Zurich, June 2023 – Social engineering attacks are on the rise around the world, and, with the emergence of tools based on artificial intelligence (AI), such attacks will clearly become even more sophisticated in the future. According to a recent study by Bitkom e.V., almost one in every two companies has experienced an attempted attack. Nevertheless, persistent myths about this type of attack are causing companies to make poor decisions.
Social engineering attacks are part of everyday life in any company. That’s because spying on sensitive data is not only a lucrative form of blackmail for cybercriminals but also costs companies dearly in other ways. Many companies make mistakes when dealing with social engineering that can make it easier for attackers to succeed.
Nevis Security AG dispels the five most common myths about social engineering attacks and offers advice on how companies can successfully detect and therefore prevent this type of attack.
Technical security measures are sufficient
While security software such as firewalls and anti-virus programs are still important lines of defence against all types of attacks, social engineering involves targeting humans as the weakest link in the IT security chain. The goal of the attacker is to manipulate people so that they reveal things such as login details or other sensitive information. Consequently, one of the most common vulnerabilities is a lack of employee awareness. It is important to provide regular training and to raise employee awareness in order to prevent them from unwittingly falling for the tricks played by criminals.
Social engineering only involves phishing
Highly personalised attacks are especially promising for criminals. Ploys such as bogus telephone calls are an increasingly popular way of gaining access to sensitive data. Tactics are usually calibrated to the desired outcome: techniques such as the alleged expansion of the target’s authority (the CEO scam), objectivity, sympathy or curiosity are exploited to persuade people to share data. Along with the use of multi-factor authentication, a risk-based approach or adaptive authentication can provide a solution to this particular hazard. For instance, if a user makes use of a device other than the one registered for official use, they are requested to complete an additional authentication step.
You’ll only be attacked once
Once hackers have gained access to the system, they will often carry out multiple attacks. Social engineering, in particular, acts as a gateway for further attacks. Once criminals have successfully authenticated themselves in a system or an application, they can install additional malware, such as ransomware. The extent of this may not be immediately apparent as the malware can be set to stealth mode. This allows the attackers to strike when the time is right. Based on the principle of ‘nipping problems in the bud’, companies should implement strong authentication solutions to make it as difficult as possible for hackers to break into a system or application.
My employees and my customers are uniquely identified, so they’re authorised
A person who is registered is not necessarily entitled to be registered. If companies don’t bother to verify the identity of a person properly, especially when sensitive data is involved, this can have serious consequences – including from a compliance perspective. It is therefore important that companies not only ensure that authorised persons have access to data but also implement strong MFA (multi-factor authentication) solutions. If the attacker manages to breach this line of defence, a continuous authentication solution backed by risk-based authentication may be an effective second line of defence. A continuous authentication process verifies the identity of both the user and the end device while running in the background without interrupting the session. This allows a company’s IT security experts to detect an unauthorised attempt to access an account more quickly.
Only naive people fall for social engineering attacks, so passwords are all we need
As a result of sophisticated methods such as social engineering attacks conducted in real time, even well-informed people can fall victim to hackers. When inadequate security policies are added to the mix, things get dicey. Many companies still rely on passwords, as a study by Nevis reveals. Ten per cent of the IT decision-makers surveyed admitted that they don't take any security precautions at all. What’s more, only half of all IT decision-makers surveyed had heard of cybersecurity standards such as FIDO, OAuth or WebAuthn. It has long been known that passwords are not secure. The use of MFA based on biometric features makes it more difficult for hackers to penetrate systems because it’s more difficult for this type of authentication to fall into the wrong hands.
Stephan Schweizer, CEO of Nevis Security AG, comments: ‘Rapid advances, especially in artificial intelligence, will also make it easier for cybercriminals to carry out automated attacks. This means that criminals with virtually no technical expertise can launch social engineering attacks to gain illegal access to sensitive data. In addition, Fraud as a Service, which essentially allows criminals to make their expertise or software available to laypersons, represents an added threat in the area of cyber security. Companies ultimately need to take these threats seriously and make it difficult for hackers to steal data.’
Nevis develops security solutions for the digital world of tomorrow. Its portfolio encompasses passwordless logins, which are intuitive to use and offer optimal protection for user data. Nevis is the market leader for Identity and Access Management in Switzerland and secures over 80 percent of all online banking transactions. Public authorities, leading service providers, and industrial enterprises worldwide rely on Nevis solutions. The authentication specialist has locations in Switzerland, Germany, UK and Hungary.
LEWIS Communications GmbH
Mareike Funke, firstname.lastname@example.org