THE EFFECT OF SOCIAL ENGINEERING: INSIGHTS FROM THE SAMSUNG EXPOSÉ
Hello there!
Welcome to today’s episode of Privacy Notes.
Our topic is the effect of social engineering and how it may have been the tool that cybercriminals used to gain unauthorized access to customers’ information at Samsung. Social engineering is the hacking of people rather than systems, typically to commit fraud and identity theft[1]. This article discusses how individuals and organisations can identify social engineering tactics and guard against them.
The Samsung Data Breach.
Samsung released a notice stating that in late July 2022 an unauthorized third party obtained information from some of Samsung’s United States systems, and that the personal information of some customers was affected. The exposed data did not include credit/debit card numbers or social security numbers, but it did include names, dates of birth and product registration information[2].
Samsung added that it collects this information to deliver and improve its products and services. It has not said how many customers were affected or who was behind the attack, and the notice came almost a month after the breach was discovered. Samsung says it has taken steps to secure the affected systems and has engaged an outside cybersecurity firm to lead the response.[3]
Samsung recommended that its customers be cautious and take precautions against potential social engineering attempts, including:
– Do not click on links or download attachments from suspicious emails.
– Regularly review accounts for dubious activity.
– Be cautious of unsolicited communications that ask for personal information or urge you to click through to a web page[4].
From these recommendations it can be inferred that social engineering may have been the gateway to the Samsung breach, although the notice itself does not say how the attacker got in. According to Forbes, the most common causes of cyber-attacks are malware and phishing[5]. The FBI’s Internet Crime Complaint Center (IC3) has likewise warned, in a public announcement on Business Email Compromise (BEC), that these attacks use a variety of social engineering and phishing techniques to compromise accounts and deceive companies into transferring large sums of money to criminals.[6]
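The precautions above (distrusting links and attachments, treating unsolicited requests with suspicion) can be partly automated at the mail gateway. The following is an added example written for this article; it is not code from Samsung or from any source cited here. It assumes a small allow-list of trusted sender domains (TRUSTED_DOMAINS, an organisation would maintain its own), and the two messages at the bottom are constructed samples, not real mail. It flags the indicators a phishing email built around the Samsung breach would carry: a look-alike sender domain, a display name that borrows a trusted brand, a Reply-To that diverts replies elsewhere, and links whose visible text shows one domain while the href points to another.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of domains the organisation treats as genuine senders.
TRUSTED_DOMAINS = {"samsung.com", "example-bank.com"}
# Character substitutions commonly used to build look-alike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

def normalise(domain):
    """Undo look-alike substitutions so 'sarnsung.com' compares equal to 'samsung.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a trusted name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(domain):
    """Exact match or a subdomain of an allow-listed domain."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (normalise(domain) == trusted or edit_distance(domain, trusted) <= 2
                or brand in normalise(domain)):
            return trusted
    return None

def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage(raw):
    """Return human-readable phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} looks like {target}")
    for trusted in TRUSTED_DOMAINS:  # display name uses a trusted brand, address does not match
        brand = trusted.split(".")[0]
        if brand in display.lower() and not is_trusted(sender_domain):
            findings.append(f"display name '{display}' claims {brand} but sender is {sender_domain}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not the sender's {sender_domain}")
    for href, text in ANCHOR_RE.findall(body_text(msg)):
        href_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text.lower())
        if shown and shown.group(0) != href_host:  # visible URL differs from the real target
            findings.append(f"link text shows {shown.group(0)} but points to {href_host}")
        target = lookalike_of(href_host)
        if target:
            findings.append(f"link host {href_host} looks like {target}")
    return findings

# Constructed samples for this example, not real mail.
PHISH = """From: Samsung Support <alerts@sarnsung-support.net>
Reply-To: collect@mail-drop.example
Subject: Action required: verify your account
Content-Type: text/html

<p>Your product registration needs verification within 24 hours.</p>
<p>Visit <a href="http://login.sarnsung-support.net/verify">https://www.samsung.com/us/account</a></p>
"""
LEGIT = """From: Samsung <no-reply@samsung.com>
Subject: Your registration
Content-Type: text/plain

Thank you for registering. Manage it at https://www.samsung.com/us/account
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw) or ["no indicators"])
```

These are heuristics, not proof: a legitimate newsletter sent through a third-party provider will trip the Reply-To rule, and the homoglyph map will mangle genuine domains containing digits. They are meant to route a message to a human for a second look, which is exactly the habit Samsung’s advice asks of its customers.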
What is Social Engineering?
Social engineering is manipulation that exploits human error to acquire private information, access, or valuables. Such scams lure unsuspecting users into exposing data, spreading malware or giving access to restricted systems. The attack can be carried out online, in person or through other forms of interaction[7]. It preys on the victim’s lack of awareness: because the scam depends on how people think and act, the attacker studies the target’s habits in order to deceive and manipulate them efficiently[8].
Types of Social Engineering Tactics.
- Phishing: exploits human mistakes to acquire credentials or spread malware. Phishing attackers pretend to be a trusted person or organisation in order to convince the victim to hand over personal data or other valuables. Spam phishing is a broad attack aimed at many users, whereas spear phishing targets a particular user; whaling is spear phishing aimed at high-value individuals, such as senior executives in an organisation[9].
- Voice phishing (vishing): the attacker telephones victims and instructs them to disclose critical personal or financial information to an unauthorized party[10].
- Email phishing: the most common type, in which the attacker registers a fake domain that resembles a genuine organisation’s and sends thousands of generic messages from it[11].
- Pharming: redirects a website’s traffic to a malicious site that impersonates it by tampering with the mechanism that maps domain names to IP addresses, for example by poisoning a DNS cache or editing the victim’s hosts file, so the victim reaches the attacker’s server even after typing the correct address[12].
- Angler phishing: criminals use social media, with fake URLs, cloned websites, posts and instant messages, to persuade victims to disclose sensitive information or download malware. For example, when a customer complains to an organisation publicly on social media, attackers posing as that organisation’s support account reply and request personal information.[13]
Other social engineering tactics include baiting, honey traps, scareware and pretexting.[14]
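Pharming is the one tactic in the list that leaves a trace on the victim’s machine rather than in their inbox. The following is an added example, not code from any source cited here, showing the check a defender can run against the hosts file (/etc/hosts on Unix, System32\drivers\etc\hosts on Windows): any monitored domain that appears there has been pinned locally, either redirected to an attacker’s address or blackholed so the real service is unreachable. MONITORED is an assumed list the defender would maintain, and SAMPLE_HOSTS is a constructed file with one injected entry; DNS cache poisoning, the other pharming route, is not covered by this check.

```python
import ipaddress

# Assumption: domains the defender wants to be sure are never overridden locally.
MONITORED = {"www.samsung.com", "account.samsung.com", "www.example-bank.com"}

# Constructed sample in hosts-file format. The bank line imitates a malware-injected
# entry; 203.0.113.0/24 is a documentation range, so it is not a real server.
SAMPLE_HOSTS = """127.0.0.1     localhost
::1           localhost
192.168.1.10  printer.lan
203.0.113.45  www.example-bank.com   # injected entry
0.0.0.0       ads.tracker.example    # benign ad-blocking entry
"""

def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address: skip rather than crash on a corrupted file
        entries.extend((addr, name.lower()) for name in names)
    return entries

def suspicious_entries(text, monitored=MONITORED):
    """Return (hostname, ip, kind) for every monitored name pinned in the hosts file.

    kind is 'redirect' when the name is sent to some other address (classic pharming)
    and 'blackhole' when it is sent to loopback or 0.0.0.0, which silently cuts the
    victim off from the real service (a trick used against update and AV servers)."""
    hits = []
    for addr, name in parse_hosts(text):
        if name in monitored:
            kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
            hits.append((name, str(addr), kind))
    return hits

if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {ip}")
```

In practice the text would be read from the real hosts file, and a hit on a monitored domain is worth treating as an incident rather than a misconfiguration, since nothing in normal use writes banking or vendor domains there.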
Best Practices to prevent social engineering attacks
- Use multi-factor authentication so that a phished password alone is not enough to take over an account.
- Be wary of tempting offers and think before accepting them, especially when they seem too good to be true.
- Keep anti-virus and anti-malware software updated to prevent and detect infections[15].
- Train employees on social engineering attacks, the tactics attackers use, and how to recognise them[16].
- Avoid oversharing on the internet; the details you post are the raw material attackers use to make a pretext convincing.
In conclusion, individuals such as end users, tech support staff and employees are usually considered the weakest link from a security point of view, because human decision-making is unpredictable and people are susceptible to social engineering[17]. Hence they have to be cautious at all times.
[1] Todd Jones, ‘The 12 Latest Types of Social Engineering Attacks (2022)’ (Aura, 25 March 2022) <https://www.aura.com/learn/types-of-social-engineering-attacks> accessed 5 September 2022
[2] Samsung, ‘Important Notice Regarding Customer Information’ (Samsung, 2 September 2022) <https://www.samsung.com/us/support/securityresponsecenter/> accessed 5 September 2022
[3] Ravie Lakshmanan, ‘Samsung Admits Data Breach that Exposed Details of Some US Customers’ (The Hacker News, 3 September 2022) <https://thehackernews.com/2022/09/samsung-admits-data-breach-that-exposed.html?&web_view=true> accessed 5 September 2022
[4] Andrew Orr, ‘Samsung hack in July 2022 led to customer data theft’ (AppleInsider, 2 September 2022) <https://appleinsider.com/articles/22/09/02/samsung-hack-in-july-2022-led-to-customer-data-theft> accessed 6 September 2022
[5] Chuck Brooks, ‘Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know’ (Forbes, 3 June 2022) <https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=1277154b7864> accessed 5 September 2022
[6] Ibid.
[7] Kaspersky, ‘What is Social Engineering?’ (Kaspersky, n.d.) <https://www.kaspersky.com/resource-center/definitions/what-is-social-engineering> accessed 5 September 2022
[8] Ibid.
[9] Ibid.
[10] TechTarget Contributor, ‘Vishing (voice or VoIP phishing)’ (TechTarget, 2008) <https://www.techtarget.com/searchunifiedcommunications/definition/vishing> accessed 5 September 2022
[11] Luke Irwin, ‘The 5 most common types of phishing attack’ (IT Governance, 24 March 2022) <https://www.itgovernance.eu/blog/en/the-5-most-common-types-of-phishing-attack> accessed 6 September 2022
[12] IT Governance, ‘What is Social Engineering? | Techniques & Prevention’ (IT Governance, n.d.) <https://www.itgovernance.co.uk/social-engineering-attacks> accessed 6 September 2022
[13] Ibid.
[14] Imperva, ‘Social Engineering’ (Imperva, 2022) <https://www.imperva.com/learn/application-security/social-engineering-attack/> accessed 6 September 2022
[15] Ibid.
[16] Incognia, ‘What are the most common forms of Social Engineering?’ (Incognia, 2022) <https://www.incognia.com/the-authentication-reference/what-is-the-most-common-form-of-social-engineering> accessed 6 September 2022
[17] Stephen M.W., ‘Understanding the weakest link principle of IT security’ (TechGenix, 26 March 2021) <https://techgenix.com/weakest-link-principle-of-it-security/> accessed 7 September 2022