MGM Resorts, a $34 billion casino and hotel empire, recently suffered a major systems issue that left slot machines, room keys, and other critical devices inoperable. Surprisingly, the attackers revealed that all it took to breach this giant organization was a ten-minute phone call. It appears that the hackers utilized a social engineering attack, one of the most common and low-tech methods of intrusion. Social engineering involves manipulating a target, either psychologically or through deception, to obtain sensitive information or carry out actions that benefit the attacker. These attacks can range from taking down global corporations to devastating the personal finances of individual victims.
So why are social engineering attacks so effective, and why are they difficult to prevent? The answer lies in the attackers’ ability to deceive and trick individuals into feeling comfortable enough to reveal sensitive information. Attackers use various techniques to build trust, gather personal information to create a sense of familiarity, or create a sense of urgency that compels individuals to act quickly without considering the potential risks. Researcher Erik Huffman, who studies the psychology behind cybersecurity trends, explains that individuals who are extroverted, agreeable, and open to new experiences are more susceptible to these attacks. Fear and helpfulness are often exploited as attack vectors because the more comfortable individuals are, the more vulnerable they become.
Moreover, digital environments lack the social cues present in face-to-face interactions, making it harder for potential victims to pick up on suspicious signs. In digital interactions, individuals tend to read messages in their own voice, projecting their own goodwill onto them. This projection doesn’t typically happen in person because social cues and body language provide additional information that can trigger a gut feeling that something is off. In practice, social engineering attacks can be as simple as a fraudulent phone call from a scammer seeking credit card information or as complex as layered attacks combining multiple deceptive approaches.
According to Sophos X-Ops principal researcher Andrew Brandt, around 98% of cyberattacks rely to some extent on social engineering tactics. Victims often encounter simple attacks, such as receiving a text from someone posing as their boss asking for gift cards or falling for phishing emails with malicious links. However, there are instances, like the MGM Resorts attack, where attackers devise intricate schemes involving various stages of deception to breach organizations.
Brandt suggests several warning signs that can help identify potential attacks, such as receiving an unusually large file, a password-protected zip file that cannot be scanned for malware, or a suspicious shortcut file. However, a significant part of detecting these attacks relies on individuals’ instincts and their ability to pause and consider the potential risks before taking action. Brandt emphasizes that individuals need to practice reflexively distrusting unfamiliar people and their messages, again and again, until skepticism becomes a habit.
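The three technical warning signs Brandt lists (an unusually large file, a password-protected zip that a scanner cannot open, and a shortcut file) can be checked automatically before a message ever reaches a person's inbox. The following is an added example written for this page, not code from the article, from Sophos, or from any product; it assumes a mail-gateway hook that hands each attachment's filename and raw bytes to `triage_attachment`, and the 10 MiB size threshold is an assumed policy value. The password-protected check reads the encryption bit (bit 0 of the general-purpose flag field) from the ZIP headers; the shortcut check matches the fixed 20-byte header of a Windows shell link (header size 0x4C followed by the link CLSID). The sample attachments are constructed inline so the block runs offline.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
# Shell link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
DEFAULT_LARGE_THRESHOLD = 10 * 1024 * 1024  # assumed policy value: 10 MiB


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member carries the encryption flag (bit 0 of the general-purpose
    flag field), i.e. a password would be needed before the content could be scanned."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name: str, data: bytes,
                      large_threshold: int = DEFAULT_LARGE_THRESHOLD) -> list:
    """Return the warning signs present in one attachment (empty list: none triggered)."""
    findings = []
    if len(data) > large_threshold:
        findings.append("unusually large file")
    if data.startswith(ZIP_LOCAL_HEADER) and zip_is_encrypted(data):
        findings.append("password-protected zip (cannot be scanned)")
    # Check both the magic bytes and the extension: a renamed .lnk still has the header,
    # and a malformed one with the right extension is still worth flagging.
    if data.startswith(LNK_MAGIC) or name.lower().endswith(".lnk"):
        findings.append("windows shortcut (.lnk) attachment")
    return findings


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed test input: a one-member ZIP. When encrypted=True the encryption bit is
    set in both the local and central headers (the stdlib cannot write encrypted archives,
    so the flag is patched in by hand)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "constructed sample content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x1                      # local file header: flag field at offset 6
        cd = raw.find(ZIP_CENTRAL_HEADER)
        raw[cd + 8] |= 0x1                 # central directory entry: flag field at offset 8
    return bytes(raw)


if __name__ == "__main__":
    # Constructed sample attachments, not real mail traffic.
    samples = {
        "invoice.zip": make_sample_zip(encrypted=True),
        "Invoice.pdf.lnk": LNK_MAGIC + bytes(56),   # padded to the 76-byte header
        "notes.txt": b"nothing unusual here",
    }
    for fname, blob in samples.items():
        print(fname, "->", triage_attachment(fname, blob) or "no warning signs")
```

A hit from `triage_attachment` is a reason to hold the message for review or to route it to a sandbox, not proof of an attack; the point of the example is that the mechanical signs Brandt describes can be enforced consistently, leaving the human to apply the judgement the article says no filter can replace.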
Huffman recommends that individuals acknowledge the limitations of digital environments and ask critical questions before trusting or providing sensitive information. Questions like whether it makes sense for the person to reach out, if they exhibit trustworthy behavior, if they possess the authority or power to give directions, and if they genuinely understand the subject being discussed can help in avoiding falling victim to social engineering attacks.
Social engineering attacks are constantly happening to various corporations and individuals. Although it may be tempting to stop being nice altogether for safety’s sake, the key lies in striking a balance between social instincts and healthy skepticism. One can still be helpful, but caution is necessary. Being aware of the vulnerabilities that good-natured traits present when faced with malicious actors can empower individuals to protect themselves and their organizations from social engineering attacks.