Threats posed to Personal Data by Social Engineering

by Richard Hall Senior Associate, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7483 407825

The advent of the GDPR means that organisations will need to make increased efforts to deal with specific threats and this includes those posed by social engineering attacks.

This blog explores the different types of social engineering attacks and what you can do to assist in reducing those risks as part of your compliance efforts.

What is Social Engineering in the context of Data Security?

Social engineering or “Human Hacking” is the process of taking advantage of human vulnerabilities to gain access to systems, finances and/or data.

It can be done in person, over the phone, via email or by a range of other techniques. The one common denominator is that the techniques used are designed to take advantage of the human vulnerabilities in security systems and controls. Social engineering attacks such as phishing and pre-texting are some of the most common cyber-attacks used on organisations and individuals alike.

Social engineering is not a new phenomenon. One of the more infamous hackers, Kevin Mitnick, did an interview back in 2002 where he stated that he found it was “easier to manipulate people rather than technology” and that most organisations overlook the human element [1]. Unfortunately, despite the passage of time and the improvements in technology we do not appear to be much further along in combating this threat.

Types of Social Engineering Attacks

In order to properly evaluate the risks posed to personal data and implement effective controls and organisational measures to protect personal data, organisations must first understand the different threats to their data security and how those threats can be reduced. Some of the better-known examples of social engineering attacks that you may already be aware of include, but are not limited to:

Phishing is the fraudulent attempt to obtain sensitive information from individuals using electronic communications such as email, text or instant messaging platforms, with phishers often disguising themselves as a credible and trustworthy entity.
Spear-phishing is simply a version of phishing in which, rather than casting a wide net, individuals, groups or organisations are targeted specifically by the phisher.
Vishing is very similar to phishing; however, it takes place over the phone rather than through written electronic communications. An example would be a visher calling and pretending to be from your bank and asking for your details.
Pre-texting is a form of social engineering which can take place either by electronic communications or in person; however, pre-texting attacks most often take place via email. The attacker focuses on creating a convincing pretext or scenario in order to trick their victim into handing over information.
Baiting is very similar to phishing; however, what sets it apart is the offer of a reward or prize to bait the intended victim into clicking on a link or downloading malicious software.
Whaling in a cyber-security context is a form of spear-phishing in which attacks are focused on specific high-value targets. The intention may be to target the person with the highest level of access to certain systems, or someone who holds power within an organisation, in order to allow the phisher to leverage that access or power to get what they want.

Reducing the threat of Social Engineering

In an ideal world, technology would be used to mitigate all of the risks caused by humans, by restricting and controlling what they can do through systems and tools. When utilised properly there are some beneficial tools and systems that can be implemented to introduce greater control and minimise human error. However until we can get to a point where technology can be used to fully remove the risk caused by people in the process we must tackle the risks posed by social engineering with a mixture of the technological controls available, robust training and awareness programmes, regular risk assessments and active threat management.

The likelihood of a social engineering attack being successful is escalated when tools such as mail filters and access controls are not properly configured and when individuals are not aware of the risks or how to deal with them; this can be due to a number of factors, but usually comes down to insufficient employee awareness and/or training.

Good configuration can result in a higher volume of malicious communications being diverted away from their intended targets within an organisation, and when matched with good training and awareness regimes and clear policies and procedures, organisations can significantly reduce the risk of a personal data breach arising from social engineering techniques. When an organisation combines this with good threat intelligence to stay on top of the newest threat types, and regular risk assessments to inform their decision making and threat response, they will not only be in a good place to deal with the threats posed by social engineering attacks, they will also be better placed to respond to attacks if and when they do occur.
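To make the “properly configured mail filter” point concrete, the following is an added example (not PwC's code, nor anything from the original post) of the kind of phishing-indicator checks a receiving mail filter applies before a message reaches a person: display-name impersonation of an internal address, typo-squatted lookalike domains, Reply-To diverging from From, failed SPF/DKIM/DMARC results recorded by the receiving server, and classic lure wording. The organisation's domain example.org and the three sample messages are constructed placeholders.

```python
"""Phishing-indicator checks of the kind a mail filter applies on receipt.

Added example, not PwC's code. Assumptions: the organisation's own mail domain
is example.org (placeholder) and the three messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"  # assumption: the organisation's own mail domain
LURE_PHRASES = ("verify your account", "urgent", "password", "click here", "prize")

# Constructed sample messages (not taken from the article).
BENIGN = """\
From: Alice Smith <alice.smith@example.org>
To: bob@example.org
Subject: Minutes from Tuesday
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass

Attached are the minutes. Thanks, Alice
"""

SPOOFED = """\
From: "ceo@example.org" <finance.urgent@mail-free.test>
Reply-To: attacker@another.test
To: bob@example.org
Subject: URGENT wire transfer
Authentication-Results: mx.example.org; spf=fail; dkim=none; dmarc=fail

Please click here to verify your account details before 5pm.
"""

LOOKALIKE = """\
From: IT Helpdesk <helpdesk@examp1e.org>
To: bob@example.org
Subject: Password reset required

Your password expires today. Click here to reset.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)

    # Display name claims an internal address while the real sender is external.
    if INTERNAL_DOMAIN in display.lower() and sender_domain != INTERNAL_DOMAIN:
        findings.append("display-name spoof")

    # Sender domain is one or two edits away from the real one (e.g. examp1e.org).
    if (sender_domain and sender_domain != INTERNAL_DOMAIN
            and edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2):
        findings.append("lookalike domain")

    # Replies would go to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append("reply-to mismatch")

    # The receiving MX recorded an SPF, DKIM or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{mech}=fail" in auth for mech in ("spf", "dkim", "dmarc")):
        findings.append("authentication failure")

    # Classic lure wording in the subject or body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(phrase in text for phrase in LURE_PHRASES):
        findings.append("lure wording")
    return findings


def verdict(findings):
    """Filter decision: strong indicators quarantine, weak ones flag for review."""
    strong = {"display-name spoof", "lookalike domain", "authentication failure"}
    if strong & set(findings):
        return "quarantine"
    if findings:
        return "flag for review"
    return "deliver"


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        found = phishing_indicators(raw)
        print(f"{name}: {verdict(found)} {found}")
```

The point of the split between “quarantine” and “flag for review” is that a single weak signal (lure wording, a mismatched Reply-To) is common in legitimate mail, whereas an impersonated display name, a lookalike domain or an upstream authentication failure is rarely innocent; tuning those thresholds, and keeping the lookalike list and lure phrases current from threat intelligence, is what “good configuration” amounts to in practice.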

How can we help?

At PwC we adopt a multidisciplinary approach to helping clients tackle the challenges of regulatory compliance and data protection, helping with all aspects of preventative security, including threat vulnerability assessments, development of security strategies and design of key security functions and mechanisms. Importantly we can also help if things go wrong with our Personal Data Breach Management services. For further information please visit our website.

[1] Kevin Mitnick, “How to Hack People”, BBC, 2002.
