Online scams have become so common that we are immediately suspicious whenever we see a pop-up on a website, get an email with a link to click, or a file to open. So how is it possible that so many people and organizations continue to fall for whatever cybercriminals throw their way?
Throughout the hundreds of apps you rely on to work, chat, and play, the most exploitable component hasn’t been patched in 1.9 million years: the human brain. While we would like to think we’re too smart to fall for online scams, this assumes we’re always on high alert and at our best. But many cyberattacks today work precisely by exploiting our emotions, with dire results.
One of the worst types of attack to fall victim to is ransomware.
Ransomware, which refers to malicious programs that allow attackers to hold your data hostage, only has to be successful once to create serious consequences. The most tech-savvy people can get tricked by bad actors and find that their files, pictures – even those stored on a cloud account – are no longer accessible.
The practically unbreakable encryption used by modern ransomware means that attackers can ask for eye-watering sums of money to decrypt user data: the average ransom attack now costs $11,500 and counting.
Ransomware attacks hit consumers and small businesses the hardest – the downtime caused by a successful attack can send a promising startup into a financial tailspin. The average length of time a company is placed out of commission is 16 days; faced with the potential losses, just over a quarter of victims decided to pay the ransom. Almost all got hit with a second ransomware attack less than a year later. The final straw for small companies is the resulting mess of legal cases.
Below, we take a closer look at how ransomware works and the role that social engineering plays in these types of attacks.
What is social engineering?
Social engineering encompasses a myriad of attacks that utilize psychological manipulation in place of “hacking” abilities. Unlike other attack vectors, social engineering doesn’t require significant technical skills. Instead, think of it as tricking an unsuspecting victim into opening the door rather than picking the lock.
Social engineering attacks have many methods to reach new targets, including:
- Emails (commonly known as phishing)
- Social media messages
- Website pop-ups
- Text messages (smishing – a combination of SMS and phishing)
- Workplace messaging services (e.g., Slack, Microsoft Teams, etc.)
Effectively any possible way to reach people is exploitable by bad actors.
Social engineering involves some form of deception, often faking correspondence to look like a trusted sender. By pretending to be someone they’re not, cybercriminals get people to perform a specific task that grants them access to your computer, phone, or a specific online account. This could be downloading files containing malware or entering login information on compromised websites.
While many are wary of online communications, social engineering tries to overcome reasoning by invoking an emotional reaction, getting us to react quickly without thinking too much. Emotions exploited in social engineering attacks include:
- Fear: Tricking users into believing they’re at risk if they don’t act quickly. This could be a fake warning about their computer or account being compromised or a real-world scenario such as a new health risk.
- Curiosity: Piquing someone’s interest to cause them to click a link or download a file. Examples could be related to the victim’s specific interest or a celebrity/organization tagging them in a social media post.
- Urgency: Adding time pressure to the communication. “Act now to get this great deal” or “Malware Blocked – Urgent Action Required!”
- Trust: Using people’s trusting nature to gain access to their devices. This could be impersonating a friend or colleague or pretending to be law enforcement or other government agency. It’s very easy to click on a work email and open the attachment before you even start reading the text and become suspicious.
- Goodwill: Exploiting the victim’s compassion by impersonating a friend in need or a charitable organization.
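As an added example (not code from the original article or from ZoneAlarm), here is a small defender-side triage script that scores a message for the emotional levers listed above and flags a sender display name that claims a trusted organisation while the address domain is not one that organisation actually uses. The TRUSTED_SENDERS allow-list and the two sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Hypothetical allow-list: organisations the recipient deals with and the
# domains they genuinely send from (constructed for this example).
TRUSTED_SENDERS = {"Example Bank": {"examplebank.com"}, "IT Support": {"corp.example"}}

# Phrases that signal each emotional lever the article describes.
LURE_CUES = {
    "fear": [r"compromised", r"suspended", r"unauthori[sz]ed", r"infected"],
    "urgency": [r"act now", r"urgent", r"within \d+ hours?", r"immediately"],
    "curiosity": [r"tagged you", r"see who", r"you won't believe"],
    "trust": [r"from it support", r"your bank", r"police", r"tax office"],
    "goodwill": [r"donat(e|ion)", r"stranded", r"help (me|us)"],
}

def lure_cues(text):
    """Return the sorted lever categories whose phrases appear in text."""
    lowered = text.lower()
    return sorted(cat for cat, pats in LURE_CUES.items()
                  if any(re.search(p, lowered) for p in pats))

def impersonation(from_header):
    """Describe a display name claiming a trusted org from an unexpected domain, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for org, domains in TRUSTED_SENDERS.items():
        if org.lower() in name.lower() and domain not in domains:
            return f"display name claims {org!r} but address domain is {domain!r}"
    return None

def assess(from_header, subject, body):
    """Combine sender check and lever cues into a simple review verdict."""
    cues = lure_cues(subject + " " + body)
    spoof = impersonation(from_header)
    # A spoofed sender, or two or more levers stacked together, warrants a closer look.
    suspicious = spoof is not None or len(cues) >= 2
    return {"cues": cues, "impersonation": spoof, "suspicious": suspicious}

# Constructed sample messages (not real correspondence).
SAMPLES = [
    ("Example Bank <alerts@examp1ebank-secure.net>", "Urgent: account compromised",
     "Your account was suspended after unauthorized activity. Act now to restore access."),
    ("Example Bank <notice@examplebank.com>", "Your monthly statement",
     "Your statement for March is available in online banking."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(*sample))
```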
How malware spreads using social engineering
Cyberattacks and malicious software can spread in many ways using social engineering. In the case of ransomware, phishing is traditionally the primary delivery method, accounting for 54% of vulnerabilities in 2020.
Other forms of social engineering attacks spreading malware include:
- Spear phishing: While phishing can be seen as a crude form of cyberattack, targeting many people with low-effort emails, spear phishing is a more advanced version utilizing targeted messages. Spear phishing identifies select individuals or groups with similar traits (characteristics, job, contacts, etc.) and then produces tailored messages to look more convincing. These attacks generally take significantly more time and effort from the cybercriminal but have a much higher success rate.
- Baiting: Using false promises to lure victims into a trap where personal information is stolen or malware infiltrates their computer. Typically, baiting uses a false promise to manipulate a person’s greed or curiosity. This can happen online, for example through advertising, or in the physical world. Attackers have begun to leave physical media, such as flash drives, in popular locations. The curious victim then unknowingly connects a malware-infected device to their own computer.
- Scareware: Using alarming statements, fake threats, and bluffs to deceive victims into installing malicious software on their computers. Common forms include online pop-ups or spam emails informing someone their computer is already infected with malware. This causes them to click on an unsafe link or download fake cybersecurity software, which is actually malware.
- Pretexting: Through detailed and planned lies, bad actors build trust before tricking a victim into providing sensitive information. The attacker takes time to believably impersonate police, co-workers, or banking and tax employees, extracting sensitive data under the ruse of performing a critical task for the victim.
How to protect yourself from social engineering attacks
Each and every one of us can do a lot to protect ourselves from social engineering attacks. Best practices include:
- Implementing 2-factor authentication (2FA) so you know when anyone is trying to access your online accounts.
- Using a password manager to create strong and unique passwords for each of your accounts.
- Exercising safe inbox behavior, such as using high spam filter settings and only opening emails from trusted senders.
- If you’re still unsure, consulting a tech-savvy friend, colleague, or family member before clicking on a suspicious message that claims to be from the bank, post office or any big-name company.
- Installing top-of-the-line security software and ensuring it remains up to date.
When it comes to securing your devices, ZoneAlarm Extreme Security NextGen should be your first line of defense.
A complete security suite for multiple devices, ZoneAlarm Extreme Security NextGen offers one-of-a-kind anti-phishing and social engineering protections. When you follow a link to a website, ZoneAlarm Extreme Security NextGen scans every field on the webpage (e.g., URL, title, signature, visible text, etc.). Until these checks are complete, any fields for login credentials on the page remain blocked. That way, you know a website is safe and secure every time you enter your email address, username, or password. ZoneAlarm Extreme Security NextGen also comes with award-winning anti-ransomware protection. With unique behavior-based anti-ransomware technology, you get protection against zero-day ransomware. Plus, if the unthinkable does happen, all encrypted files are easily restorable.