Social Engineering and Its Threats

Cem Baris 20.11.2017

No matter how big or small the company may be, defending against attacks requires an increase in the awareness of cybersecurity.

Social engineering attacks have been a constant throughout history since the Greeks gifted the Trojans a large wooden horse. Today, Trojan horses no longer manifest themselves in large equestrian structures but rather through malicious programs spread through social engineering; the act of psychological manipulation of a human.

Social engineering is most commonly seen in Phishing and Spear Phishing attacks, the act of fraudulently obtaining private information through either a single or multiple target attack. The difference between the two comes down to the attention to detail the sender puts into the content. They are typically seen in emails from a supposed reputable source containing a link or attachment with malicious content embedded inside.

No matter how strong the anti-virus program or the email security technology, attacks of this nature still take place in companies of all sizes. Programs are getting wiser to attacks, but nobody can guarantee 100% protection. These attacks succeed in part because company personnel do not recognise an attack when they see one. For example, the “Quarterly Sales Figures.pdf” or “A Message from Management.docx” attachments may look legitimate, but why is the company name spelt wrong, and since when did your line manager’s email address have a number at the end? Attacks have come a long way from the emails of supposed princes in far-off countries offering to fill your bank accounts with millions.

Overlooked details such as these are part of the reason why phishing and spear phishing attacks account for 90-95% of all successful attacks, according to security company Ironscales. They prey on employees’ lack of training and understanding, so that an attack is not recognised before it takes place. Defending against these attacks requires an increase in the awareness of cybersecurity.

On 1st November 2016 the UK Chancellor, Philip Hammond, launched the National Cyber Security Strategy, which has invested and will continue to invest £1.9 billion in providing training and development for UK companies. The question is, how effective has this investment been in inhibiting the onslaught of attacks? Why are we still seeing example after example of social engineering attacks succeeding? The answer is that companies do not follow simple steps. More often than not, all it takes is not opening an attachment unless you can verify the content. Picking up the phone and speaking to the sender may seem like a pain, but that is better than continuing to inflate the total loss to businesses, which stood at around £29 billion in 2016 for British companies alone.
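The tell-tale details above (a company name spelt wrong in the sender's domain, a number tacked onto a colleague's address) and the "verify before you open it" step in the previous paragraph can both be turned into a simple triage check that runs over inbound mail headers before a user touches the attachment. The following is an added example, not code from the original article; the trusted domain `example-corp.com`, the sample messages and the function names are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed trusted company domain (placeholder, not from the article).
TRUSTED_DOMAIN = "example-corp.com"

# Constructed sample messages: one genuine, two with the indicators the article describes.
SAMPLE_MESSAGES = [
    {"from": '"Jane Smith" <jane.smith@example-corp.com>',
     "attachment": "Q3-roadmap.pdf"},
    {"from": '"Jane Smith" <jane.smith42@exampel-corp.com>',      # misspelt domain, digits appended
     "attachment": "Quarterly Sales Figures.pdf"},
    {"from": '"IT Support" <support@example-corp.com.evil-host.net>',  # real domain used as a subdomain
     "attachment": "A Message from Management.docx"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains one or two typos away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(message: dict, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return a list of human-readable reasons this message deserves a second look."""
    name, addr = parseaddr(message["from"])
    local, _, domain = addr.lower().rpartition("@")
    indicators = []

    if domain != trusted_domain:
        if domain.startswith(trusted_domain + "."):
            indicators.append(f"trusted domain used as a subdomain of {domain!r}")
        elif 0 < levenshtein(domain, trusted_domain) <= 2:
            indicators.append(f"lookalike domain {domain!r} (near {trusted_domain!r})")
        else:
            indicators.append(f"external domain {domain!r}")

    # "Since when did your line manager's address have a number at the end?"
    if re.search(r"\d+$", local):
        indicators.append("digits appended to the sender's mailbox name")

    # Display name that shares no word with the mailbox name (e.g. a colleague's name on a stranger's address).
    tokens = [t for t in re.findall(r"[a-z]{3,}", name.lower())]
    if tokens and not any(t in local for t in tokens):
        indicators.append("display name does not match the mailbox name")

    return indicators


def triage(message: dict, trusted_domain: str = TRUSTED_DOMAIN) -> dict:
    """Combine the indicators with the presence of an attachment into an action for the recipient."""
    indicators = phishing_indicators(message, trusted_domain)
    has_attachment = bool(message.get("attachment"))
    if indicators and has_attachment:
        action = "do not open the attachment; verify with the sender by phone first"
    elif indicators:
        action = "treat with caution; verify the sender"
    else:
        action = "no sender indicators found"
    return {"indicators": indicators, "action": action}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg))
```

The check is deliberately conservative: it does not decide that a message is malicious, it only lists the reasons a recipient should pick up the phone before opening an attachment, which is the step the article says most companies skip.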

Companies such as Snapchat, Mattel and Deloitte have all fallen victim to a variety of different social engineering attacks, which have in turn led to the companies losing out, proving that no matter the size of the business and how much money has been invested into protection, nobody is safe. The real fear for companies comes when other exploits are used in conjunction with social engineering. A human mistake can open the door to viruses, malware and ransomware.

With 90% of all email being spam and viruses, it is only a matter of time before one slips through the net. In spite of this, steps can be taken to inhibit the threats. Investments into stronger anti-virus and email security products will always be helpful. However, it starts with prioritising roll-outs of training against attacks like this for all companies, accompanied by refresher sessions throughout the year that cover new attack developments. In my opinion, this should be basic practice across all companies, no matter the size.
