There’s a phenomenon plaguing all workers today, but in particular software engineers: social engineering. It’s the act of deceiving and manipulating individuals, often in sophisticated ways, into sharing confidential information or allowing unauthorized access to applications and data.
While any workforce user can become a target of a social engineering attack, software engineers are among the most targeted. According to Elevate research, since April 2022, social engineering attacks on engineers have increased 142%! We’ve seen confirmation of this targeting in the headlines, as recent cyberattacks on major organizations have been carried out via social engineering attacks on engineers.
Why attack engineers and developers? Gaining access to application code gives attackers maximum leverage and the ability to inject backdoors for long-term persistence.
But the real question is, why are social engineering attacks so effective? How are these attacks executed and why? What do hackers look for in a victim that makes software engineers a hot target? In this article, we’re diving into social engineering attacks and sharing why it’s on both security teams and engineering managers to look for solutions to better protect their team, their company’s source code, their clients, and the organization as a whole.
Social Engineering Attacks: Defined
According to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involve the human element. And social engineering hackers exploit this vulnerability. Social engineering attacks focus on human interactions with the goal of influencing workforce users to break security protocol and essentially give up unfettered access to a company’s systems, networks, and/or source code.
These attacks are highly sophisticated and strategically thought out. Social engineering hackers are similar to stalkers in that they will dig deep into an individual’s online presence to find a way into their personal network. They research social media accounts, company websites, online forums, and any other form of personal data they can find on the internet. Equipped with knowledge of an individual’s personal life, including their job role, company they work for, likes and dislikes, threat actors can trick the person into releasing sensitive information about the company they work for.
Example of a Social Engineering Attack
Consider this example. Through social engineering tactics, hackers find a newly hired engineer. They leverage readily available dark web tools to bombard the engineer with phony authentication requests.
The attacker then pretends to be a member of the IT team, texting the user, “Hey, all those requests you’re declining are from us in IT. We had an issue with your account that we need to urgently troubleshoot. Please accept the request or we’ll have to escalate to Paul Brower.” (The boss?) They know fear of shame is a powerful motivator, especially for newer workers. And once hackers have this access, there’s no telling what they won’t do.
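The pattern in this scenario, a burst of declined authentication requests followed by a single acceptance, is something a security team can alert on. The following is an added example, not part of the original article: the event layout, user names, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: (timestamp, user, result).
# The field layout and user names are hypothetical, not from any real product.
SAMPLE_EVENTS = [
    ("2022-09-01T02:10:05", "new.engineer", "denied"),
    ("2022-09-01T02:10:40", "new.engineer", "denied"),
    ("2022-09-01T02:11:15", "new.engineer", "timeout"),
    ("2022-09-01T02:12:02", "new.engineer", "denied"),
    ("2022-09-01T02:12:50", "new.engineer", "denied"),
    ("2022-09-01T02:19:30", "new.engineer", "approved"),
    ("2022-09-01T09:00:00", "staff.dev", "denied"),
    ("2022-09-01T09:00:30", "staff.dev", "approved"),
]

def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on users who reject `threshold` or more pushes inside `window`.

    Severity is "medium" for the burst alone and "high" when an approval
    arrives while the burst is still inside the window (likely user gave in).
    """
    recent = defaultdict(deque)   # user -> timestamps of recent rejected pushes
    alerts = {}                   # user -> alert record
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        rejected = recent[user]
        # Drop rejections that have aged out of the sliding window.
        while rejected and ts - rejected[0] > window:
            rejected.popleft()
        if result in ("denied", "timeout"):
            rejected.append(ts)
            if len(rejected) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "burst_start": rejected[0],
                                "rejected": len(rejected), "severity": "medium"}
        elif result == "approved" and len(rejected) >= threshold:
            alert = alerts.setdefault(user, {"user": user,
                                             "burst_start": rejected[0],
                                             "rejected": len(rejected)})
            alert["severity"] = "high"
            alert["approved_at"] = ts
            rejected.clear()      # start fresh after the approval
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert here is a cue to revoke the session and contact the user through a known-good channel, since the approval may have been coerced.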
Recent Real-Life Social Engineering Attacks on Engineers
Recently, there has been a rise in social engineering attacks targeting engineers at major corporations. Elevate research shows that for the month of August 2022, engineers were targeted 6.8x more often than non-engineers. And within the past few months, enterprises including a ride share app, a password manager platform, and a video game publisher have all been victimized by social engineering attacks.
If these social engineering attacks are impacting major corporations and large enterprises, your organization could be at risk as well.
Criteria Hackers Look For in a Target Victim
According to TechTarget, “social engineering is a popular tactic among attackers because it is often easier to exploit people than it is to find a network or software vulnerability.” But why is this the case? We’ve worked diligently to determine what criteria hackers look for in their victims. Here’s what we’ve found:
- Hackers value data and look for folks who have direct access to proprietary data, including source code (A.K.A. engineers)
- Social engineering attack victims typically have a higher risk level and are more susceptible to being attacked
- Threat actors target individuals they can gather a lot of information about through social media and other means on the internet
- Hackers will target new employees who may not be fully familiar with their company’s security protocols
- Some attackers may leverage malware scams to bait and trap victims
When cybercriminals start going after your people instead of your cyber perimeter, it’s time to look for cybersecurity solutions that protect your people.
With social engineering attacks growing even more sophisticated over time, security teams are searching for the best-fit technologies to prevent these attacks. And now, as engineers are becoming the top target for social engineering attacks, engineering managers are on the hunt for an effective solution as well.
Since engineers (and other workforce users) are being tricked and victimized by threat actors, organizations need a way to understand and mitigate user risk at an individual level. In our latest eBook, we detail how you can identify and respond proactively to your organization’s highest-risk users to prevent social engineering attacks (among others) from affecting your engineers and your organization. Check it out!