Companies face an increasing risk of social engineering-based threats to their security and data, Christopher Hadnagy, “Chief Human Hacker” of social-engineer.com, emphasised in his keynote speech on day two of UC Expo 2018, warning that social engineering is often cheaper and more effective for criminals than technical hacks.
Hadnagy founded Social-Engineer.com in 2004 in Brooklyn, Pennsylvania. It is the “world’s first social engineering penetration network”. The author and security expert is also founder of the cult “Social Engineering Capture the Flag” competition at popular hacker conference DEF CON.
The definition of social engineering, as he explained, is quite broad as it involves “any act that influences a person to take an action that may or may not be in their best interests”. But it is increasingly prevalent and companies need to take a “when not if” attitude to its likelihood, he emphasised.
With recent research from the Ponemon Institute showing that the average cost of an insider-related incident (whether intentional, negligent, coerced or persuaded through such social engineering) over a 12-month period is $8.76 million (£6.4 million), and that it takes more than two months, on average, to contain an insider incident, the topic is firmly on the radar of many businesses.
Phishing, SMShing (a form of fraud that uses mobile phone text messages to lure victims into calling back a fraudulent phone number or downloading malicious content) and vishing (the practice of using the phone to fraudulently gain access to personal information) are a few examples of social engineering.
Christopher highlighted that there were over 200,000 new malware samples every day with a further 4,000 ransomware attacks captured per day last year.
He also mentioned that 91 percent of corporate phishing attacks involved name spoofing, with a 500 percent increase in social media phishing in Q4 2017.
He also talked about how there were over 60 major SMShing stories in 2017, with 14 percent of victims replying to texts, 26 percent calling the number sent via text and a further – shockingly high – 60 percent clicking the website link sent via a text message or SMS.
When it comes to vishing, Hadnagy noted that millennials were mostly unaffected by this form of social engineering. A striking 60 percent of the 45-65 age demographic are prone to vishing attacks despite there being at least 45,000 reported attacks in 2018 and over $16 billion (approx. £11.8 billion) lost through phone scams in the US.
His concluding message at the keynote was that for individuals and companies to be properly educated around social engineering, phishing, SMShing and vishing, they need to change from an “if to when” mentality.