Social engineering is a dangerous and increasingly popular attack vector, but businesses are still ignoring the threat.
“The risk is heavy,” said renowned social engineering expert Chris Hadnagy, who goes by the alias loganWHD and HumanHacker.
“Too many companies are falling victim to social engineering attacks and doing very little to protect against it… [Social engineering] is used in everyday life and the bad guys are using it even more each day in each attack.”
Hadnagy said a single trusting individual with sufficient access credentials is enough to make an attack successful.
“If my goal is company-wide domination then a larger company has more people, more attack surface and a larger chance of failure,” Hadnagy said. “Yet people are so trusting that even small companies or individuals will be at risk.”
The effectiveness of social engineering attacks is on show at dozens of hacker conferences each year, which often prove that big budgets do not equate to good security.
One of the world’s largest beverage giants was the first to fall at a recent US social engineering challenge, after an Australian contestant swindled enough information from the company’s IT help desk to access its corporate network.
“Unfortunately, unless there is a large shift in the way the higher-ups think, [the risk of attack] will not change. What we need is for companies to stop waiting until after there is a breach in order to make penetration testing a priority.”
Annual, full black-box audits are the best way for organisations to combat the risk of attack, Hadnagy said. Education and strong policy also help, but he said “these are time-intensive fixes that need constant care”.
Hadnagy has worked in the IT industry for more than a decade and is focused on social engineering and physical penetration testing.