Today's threat landscape is dynamic, and technology is developing so quickly that it is difficult to keep up.
Anyone with internet access can be an attacker, and they can strike from anywhere. An attacker can target the technical systems (exploiting technical vulnerabilities), the humans operating those systems (exploiting cognitive biases), or a combination of the two.
When targeting the humans who operate a system, the attacker uses psychological manipulation to influence them into performing actions or disclosing confidential information. This technique is known as social engineering, and it relies on specific attributes of human decision-making known as cognitive biases. Where a technical attack exploits a bug in software, social engineering exploits known cognitive biases as the "bug" that gets it past the human firewall. A widely quoted industry figure puts the share of cyber-attacks that depend on a human falling for social engineering at 98%.
Psychologist Robert Cialdini described six principles of persuasion on which social engineering relies heavily. The six key principles are reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
The attacker applies these principles when performing vishing (voice phishing), smishing (SMS phishing), and phishing (e-mail) attacks. What all of these attacks have in common is that they are carried out against a human victim with the aim of getting that person to disclose information.
Employees who know how to spot social engineering attempts are, and will remain, important for reducing the risk of a successful attack. Academic research shows that employees often do not see themselves as part of the organization's information security firewall and frequently take actions that disregard the organization's information security interests. Research further stresses that an information security culture must be treated as a continuous process of improving security. Digital development and the evolving threat landscape only reinforce this point.
One example is the rise of deepfakes: a technique that uses artificial intelligence to create video or audio of a person in which their face, body, or voice has been digitally altered so that they appear to be someone else, or to be doing or saying something they never did or said. Attackers now use this technology in vishing, producing attacks that challenge your employees' ability to spot social engineering far more than before. As recently as 2020, a bank in Hong Kong was scammed out of 35 million dollars by attackers using an AI-cloned ("deep") voice.
Are your employees ready?