It is understandable that, when cybercrime happens to you, you can feel like you were targeted. And you certainly might be correct. However, more often than not, you weren’t originally the target at all. You just provided the best opportunity to the criminal. In most cases, social engineering involves an opportunistic attack that doesn’t – initially – target anyone in particular. Instead, attackers search broadly for weaknesses or vulnerabilities that they can use to mount a more in-depth attack. If they snare a victim in their net, they can then go to work.
It’s nothing personal
Unwanted messages and calls bombard nearly all of us on a regular basis. For most, these solicitations via junk mail, spam email and robocalls are just incredibly annoying – even inducing a bit of eyerolling. Most of the time, we simply hit ignore, mark as spam, delete or toss junk mail in the rubbish knowing that these messages are most likely so-called mass-market scams. Many people are often surprised by the amount of junk or spam they receive, especially because so many of the scams are so obviously illegitimate. But the reason you still get emails from a Nigerian prince offering cash out of the blue in exchange for something is because people continue to fall for such stories. Not huge numbers, but a few. And that’s all it takes to make a profit.
Opportunist attacks are not personalized to their victims and are usually sent to masses of people at the same time. They are akin to drift netters, casting their nets “out there” – whether it’s ransomware, spyware or spam – and see what comes back. The aim is to lure and trick an unsuspecting victim to elicit as much information as possible using SMS, email, WhatsApp and other messaging services, or phone calls. Their motives are primarily for financial gain. They just want money. They don’t have a vendetta against a particular person or company. It’s a virtually anonymous process.
Phishing scams: Opportunity makes the thief
The Nigerian prince story is on the lower end of the scale in terms of a convincing narrative. However, the grammar errors and simplicity in these attacks are actually intentional as they are serving as a filter. They are filtering the “smart” responders out with the goal of refining their list, allowing them to more strategically target their victims. But have you ever stopped to ask yourself why you got the email in the first place? Spam may be a reality, but you are probably getting unwanted attention because you have a wide personal “attack surface.”
Our digital footprint is more public than we would ever imagine. Every time we perform an online action, there is a chance we are contributing to the expansion of our digital footprint. So, while you and I might be aware that the Nigerian princes of the world are not genuine – more sophisticated and successful attacks are also in circulation. If you have a large and messy digital footprint, you are putting yourself on the opportunist radar and are in line to receive more refined and authentic looking queries.
Since cybercriminals are continuously devising clever ways to dupe us in our personal lives, it is just as easy to hoodwink employees into handing over valuable company data. In fact, according to Verizon’s Data Breach Digest 74% of organizations in the United States have been a victim of a successful phishing attack. Fraudsters know that the way to make a quick buck isn’t to spend months attempting to breach an organization’s security, it’s simply to ask nicely for the information they want so they can walk right through the front door.
Opportunity amid a pandemic
With social engineering opportunists tending to take advantage and capitalize on vulnerabilities exposed, the pandemic created ideal conditions to exploit businesses and corporations. In less than a month into the onslaught of the pandemic, phishing emails spiked by over 600% as attackers looked to capitalize on the stress and uncertainty generated by Covid-19. Businesses that were forced to work remotely became more susceptible to opportunists. The pandemic changed the attack surface, Researchers said,“… security protocols have completely changed – firewalls, DLP, and network monitoring are no longer valid. Attackers now have far more access points to probe or exploit, with little-to-no security oversight.”
To mitigate risk, focus on both threat and vulnerability
The standard corporate security structure is optimized to handle specific, targeted attacks on corporate assets. Unfortunately, social engineering is often overlooked because of the very non-specific nature of it. Attack by opportunity only requires unwitting cooperation by an employee who was not specifically targeted but self-selected simply by clicking on a link.
Social engineering may even be more dangerous in our pandemic-driven distributed work environments. Corporate and personal spheres overlap more than ever and can provide social engineer opportunists more footholds into our confidential lives – both private and corporate. Both individuals and corporate security leaders will do well to shift greater focus on vulnerability reduction to provide less opportunity to social engineers.