It Wasn’t Me!

ChannelBytes

The Curse of Social Engineering

It’s quite mind-boggling that in 2024, when almost everyone is aware of the risks, the number of cybersecurity attacks that organizations encounter on a daily basis continues to rise.

More curious is that many of these attacks target employees, often tricking them into unintentionally giving criminals access. Do people let down their guard and think that it won’t happen to them, or are criminals getting more devious?

With companies upping their game on system security, it makes sense that instead of trying to break down the front door, criminals simply get someone to unlock it from the inside or leave a window open. Maybe employees think that cyberattacks need to be sophisticated, and that simply opening an email or clicking on a link can’t possibly cause harm. Statistics say otherwise:

It’s estimated that social engineering, in particular, is responsible for the majority of cyberattacks, with more than 3 billion phishing emails sent on a daily basis. Most organizations have policies in place and conduct employee security training, and yet the attacks are persistent enough that many of them succeed.

An interesting tactic being used is to scare employees into thinking that they have done something wrong, or that they will be doing something wrong if they don’t do as asked. Cybercriminals leverage company knowledge, sometimes even pretending to be management sending an instruction to more junior staff. Even if the request seems fishy, sometimes employees are too fearful to question it, in case it puts their job at risk.

It’s the classic con job, using half-truths on the pretext that it’s a legitimate request, and all too often unsuspecting employees fall for it. The problem is that when the whole truth is unearthed, employees often claim innocence. “We’re just human,” they say. “We make mistakes, we didn’t know!”

Given the tech realm that most companies operate in and how entrenched it is in our daily lives, at what point is that excuse no longer valid? Companies can have the most sophisticated cybersecurity policies and defences in place, but if employees are apathetic in adhering to them, they may as well leave all the doors open.

Take, for instance, multi-factor authentication. It’s a simple way to make it harder for cybercriminals to access systems. Yet most employees find it annoying or cumbersome. It’s one extra step and takes all of two seconds of their time, yet if they can avoid it, they will.

Perhaps the lesson in this is to stop looking for sophistication, get back to basics, and do the simple, small things that can make an impact.

For individuals, that means being vigilant and knowing that things aren’t always as they seem, and not being afraid to ask or check if something seems amiss. For companies, it means equipping employees with the knowledge of where the risks exist and how sneaky cybercriminals can be and, most importantly, empowering employees with the understanding of what to do if they are targeted. In the end, nobody really wants their identity to be used and to be caught out saying: “It wasn’t me!”
