Here are some updates on social media risks and trends, and how we can reduce exposure to social engineering campaigns
Social engineering has emerged as one of the most potent tools in a cybercriminal’s arsenal. Unlike traditional hacking methods that exploit technical vulnerabilities, social engineering preys on human psychology. This approach is effective because it leverages inherent human traits such as trust, curiosity, fear, and the desire to help others.
One of the primary reasons social engineering is so effective is its ability to bypass even the most sophisticated security systems. When peppered with the right personal details and references to actual colleagues and business contacts, a phishing email can trick employees into revealing sensitive information, without triggering any security alarms.
Social engineers use various techniques to achieve their goals. Phishing, vishing (voice phishing), smishing (SMS phishing), and pretexting are some common tactics. Phishing involves sending emails that impersonate sources people usually trust, prompting recipients to click on links, enter credentials on fake login pages, or hand over sensitive information.
According to Shannon Murphy, Global Security & Risk Strategist, Trend Micro, cybercriminals are using generative AI to make it easy to send targeted, error-free, and tonally convincing messages on a mass scale in multiple languages. “And this is already branching beyond emails and texts to include persuasive audio and video ‘deepfakes’ for an even more business-affecting threat,” she said.
Another perennial factor contributing to the effectiveness of social engineering is the attackers’ ability to gather information about their targets. With the advent of social media and the internet, cybercriminals can easily collect data about individuals and organizations. This information is then used to craft personalized attacks that are more likely to succeed. For example, an attacker could pose as a colleague or a trusted service provider (a business-email compromise), using details gleaned from social media profiles to build credibility.
Reviewing our online social habits
When internet connectivity and the cameras in mobile phones finally improved in affordability and quality, social media platforms caught on in a big way. Digital natives thrived on information-sharing platforms, professional networking sites, and various online communities, spreading their enthusiasm for connecting with people young and old.
While these platforms offer numerous benefits, they have also presented significant risks, particularly when it comes to social engineering. One of the key factors that make individuals susceptible to social engineering attacks is their tendency to overshare personal information online.
People often post details about their lives, such as their daily routines, whereabouts, achievements, and even their life stories. Sharing this information openly (instead of restricting access to close circles of friends), while seemingly harmless, was and continues to be a goldmine for cybercriminals.
Moreover, the desire to connect with others and expand one’s network can lead to accepting friend requests or connection invitations from strangers. This behavior has already been linked to countless cases involving cyberbullying, blackmail, sexual exploitation, pedophilia and other social abuses.
By publicly celebrating promotions, new job roles, and significant accomplishments, and by tagging one another to spread the news, internet users have for years inadvertently provided attackers with valuable information about their lives. Scammers and fraudsters have used this information to craft targeted attacks, such as spear-phishing messages and emails that appear to come from a trusted source.
Creating a culture of social media vigilance
According to a contributed story by Fabio Fratucello, Field CTO (International), CrowdStrike, “as adversaries rely on identity attacks such as social engineering to gain initial access to networks, security teams across all maturity levels must be more proactive in detecting and mitigating evolving threats. Enhancing technological capabilities for identity and endpoint monitoring is a step in the right direction. Having unified visibility across security operations eliminates gaps or silos that adversaries could exploit.”
Fratucello also recommended more education and training of employees on security procedures and the associated risks of non-compliance to foster an ingrained culture of social vigilance.
Other experts have frequently shared the following tips, which will be useful for people young and old who are exposed to, or drawn to, sharing information online, whether for personal or professional matters.
- For IT teams: Conduct regular training sessions and simulated phishing tests to emphasize the importance of cyber hygiene against social engineering.
- For general users of social media: Adopt a healthy level of skepticism toward all contacts to collectively boost social engineering vigilance. With AI and deepfakes now making scams and spear-phishing campaigns even harder to identify, everyone should be on high alert, especially when faced with the typical approach methods: urgent crises or personal matters; delivery failures; requests for money or information; unsolicited business or investment propositions; giveaways and prizes; health scares; and clickbait-like claims designed to prompt people to respond and act.
- For all users of social media: Limit information sharing. People should be cautious about the information they share online. Examine and turn on every privacy setting on the social media platforms they use. Platforms also change privacy-setting defaults and add new settings periodically, so stay up to date on the changes; otherwise settings previously thought to be sufficient could have been overridden by new platform policies and tweaks. Restrict sharing of information to specific circles of contacts, and remind them to be discreet about spreading any information that is meant for their eyes only.
- For cyber defenders and IT teams: Implement strong security measures (such as biometric or phishing-resistant multi-factor authentication) and conduct regular security audits to identify vulnerabilities. Ensure that security measures are kept up to date, including assessments of both technical systems and human factors.
- For everyone in general, also note this: your behavior on social media platforms can invite unpleasant actions, including trolling, doxxing, and stalking by online ‘frenemies.’ Therefore, always follow the chat group rules; mind your language and tone; avoid personal attacks; and treat others with respect. When disputes arise, keep your emotions in check, and defer to moderators when necessary.
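The approach themes listed in the tips above (urgency, delivery failures, money or information requests, investment propositions, giveaways, health scares) can be turned into a simple triage aid for a security team or an awareness trainer. The following Python example is added here and is not code from the article or from any vendor quoted in it: it scores a message against those lure categories and flags anything that hits more than one of them for human review. The keyword patterns and the sample messages are constructed for this example; a real deployment would tune the patterns on its own mail and chat data.

```python
import re
from dataclasses import dataclass, field

# Lure categories follow the article's list of typical approach themes.
# The regular expressions under each category are constructed for this
# example and are deliberately small; they are a starting point, not a
# complete lexicon.
LURE_PATTERNS = {
    "urgency": [
        r"\burgent(ly)?\b", r"\bimmediately\b", r"\bwithin 24 hours\b", r"\bact now\b",
    ],
    "delivery_failure": [
        r"\bdelivery\b.*\b(failed|attempt|unable)\b", r"\bpackage\b.*\b(held|waiting)\b",
    ],
    "money_or_info_request": [
        r"\bgift cards?\b", r"\bwire transfer\b",
        r"\bverify your (account|password|identity)\b", r"\bbank details\b",
    ],
    "investment_proposition": [
        r"\bguaranteed returns?\b", r"\binvestment opportunity\b",
    ],
    "prize_or_giveaway": [
        r"\byou('ve| have) won\b", r"\bclaim your (prize|reward)\b", r"\bfree giveaway\b",
    ],
    "health_scare": [
        r"\btest results?\b", r"\boutbreak\b", r"\bmedical alert\b",
    ],
}


@dataclass
class LureAssessment:
    """Result of scoring one message: how many lure categories fired, and which."""
    score: int
    categories: list = field(default_factory=list)


def assess_message(text: str) -> LureAssessment:
    """Match the message against every lure category and count the hits.

    Matching is case-insensitive; a category counts once no matter how many
    of its patterns match, so the score is the number of distinct themes
    the message combines. Real lures often stack several themes at once.
    """
    lowered = text.lower()
    hits = []
    for category, patterns in LURE_PATTERNS.items():
        if any(re.search(pattern, lowered) for pattern in patterns):
            hits.append(category)
    return LureAssessment(score=len(hits), categories=hits)


def needs_review(text: str, threshold: int = 2) -> bool:
    """Flag a message for human review when it stacks at least `threshold` lure themes.

    A single theme (e.g. a genuine parcel notice) is common in legitimate mail;
    two or more stacked themes is the pattern worth a second look.
    """
    return assess_message(text).score >= threshold


# Constructed sample messages for demonstration; none is a real phishing sample.
SAMPLE_MESSAGES = [
    "URGENT: your package delivery attempt failed. Verify your account within 24 hours to avoid return.",
    "Hi team, the quarterly report is attached; let me know if you have questions before Friday's meeting.",
    "Congratulations, you have won a free giveaway! Claim your prize today.",
]


def triage(messages=SAMPLE_MESSAGES, threshold: int = 2):
    """Return (message, assessment, flagged) for each message in the batch."""
    return [(m, assess_message(m), needs_review(m, threshold)) for m in messages]


if __name__ == "__main__":
    for message, result, flagged in triage():
        status = "REVIEW" if flagged else "ok"
        print(f"[{status}] score={result.score} themes={result.categories} :: {message[:60]}")
```

The threshold of two stacked themes is a design choice for the example: it keeps single-theme legitimate mail (a real parcel notice, a real prize announcement) out of the review queue while catching the combination of urgency plus a credential or payment request that the article describes as the usual pattern.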
By understanding the dual aspects of social engineering and taking proactive steps to enhance cybersecurity hygiene, individuals and organizations can significantly reduce their risk of falling victim to social engineering attacks. The key lies in balancing the benefits of connectivity and information sharing with the need for vigilance and security.