How to Protect Your Business Assets and Revenue from Cybercriminals

In today's digital landscape, cybercrime has become a mounting concern for businesses. Staying vigilant is now more crucial than ever to shield against the increasing threats.

Annually, cybercriminals manage to siphon $6 trillion from the global economy, a sum that's three times the value of Africa's entire economy.

One of the most prevalent methods employed by cybercriminals today is through the art of social engineering, because at the end of the day computers don't hack you, people do.

Social engineering attacks are the primary cybersecurity threat to individuals and organisations in Africa today. According to data, 91% of cyberattacks on individuals and 52% of successful cyberattacks on organisations in Africa are social engineering attacks, which are mostly phishing attempts. In Q2 2023, African organisations experienced the highest average number of cyberattacks per week per organisation. This was a 23% increase in comparison to Q2 2022, which means that individuals and organisations are facing more cyber threats now than before. 

Additionally, the 2023 phishing report by KnowBe4 reports that 33% of corporate employees in the African region are vulnerable to social engineering scams, most notably phishing attacks. This calls for introspection on the cybersecurity measures to secure our world from malicious actors. This post seeks to increase your cybersecurity awareness by helping you understand social engineering and how to shield your business from it. 

What is Social Engineering?


Social engineering, also known as human hacking, refers to malicious actions carried out by hackers to manipulate, influence, and deceive unsuspecting individuals into releasing control of their systems or giving away sensitive information. These hackers manipulate their victims psychologically and exploit their human weaknesses to compromise their personal or organisation’s security. Some examples of this include phishing, CEO fraud, and spear phishing. Understanding social engineering and how it works is crucial to the overall cybersecurity awareness of your organisation. Both are in fact, two sides of the same coin.   

A social engineering attack can happen in several steps, which start with investigating the potential victims to find out background information, like potential entry points for the attack. Then the perpetrators proceed to win the victim’s trust or provide them with a stimuli for them to take actions that will breach security and grant access to the perpetrators.  Social engineering has proven to be a potent tool in the hands of hackers because it doesn’t require operating system and software vulnerabilities, but rather relies on human errors, which are less predictable and more difficult to identify. 

How Social Engineering Attacks Work 

The 4 stages in the image above are the main stages of a social engineering attack:

1. Investigation (Information Gathering)
This is the first phase of the attack, where the attackers identify their victims and gather the necessary information for a successful attack on them. It’s the phase in which attackers spend most time because it largely determines the success of their social engineering attack. With the right level of information about their potential victim, these hackers can determine the attack method, the target’s possible passwords, and likely responses, etc. They become familiar with the target before moving on to the next phase. 

2. Hook (Establishing Relationship)
In this phase, the attackers engage the target and establish a relationship or rapport with them. This is also crucial to their work because the quality of this relationship will determine how much the target cooperates and helps the attackers achieve their goal. They tend to take control of the interaction and psychologically manipulate their targets by sharing stories, and family pictures, and connecting with them personally. Sometimes they do this physically or connect with their targets with fake profiles on social media platforms, dating sites, etc. 

3. Play (Exploitation) 
At this phase, the attacker actively infiltrates their victim with the information they’ve gathered in the first and second phases. Here they expand their foothold with the victim, attacking them saliently but actively, while maintaining the relationship from the previous phase and avoiding raising suspicion. Exploitation happens when targets divulge seemingly unimportant information to the attacker or grant access that is otherwise restricted because of trust. Some examples of exploitation are:

- Disclosing username and password
- Introducing the social engineer to other company colleagues
- Discussing organisation's trade secrets in conversation with a “friend”
- Opening a malicious email attachment

4. Exit (Execution)
This is the final stage of social engineering in which the attacker ends the process in a manner that doesn’t raise suspicion, mostly after achieving their goal. Most times, the victim doesn’t suspect anything when the attack ends. Instead, the attacker tries to make the victim feel good about their interactions, leaving room for future interactions. The attacker also covers their tracks by removing every trace of malware, or digital footprint. They make sure to leave no information behind, allowing them to remain anonymous after they’ve executed an attack.

What is Phishing?

Phishing refers to a fraudulent act in which the hacker poses as a reputable person or entity via email or other forms of communication to distribute malicious attachments and links to extract an organisation's information from the victim/employee. It is the most prominent social engineering method used to scam organisations in Africa. According to a Kaspersky report released in August 2022, it detected 10,722, 886 phishing attacks across three countries (Kenya, South Africa, and Nigeria) in Africa in Q2 2022. Kenya was the most affected with 5,098,534 phishing attacks, followed by South Africa with 4,578,216 phishing attacks, and Nigeria with 1,046,136 phishing attacks. When these attacks are successful, they often lead to ransomware attacks, identity theft, data breaches, credit card fraud, and massive financial losses for corporations. 

These phishing scams work through email campaigns to create curiosity, fear, or a sense of urgency in the victims prodding them to reveal sensitive information, open malware-infested attachments, or click on malicious links. For instance, a targeted employee could receive an email that requires them to take immediate action, like changing passwords or providing account information. This email will include a link to a fake website that looks like the original version, making it hard for victims to suspect. 

How to Prevent Social Engineering Attacks in Your Business

While hackers have used social engineering to devastating effect in recent times, much of their success can be attributed to a lack of cybersecurity awareness within the business/organisation's structure. As effective as these attacks are, they are preventable and avoidable. All it takes is to pay attention to the following: 

1. Cybersecurity Training for Employees
Training your business's staff and employees in the basics of cybersecurity is an effective way to shield your business from a hack like social engineering. A basic human flaw that social engineering takes advantage of is ignorance. Having your employees undergo comprehensive cybersecurity awareness training helps them recognize possible social engineering attacks, and prevent falling into such traps. Adequate training ensures that they know and follow cybersecurity best practices in both online and offline situations, which keeps them and your organisation safe.

2. Social Media Usage Policy to Prevent Employee Oversharing Information Online 
Human hacks only work by information, that’s why the first and most important stage of social engineering is the information-gathering stage. Your business employees can make the work of social engineers easier by their use of social media. By oversharing information about their life online, social media especially, they're giving hackers the arsenal to launch a social engineering attack on them, and your business by extension. In isolation, the information shared may appear inconsequential, like birthdays (or date of birth), pet’s name, primary school, car model, partner’s name, company, position or role,  address, etc. However, when you put them together, in the hands of a social engineer, it makes you easy to hack. So, it's important that your business has a social media usage policy for employees. 

Social media platforms, like Twitter, are easy tools in the hands of social engineers to mine information from potential targets. The image below is one way in which this platform can be used to gather information for social engineering attacks. 

If your employee engages posts like these online, chances are your business is currently being targeted, or worse still, you're a victim already. 

3. Use Strong Passwords and Two-Factor Authentication 
Again, you can make the work of social engineers and hackers easier with passwords like “password,” “12345,” your date of birth, your pet’s name, etc. They can easily guess these passwords from all the information they’ve gathered about you. So, always make sure to use strong passwords. Ideally, you want to use something you can remember easily, but make sure it’s unique, complex, and not easy to guess. A simple way to achieve this is by using longer passwords that combine letters (upper and lower cases), numbers, and symbols. 

You can also add an extra layer of security by using two-factor authentication. This ensures that your identity is verified by more than one security measure (password) upon each login. The second factor could be temporary passcodes via email or text message, or biometrics like facial recognition or fingerprint.

4. Physical Security 
Physical security also plays a crucial part in avoiding getting hacked, especially when you’re in public. For instance, you should always look over your shoulder (shoulder surfing) to be sure no one is spying on you before typing any password in public. 
Your office practices also constitute part of your physical security measures. For instance, you should imbibe a ‘clean desk policy,’ which means you don’t leave sensitive documents lying around your desk or write sensitive information like passwords on sticky notes, etc. Other safe practices include locking your computer when leaving your workstation and proper disposal (via shredding) of official documents. 

5. Activate Data Encryption via SSL Certification 
In situations where hackers are able to get through your employees, data encryption will serve as your company's last line of defence. It prevents the hackers from being able to access your business's communication systems and information. An SSL certificate provides authentication and security for your website, enabling that information is encrypted and unauthorised persons can't gain easy access. 

Conclusion 
Social engineering poses a serious threat in a world where most activities are online and the internet provides a marketplace for businesses to thrive. Hence, ensuring your business and employees have a  strong cybersecurity awareness is non-negotiable in this age. Understanding how social engineering works and how to prevent these attacks keep your business on the safer side of the online world.