Social Engineering Attacks: Raising Awareness to Increase Resilience

This month, there have been several reports of large companies being affected by threats to their cyber security.

InterContinental Hotels Group PLC (which manages Holiday Inn, Crowne Plaza, and Regent hotels) confirmed that they had been hit by a cyber-attack on 6 September. Hackers managed to access the company’s databases by social engineering their way into an employee’s account and accessing a weak and easy-to-guess password: ‘Qwerty1234’, which had been sent to all employees to access the servers. The pair, under the moniker ‘TeaPea’, had originally intended to hold the information to ransom; however, the company’s IT team were able to isolate servers, so the hackers decided to perform a ‘wiper attack’ instead.

A wiper attack uses a class of malware which is intended to irreversibly erase (hence the name ‘wiper’) or destroy data. The tactic is usually deployed after the true goal of a cyber-attack has been achieved, but in this case, the hackers decided to carry out the attack “for fun” and out of frustration at not being able to complete the original ransomware threat.

The attack managed to render parts of the company’s customer-facing websites inoperable, causing disruptions for online bookings, and whilst no client data was stolen during this time, internal email records and corporate data had been compromised. 

In another incident, video game publisher Rockstar Games faced a similar attack on 18 September, when a hacker managed to gain access to the company’s Slack servers (a messaging app for businesses) and retrieve footage for their newest project, before leaking the data to online forums.

The hacker, a teenager who goes by the username ‘teapotuberhacker’, is also reported to have been responsible for the cyber-attack on Uber within the same week. The hacker bombarded an employee with false two-factor authentication requests (a technique known as ‘multi-factor authentication fatigue’) until the victim accidentally accepted the request, giving the attacker access to several other employee accounts, including Slack and other messaging tools. The hacker has since been arrested but there is no telling how much damage has been caused to both companies following the breaches.
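One way to spot the ‘multi-factor authentication fatigue’ pattern described above in authentication logs, shown as an added example that is not part of the original article. The log format, outcome names, ten-minute window and threshold of five are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: timestamp, user, push outcome.
SAMPLE_LOG = """\
2024-01-10T13:00:00 carol push_denied
2024-01-10T13:00:30 carol push_approved
2024-01-10T22:01:05 alice push_denied
2024-01-10T22:01:50 alice push_timeout
2024-01-10T22:02:30 alice push_denied
2024-01-10T22:03:10 alice push_denied
2024-01-10T22:04:00 alice push_timeout
2024-01-10T22:04:45 alice push_approved
2024-01-10T23:10:00 dave push_denied
2024-01-10T23:10:30 dave push_denied
2024-01-10T23:11:00 dave push_timeout
2024-01-10T23:11:30 dave push_denied
2024-01-10T23:12:00 dave push_denied
"""

REJECTED = {"push_denied", "push_timeout"}  # prompts the user did not accept

def parse_log(text):
    """Return (time, user, outcome) tuples in time order, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Map user -> alert; an approval right after a burst is the takeover signal."""
    recent = defaultdict(deque)  # user -> times of rejected prompts still in window
    alerts = {}
    for ts, user, outcome in events:
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # forget prompts older than the window
        if outcome in REJECTED:
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, "prompt_burst")
        elif outcome == "push_approved":
            if len(q) >= threshold:
                alerts[user] = "approved_after_burst"
            q.clear()
    return alerts
```

Calling `detect_mfa_fatigue(parse_log(SAMPLE_LOG))` flags alice as `approved_after_burst` and dave as `prompt_burst`, while carol’s single declined prompt followed by an approval raises nothing.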

Increasing Cyber Awareness

What these cyber-attacks have in common is that on all three occasions, social engineering played a part. In these cases, the victims unintentionally gave away sensitive information, leaving their systems exposed to hackers.

It is not just large companies that need to be aware of threats to their cyber security. Small businesses are at greater risk of social engineering attacks, with spear-phishing (an attack which targets specific individuals to gain access to important accounts) being the most common form of social engineering used to target employees.

It is easy for smaller firms to fall into the trap of complacency, assuming that they are too insignificant to be a target and hoping that they will easily ‘pass under the radar’ of cyber criminals. The reality is that all companies, no matter how big or small, or what industry they work in, are vulnerable to cyber-attacks, which makes it all the more important that firms invest in sufficient measures to boost their resilience.

Hackers are relying more on social engineering and “human error” in lieu of ‘traditional’ methods like spam or malware, which means that even the most effective email filtering software cannot provide adequate protection. Employees should be sufficiently trained to recognise cyber risks so that they are aware of the signs to look out for.

Measures to improve password protection and phishing-resistant authentication factors should also be implemented to deter cyber-criminals. IHG’s systems were also left vulnerable to hackers because their password was easy to guess (not to mention it has also made the list of most common passwords several years in a row), which was all it took for the criminals to access what they needed.

Remember, a cyber-attack can have a devastating effect on your business, causing significant financial, legal, and reputational damage. Do not assume that you are an unlikely target.

Users of the Development Zone can access a range of curated modules covering Cyber Risks and Data Security through our Content Catalogue.

About the author

Jessica joined RWA in 2018, having graduated with a First Class Honours degree in Film Studies. Her role as a content designer involves developing new and engaging e-learning modules as well as assisting in the creation of articles for Insight. 
