Time to take Social Engineering attacks seriously

Social Engineering Attack methods have been surging at a devastating pace since the pandemic. This type of attack is targeted on the employees of an organisation. When the attackers have a hard time cracking into the network of an organisation they start to focus on the employees. The main motive is to provide manipulated information to the targeted employee or employees via email, SMS, text messages from WhatsApp etc.

Did you Uber? I’ll Uber now! The most commonly used phrase to book travel this decade.

We all have such mobile applications (not just Uber) installed on our mobile devices for those just in case moments. But even the largest of business entities are vulnerable to social engineering attacks, which Uber were unfortunate to discover last week when a hacker claimed to have breached their company.

It is reported that the breach occurred via one of the Uber employees to whom the attacker sent MFA (Multi Factor Authentication) requests continuously until the frustrated employee accepted it. Such type of attack has been termed as ‘MFA fatigue’ which is an emerging branch of Social Engineering attack.

It was an 18-year-old hacker who alleges to have breached into the Uber network and gained access to their data. The hacker introduced himself in one of their slack channels;

“I announce i am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 phabricator have also been stolen along with secrets from sneakers #uberunderpaisdrives”

For Uber, the full ramifications of the attack are yet to be seen and undoubtedly there will be a long post-incident reporting process to come.

It is certainly worth pausing for a moment to reflect on your own organisations security protocols and remembering there are many other ways to be exploited by social engineering attack such as; using a stranded memory stick, employee impersonation, unwanted scanning applications installed etc. It is essential to keep your employees aware of and cautious to such attacks.

Best practice:

• • The IT department of a company should secure the details of the employees to avoid attackers contacting the employees via SMS, call and text messages

• • Employees should be more cautious before making an action related to logging into their office accounts

• • The IT department should update their security standard and methodology but should ensure that it is not complex for the end user (confused employees are more vulnerable)

• • Employees should be educated regularly on the ongoing cyber incidents

• • The IT department should conduct regular Phishing simulations to monitor the awareness of the employees to such attacks and should provide training materials and tests to the employee who require attention

• • Employees should report any actions which cause concern to the IT department

• • IT departments should provide an easily accessible medium for the employees to report a security incident without blame

CyberLab for educating your employees:

‘Educate’ is one of our core mottos – empower your workforce to be your first line of defence.

CyberLab Control, Cyber Security as a Service (CSaaS) offering, includes bespoke interactive training courses for your entire team. Identifying your employees’ security blind spots and tailoring awareness training to suit their needs.  Enhanced with real-world phishing simulation campaigns to help employees learn how to detect and avoid phishing attacks.  

We are helping our customers to achieve a secure environment, which involves human intervention from the outset.

Learn more about CyberLab Control here.