Did you know that in the first half of 2022 there were 817 cases of data compromise in the United States, affecting over 53 million individuals?
A multinational hospitality group faced an attack that caused their IT system to shut down for 2 consecutive days. After tricking an employee into downloading a malicious piece of software through an email attachment, this hotel chain’s attackers obtained extremely sensitive information that included the password to their internal password vault, QWERTY1234 to be exact. The attackers then began irreversibly destroying the hotel chain’s data, documents, and files.
After persistent login attempts against a ride share company employee’s account, an attacker manipulated an external employee into accepting a two-factor login approval request. The attacker was then able to register their own device for multi-factor authentication (MFA), successfully log in, obtain access to several employee accounts, send messages through the company’s Slack channels, and reconfigure OpenDNS to display a graphic image on internal websites.
Both of these situations, occurring in September 2022, demonstrate effective social engineering. Social engineering is the use of social methods to manipulate individuals into divulging personal or confidential information, which can then be used for fraudulent purposes. While these methods are not new, the effectiveness of these continually evolving attacks is alarming and should be noted, as social engineering remains a favorite among cybercriminals.
Current Social Engineering Tactics
Phishing
More than 90% of successful cyberattacks begin as phishing emails. One of the most common threats to date, phishing consists of attackers sending malicious messages to obtain personal, sensitive information. Hoping to obtain financial details, sensitive materials, and system credentials, these inexpensive messages mimic genuine businesses and yield high returns for the attacker based on the valuable data obtained.
Utilizing fear and urgency tactics, an attacker’s overarching goal is for users to miss warning signs and trust an email they might otherwise report. Emails sent will mention a restricted account, password change, or unrecognized login to name a few. For businesses, common tactics may include fake invoices that trick payroll into sending money or opening a damaging website.
MFA Fatigue
A strategy rising in popularity among hackers, MFA Fatigue occurs when an attacker runs a script that repeatedly attempts to log in with stolen credentials, resulting in an endless stream of MFA push notifications. In addition, attackers will also send emails impersonating IT support in hopes of making the notifications appear legitimate. The end goal is to overwhelm the target by creating a sense of “fatigue” so that the user approves the MFA request just to get the notifications to stop. Alternatively, because the user is used to receiving multiple MFA requests a day, they may have become accustomed to approving them reflexively so they can keep working. Once the MFA request is approved, the attacker successfully logs in.
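From the defender’s side, the pattern described above is visible in authentication logs as a burst of push prompts for one user within a short window, especially when an approval follows a run of denials or timeouts. The following is an added example, not code from the original article: it scans a constructed, simplified log format (timestamp, user, event, result, which is an assumption and not any vendor’s real schema) with a sliding window and flags users who received at least a threshold number of push prompts within that window, noting whether any prompt in the burst was approved.

```python
"""Flag MFA push-bombing ("MFA fatigue") patterns in authentication logs.

Added example. The log format below is constructed for this illustration:
one event per line as "<ISO timestamp> <user> <event> <result>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: alice receives six push prompts in under
# three minutes and approves the last one; bob's two prompts are hours apart.
SAMPLE_LOGS = """\
2022-09-15T08:00:01 alice mfa_push denied
2022-09-15T08:00:19 alice mfa_push denied
2022-09-15T08:00:41 alice mfa_push denied
2022-09-15T08:01:05 alice mfa_push timeout
2022-09-15T08:01:30 alice mfa_push denied
2022-09-15T08:02:40 alice mfa_push approved
2022-09-15T08:05:00 bob mfa_push approved
2022-09-15T09:10:00 bob mfa_push approved
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.fromisoformat(ts), user, event, result


def find_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {user: alert} for each user whose push prompts within any
    `window` reach `threshold`. The alert records the largest burst seen,
    when it started, and whether an approval occurred inside a burst
    (the outcome the attacker is after, so it deserves the highest priority).
    """
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event == "mfa_push":
            pushes[user].append((ts, result))

    alerts = {}
    for user, events in pushes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window's left edge until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < threshold:
                continue
            approved = any(result == "approved" for _, result in burst)
            prev = alerts.get(user)
            alerts[user] = {
                "prompts": max(len(burst), prev["prompts"] if prev else 0),
                "burst_start": burst[0][0].isoformat(),
                "approved_during_burst": approved
                or (prev["approved_during_burst"] if prev else False),
            }
    return alerts


if __name__ == "__main__":
    for user, alert in find_mfa_fatigue(SAMPLE_LOGS).items():
        print(user, alert)
```

The threshold and window are deliberately parameters: a help desk that legitimately re-prompts users will need a higher threshold than a team that sees one prompt per login, and the `approved_during_burst` flag is what should page an analyst, since a denied burst is an attempt while an approved one is a likely compromise.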
Pretexting
A manipulative technique that tricks victims into disclosing sensitive information, pretexting involves a fictional situation, developed by an attacker, that results in stolen personal data. During these attacks, hackers will ask targets for specific information, assuring the target that it is needed to confirm their identity. These attackers may present themselves as IT, HR, or C-level executives hoping to obtain your personal information and use it to carry out secondary attacks.
It is important to note that phishing is a tool, whereas pretexting is an attack method. Phishing uses fear to get victims to download dangerous attachments or visit dangerous websites. Pretexting, on the other hand, builds a false sense of trust with the target, strengthening a believable story to avoid detection.
Protect Yourself with Proper Passwords
Implementing a strong password is key in being your first line of defense from cyberattacks. Protect yourself with these simple and effective best practices:
– Continually change your password at least once a quarter.
– Do not use the same password for multiple accounts.
– Utilize unique passwords that are lengthy and difficult to guess. Strong passwords must be at least 12 characters and utilize a combination of letters, numbers, and symbols – try creating a sentence.
– Do not store passwords in unsecured locations like an Excel file on your desktop or post-it notes on your desk.
– Use multi-factor authentication. This method requires users to provide two or more verification factors to gain access to a resource.
– Consider a password manager. These software applications utilize highly advanced encryption and security designed to store and manage your online passwords.
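The length, character-mix and no-reuse rules above can be enforced rather than merely recommended. The following is an added example and not code from the original article: a checker that applies the 12-character minimum and the letters-plus-numbers-plus-symbols rule, rejects passwords containing a constructed list of commonly guessed fragments (the hotel chain’s QWERTY1234 fails on several counts), and compares a candidate against salted PBKDF2 hashes of passwords already used on other accounts so the same password cannot be reused. The fragment list and the iteration count are assumptions chosen for illustration.

```python
"""Password policy checks for the best practices listed above.

Added example. WEAK_FRAGMENTS and the PBKDF2 iteration count are assumptions
chosen for illustration, not values from any particular standard.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12
# Constructed list of fragments that appear in commonly guessed passwords.
WEAK_FRAGMENTS = ("password", "qwerty", "1234", "letmein", "welcome", "admin")
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware


def check_password(pw):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_letter and has_digit and has_symbol):
        findings.append("needs letters, numbers and symbols")
    lowered = pw.lower()
    for frag in WEAK_FRAGMENTS:
        if frag in lowered:
            findings.append(f"contains common fragment '{frag}'")
    return findings


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 hash, returned as (salt, digest).

    A password manager or identity provider would store these rather than
    the password itself, so reuse can be detected without keeping plaintext.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_reused(pw, history):
    """True if `pw` matches any (salt, digest) pair from other accounts."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


if __name__ == "__main__":
    for pw in ("QWERTY1234", "My dog ate 3 tacos!"):
        print(repr(pw), check_password(pw) or "ok")
    history = [hash_password("My dog ate 3 tacos!")]
    print("reused:", is_reused("My dog ate 3 tacos!", history))
```

A sentence-style passphrase such as the second sample passes every check while remaining memorable, which is the point of the “try creating a sentence” advice; the reuse check is what a password manager automates for you across accounts.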
About Brian Bobo
As Chief Digital Officer at Greenway Health, Brian is responsible for Greenway’s IT organization, overseeing the cloud-based environments of thousands of clients. Passionate about building teams and fostering collaboration, he is skilled at creating long-term cyber strategies. Brian holds a Bachelor of Science from the U.S. Military Academy at West Point and an MBA from the University of Florida, and he serves on the advisory boards of the University of South Florida’s Cybersecurity for Executives program.