Published 05-30-24
Human beings are inherently social creatures, which can be both a blessing and a curse, especially in the world of cybersecurity and identity crime. Understanding the intricacies of social engineering attacks is paramount in comprehending their threat to businesses. These attacks exploit human vulnerabilities by tailoring strategies to target specific demographics or personality types, utilizing personal, social, and cultural information.
Through an exploration of a prominent case involving MGM Resorts and discussions on defense strategies, we can begin to see the critical need for innovative solutions like Photolok in safeguarding against such threats.
In the context of security, social engineering describes a method of tailoring an attack to target a specific demographic or personality type using information gathered about their personal, social, and cultural habits and expectations. According to Carnegie Mellon University, social engineering attacks rely on “manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information.” This is considered a form of psychological manipulation and usually occurs in a four-step cycle:
Social engineering attacks rely heavily on our expectations and on a manufactured sense of urgency. For example, if you receive an email that appears to come from your bank, you are less likely to check its legitimacy when it threatens to close your account and take legal action unless you confirm your identity, or when it claims your information has already been compromised and that acting now is the only way to avoid thousands of dollars in losses. Urgency is the tell: a message that punishes you for pausing to verify is a message worth verifying.
The most common form of social engineering attack is phishing: the attacker duplicates, or “spoofs,” an official form or website and directs targets to it with a spoofed message “alerting” them to a problem with, or an update to, their account. The spoofed site looks just like the login screen of the real business or organization, but it never grants access; after the credentials are submitted it typically shows an error or quietly redirects the victim to the genuine site so nothing looks amiss. Either way, the submitted information goes straight to the attacker, who can then use it to log in to the legitimate site. Because the visible link text and the actual destination of a link are independent in HTML email, the page the victim lands on is often not the one the message appears to name.
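Two mechanical checks that catch the bulk of spoofed links described above are (1) whether the visible link text names a different host than the href actually points to, and (2) whether the href host is a lookalike of a host the organization trusts (digit-for-letter substitutions, a name one or two edits away, or the real brand buried as a subdomain of an attacker-controlled domain). The following Python is an added example, not code from the original article or from Photolok; the `TRUSTED_HOSTS` allowlist, the confusable table and the sample email are all constructed for illustration.

```python
"""Flag suspicious links in an HTML email body (added example, not from the article).

Checks:
  1. href host is a lookalike of a trusted host (confusable characters,
     small edit distance, or the trusted brand embedded in another domain).
  2. visible link text names a host but the href goes somewhere else.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the organization legitimately links to.
TRUSTED_HOSTS = {"login.examplebank.com", "examplebank.com"}

# Common confusable substitutions seen in lookalike domains (illustrative, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net hosts in this example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalize(host):
    """Undo common confusable substitutions so 'examp1ebank' compares as 'examplebank'."""
    h = host.lower()
    for bad, good in CONFUSABLES.items():
        h = h.replace(bad, good)
    return h


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return None if the host belongs to a trusted registrable domain, else a reason string."""
    host = host.lower()
    reg = registrable_domain(host)
    trusted_regs = {registrable_domain(t) for t in TRUSTED_HOSTS}
    if reg in trusted_regs:
        return None
    for treg in sorted(trusted_regs):
        brand = treg.split(".")[0]
        if brand in host:
            return f"trusted name '{brand}' embedded in untrusted domain '{reg}'"
        if normalize(reg) == treg or edit_distance(reg, treg) <= 2:
            return f"lookalike of '{treg}'"
    return f"untrusted host '{host}'"


def analyze_email(html):
    """Return a list of (href, reason) findings for every suspicious link."""
    findings = []
    for href, text in extract_links(html):
        href_host = urlparse(href).hostname or ""
        reason = classify_host(href_host)
        if reason:
            findings.append((href, reason))
        # Visible text that looks like a host/URL must agree with the real target.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(href_host):
            findings.append((href, f"link text shows '{shown.group(0)}' but target is '{href_host}'"))
    return findings


# Constructed sample phishing email: a confusable domain, a brand-in-subdomain
# domain, and one legitimate link.
SAMPLE_EMAIL = """
<p>Your account will be closed within 24 hours.</p>
<a href="https://examp1ebank.com/verify">https://login.examplebank.com/verify</a>
<a href="https://examplebank.com.account-check.net/login">Confirm your identity</a>
<a href="https://login.examplebank.com/help">Help center</a>
"""

if __name__ == "__main__":
    for href, reason in analyze_email(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run against the constructed sample, the first link is reported twice (confusable domain, and link text that disagrees with the target), the second is reported for embedding the trusted brand in an untrusted domain, and the legitimate help-center link produces nothing. The allowlist-by-registrable-domain approach is deliberate: a trusted site's own subdomains should not trip the lookalike heuristic.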
In September of 2023, the Las Vegas giant MGM Resorts suffered a major cyberattack that took down large portions of its casino operations and disrupted service for guests and staff across the resort’s multiple locations. UK news outlet The Daily Mail reported that “the main website for MGM Resorts remained down on Wednesday [September 13] morning, following a ‘cybersecurity incident’ the company says impacted reservations and casino floors in Nevada and seven other states.”
Potentially the most embarrassing part of the breach is that the initial access reportedly came from a 10-minute phone call, built on information about a single employee that the attackers had gathered through social engineering reconnaissance. According to some reports, a member of the attacking group looked up the employee on LinkedIn and called the company’s Help Desk posing as them in order to gain control of the account. Once inside, the attackers were free to launch a massive ransomware attack.
This massive attack lasted 10 days and cost the company an estimated $100 million in lost revenue, which doesn’t even account for the cost of rebuilding its cybersecurity infrastructure. The breach affected around 10.6 million people, whose information from names and payment methods to addresses and account numbers was leaked.
The biggest challenge in assessing social engineering attacks is the human element; it is difficult to stop an attack when you are not sure one is happening. In the case of vishing (phishing conducted over a phone call or voicemail), unless a service representative is familiar with the voices of every employee, it is nearly impossible to catch an impersonation on recognition alone, and a caller who has researched the target on LinkedIn will already know the name, title, manager and start date that a help desk might otherwise ask for.
Because of this, it is best to build layers of protection into every method of access. Service representatives should verify identity with information an attacker cannot harvest from public profiles, such as a password, PIN, or an out-of-band check like calling the employee back on the phone number already on file before any credential or MFA reset is performed. Multi-factor authentication (MFA) should protect most if not all access points, so that a stolen password alone is not enough to reach the information an attacker needs; and the help-desk reset path deserves the same scrutiny as the login page, because an attacker who can talk their way into a reset bypasses MFA entirely.
Photolok is a service that offers a novel approach to thwart phishing attempts. Unlike conventional MFA methods reliant on security questions or email verification, Photolok uses a photo-based authentication system; users designate specific photo images as “keys” to their accounts. When attempting to access the service, users are prompted to select their “photo” from a grid. Access is granted only upon choosing the correct photo.
The strength of Photolok lies in the fact that it does not rely on easily compromised numerical codes, security question responses, or passwords vulnerable to phishing attempts. By utilizing unique photos, Photolok drastically raises the bar for attackers attempting to guess or phish access credentials, particularly given the absence of direct access to Photolok’s internal bank of photo options.
Photolok also integrates advanced features engineered to combat AI and machine learning-driven attacks, which gives the system stronger adaptability to evolving threats than traditional MFA. Additional options in the system, such as labeling photos for one-time use and activating alerts for administrators in the event of forced entry via “Duress” photo selection, further fortify security measures, particularly in public and remote work environments.
You can learn more about Photolok and how it can protect your company from social engineering attacks by contacting the sales team.