LAS VEGAS—Most cybercrime employs social engineering, Jerry Beasley of TraceSecurity told attendees of the CUNA/National Association of State Credit Union Supervisors Bank Secrecy Act (BSA) Conference here.
Beasley explained that social engineering techniques are deliberately designed to exploit people’s inherent vulnerabilities, CUNA reported.
“A significant part of all data breaches involves some form of social engineering because it is taking advantage of the human condition,” Beasley told the meeting. “Basically, it’s usually getting people to make some kind of decision based on what they’re seeing or hearing in a message.”
According to a 2016 report on data breaches from Verizon, 35% of data breaches are caused by social engineering. Hacking causes 62%, while physical breaches cause 6% and malware causes 2%, CUNA said.
The top social engineering technique—phishing—has seen a 95% jump in recent years, which has been attributed to state-affiliated espionage, Beasley said.
Phishing involves an individual receiving an email that appears to be from a financial institution, utility company or retailer, asking the recipient to click on a link and provide certain information.
Attacks generally employ persuasion, impersonation, urgency or novelty to catch someone’s attention. Attackers then rely on individuals’ trust, curiosity, conditioning and lack of defined protocols, Beasley told the meeting.
Scammers can send individuals emails that look to be from a financial institution, or utility company, or even a personal email from a co-worker.
Beasley said that credit unions should strongly consider social engineering prevention training that:
- Must be frequent
- Is conducted on a varying schedule and in varying formats, including a personal greeting or member account action
- Reports what went wrong and what was successful
- Should illustrate the impact with pictures, videos or descriptions of the events
- Is realistic, using tools and techniques from real attacks
- Measures specific actions, such as clicking, downloading, following links and opening attachments.
“I’ve never seen an institution fail to see a change once they enacted a program to combat these kinds of attacks,” Beasley said. “You generally see an increased awareness, a change in attitude and more comfort when it comes to dealing with cybersecurity.”
