Traditionally, social engineering is a trick used by con men, thieves, and other malicious actors. Designed to catch the victim off guard and unaware, primarily for the actor's personal gain, many of today's social engineering scams take place exclusively online. This leaves many organizational leaders asking their IT departments the same question: How are organizations at risk from social engineering?
Taking a Modern Approach to Social Engineering
Modern problems require modern solutions. Since malicious actors have adapted traditional social engineering tricks to their online needs, the defense requires a proactive, innovative, and evolving approach to IT security.
Adopting security measures and fostering awareness of social engineering attacks requires first answering the following questions:
- What is social engineering, and how does it apply online?
- What three elements does every social engineering attack combine?
- What is the most common form of social engineering?
- How are organizations at risk from social engineering?
- What can organizations do to protect themselves from social engineering?
Social Engineering as an Art Form
Any hacker will tell you that social engineering is a form of art. Today’s hackers and social engineers have a variety of tactics at their disposal, but they all involve a combination of three primary elements:
- Deception – Deception tricks you into accepting the attacker's claimed identity, or some other claim that is simply false. A hacker might try to deceive you or your team by posing as:
- A member of your organization’s IT staff
- Your organization’s CEO (or another position of authority)
- An external organization or agency with authority in some matter (e.g., the Internal Revenue Service (IRS), a bank, a healthcare or insurance provider)
- Influence – Some hackers and social engineers try to influence you or your staff into taking an action they wouldn't otherwise perform. This is often done under the guise of "verifying" your personal information or an organization's sensitive data. In reality, the attacker does not have that data yet and is relying on you to supply it.
- For example, by using deception to disguise themselves as your CEO, a hacker might use the influence they now have to talk you into disclosing sensitive data (e.g., an organization’s account numbers).
- Manipulation – While some social engineering attacks work by gaining the victim's trust, others deliberately cause distress as a means of convincing the victim to divulge sensitive data. People under stress are less likely to scrutinize a request for signs that it is illegitimate. Attackers may try to cause emotional turmoil by posing as:
- An IRS representative investigating personal tax information and threatening an audit
- A financial institution presenting an issue regarding deceased relatives’ accounts
- A friend or relative who needs money for a personal situation (e.g., automotive accident, arrest)
Common Forms of Social Engineering
Malicious actors have numerous strategies to choose from when it comes to social engineering. With new methods devised continuously and older strategies adapting to security developments, social engineering attacks pose significant threats to all organizations.
However, some forms of social engineering are far more common than others. When used by novice attackers, these common forms are often crude and easier to detect; experienced social engineers also use them, typically as one stage of a larger, more complex scheme.
Phishing is the most common form of social engineering seen on the internet today. One reason for phishing's prevalence, and that of social engineering attacks in general, is that attackers can send out enormous numbers of attempts and need only a tiny fraction of them to succeed.
Phishing attacks can be launched through nearly any avenue of communication, including:
- Email (by far the most common channel)
- Traditional mail (snail mail)
- SMS text messaging ("smishing")
- Voice communications via landline telephone or mobile device ("vishing")
- Social media messaging
Phishing attempts can occur whenever and wherever you receive messages, which makes phishing a versatile tool in any attacker's toolbox. Although they take various forms, most phishing attacks follow a similar playbook: the message is designed to make you hand over confidential or sensitive information, including:
- Usernames and passwords
- Bank account numbers
- Social Security numbers
- Credit card information
Once the information has been obtained, what happens next is up to the attacker. Some log into the system to look around or download confidential documents. Others open new lines of credit or commit other types of fraud with the stolen personal details.
Spear phishing is an evolved form of phishing aimed at specific targets. Whereas general phishing is sent out broadly to increase the attacker's odds of finding a victim, a spear phishing message is crafted only after the target has been thoroughly researched, so it can reference real colleagues, projects, or vendors and is far harder to dismiss.
This precision makes spear phishing especially useful for attackers going after positions of authority (e.g., C-level executives) or aiming to disrupt services.
While it’s not nearly as common as general phishing attacks, CEO fraud is common enough that it warrants a distinct category. In this scenario, your employees first receive communications—usually in the form of an email—from someone pretending to be the organization’s CEO.
Whereas spear phishing may target a CEO, this type of attack relies on the fraudulent impersonation of the CEO.
The intent differs from attacker to attacker. In some cases, they ask you to "verify" your login credentials for the organization's network. Other times, they ask for your help completing an urgent wire transfer. Regardless of the cover story, these scenarios end the same way: with stolen credentials or stolen funds.
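The CEO-fraud messages described above share a few observable tells: the display name matches an executive while the sending address is external, a Reply-To header quietly routes answers to a different mailbox, the sender domain is a lookalike of the organization's, and the text leans on urgency and secrecy. The following triage script, an added example written for this page rather than code from the original article, checks a raw message for those indicators. The organization domain (`example.com`), the executive list, and both sample messages are constructed assumptions; in practice the script would run on messages handed over by the mail gateway, alongside DMARC/SPF/DKIM results, which remain the authoritative control.

```python
from __future__ import annotations

import email
import re
from email.utils import parseaddr

# Constructed sample, not a real message. The display name matches the CEO,
# the sending address is outside the organisation, and replies are routed
# to yet another mailbox; the body leans on urgency and secrecy.
SUSPECT_EML = """\
From: "Jane Doe" <jane.doe@mail-example.net>
Reply-To: ceo.janedoe@webmail-example.org
To: controller@example.com
Subject: Urgent wire transfer
Date: Mon, 02 Jan 2023 09:14:00 +0000

I am in a meeting and can't take calls. I need you to process a wire
transfer to a new vendor today. Reply by email only; keep this confidential.
"""

# Constructed benign message from the real executive, for comparison.
BENIGN_EML = """\
From: "Jane Doe" <jane.doe@example.com>
To: controller@example.com
Subject: Q3 budget review
Date: Mon, 02 Jan 2023 09:20:00 +0000

Slides for Thursday's review are on the shared drive. Thanks.
"""

URGENCY_TERMS = ("urgent", "today", "confidential", "wire transfer",
                 "can't take calls", "reply by email")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _norm(name: str) -> str:
    """Normalise a display name: lower-case, strip punctuation, collapse spaces."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def analyze_message(raw: str, org_domain: str, executives: list[str]) -> list[str]:
    """Return the list of CEO-fraud indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    org_domain = org_domain.lower()
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name is a known executive, but the address is not ours.
    if _norm(from_name) in {_norm(e) for e in executives} and from_domain != org_domain:
        findings.append("exec_display_name_external_address")

    # 2. Reply-To sends answers to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply_to_domain_mismatch")

    # 3. Sender domain is a lookalike: external, but contains our domain label.
    org_label = org_domain.split(".")[0]
    if from_domain and from_domain != org_domain and org_label in from_domain:
        findings.append("lookalike_sender_domain")

    # 4. Urgency/secrecy pressure in subject and body (two or more terms).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if sum(term in text for term in URGENCY_TERMS) >= 2:
        findings.append("urgency_pressure_language")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EML), ("benign", BENIGN_EML)):
        print(label, analyze_message(raw, "example.com", ["Jane Doe"]))
```

The suspect message trips all four indicators; the benign one trips none. None of these checks proves fraud on its own (a genuine executive may legitimately mail from a personal account), which is why the result should feed a review queue or an out-of-band verification step rather than block silently.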
Pretext scams are among the most advanced and complicated social engineering examples. Like the others, pretexting is a traditional form of social engineering that has been adapted and upgraded for online use.
As the name suggests, a pretext scam, also known as pretexting, uses a fictional story, the pretext, to extract more information from the victim. Most pretexting attacks are launched after the attacker has already uncovered some information, which is what makes the story believable.
For example, a hacker might already possess a user’s login name. If they can convince that individual to disclose their password via a pretexting scam, they’ll have everything they need to log into their account.
Social Media Profile Impersonation
The most popular social media sites block and remove billions of fake accounts every year. While these accounts significantly contribute to data pollution, many have other, much more sinister purposes.
If you’re active on any of the top social media sites, you’ve probably already witnessed profile impersonation in some form or another.
Although some social media profile impersonation cases are harmless, and some are even done jokingly, others can be downright devastating to a user’s career, finances, or personal life.
Quid Pro Quo Scams
Born from the Latin phrase meaning “something for something,” these social engineering scams work by offering a reward or service in exchange for information or cooperation. Of course, the victim never receives the reward, but many hackers have had success with this tactic.
As a social engineering example, a hacker might send one of your employees a fraudulent email disguised to look as if it came from your organization's IT department, offering help (a password reset, a software upgrade) in exchange for the employee's credentials. The victim believes they are communicating directly with your IT staff, but the person on the other end is the attacker.
Baiting
Some hackers prefer to bait their victims with the promise of a deep discount, free software, or another reward. When the victim claims the discount or downloads the "free" software, their system is infected with malware, often ransomware.
It's a common trick that plays on the desire to get something for free. Since most of us love freebies, it also tends to have a high success rate.
Thankfully, you can mitigate most baiting attempts by instituting a policy and technical controls (for example, application allow-listing and blocking unapproved downloads) so that unapproved software cannot run. Additionally, remind your staff of the old adage: "If it's too good to be true, it probably is."
Understanding How Organizations Are at Risk from Social Engineering
Generally speaking, good employees fall for social engineering scams for a few common reasons.
- The best employees tend to be friendly and helpful by nature
- They often trust those who present themselves in a professional manner
- Today’s workplaces are often fast-paced and busy, especially remote environments
- Modern technology is confusing for many employees
- Verifying a requester's identity through supervisors can take hours, days, or weeks, so employees are tempted to skip the check
Since it’s difficult to fault an employee with good intentions, education is often your best defense against social engineering. While your IT staff requires more training than your other employees, it’s still critical that you emphasize the importance of IT security awareness for your entire staff.
The Basics of IT Security Awareness
A comprehensive IT security awareness program involves several facets, but they all begin by providing a basic education that covers the fundamentals of modern IT security:
- Never share your password or other login details with anyone.
- Never open unexpected email attachments, even when the sender appears to be someone you know; a familiar address can be spoofed or the account compromised, so confirm out of band (a phone call, not a reply) before opening.
- Before entering any personal details into a website, verify that the connection uses HTTPS and that the domain is the one you expect. HTTPS alone is not proof of legitimacy: phishing sites routinely use valid certificates.
- Avoid posting personal information on social media, including your place of employment.
- Don’t accept friend requests or invitations from suspicious or unknown profiles.
Depending on your organization's work environment, some of these are more applicable than others. A co-located team working on a managed private network has a smaller social media exposure, but not zero: attackers research employees' public profiles regardless of where those employees sit. With remote and BYOD (i.e., "bring-your-own-device") environments, a user's personal computing habits can have negative consequences for your entire network.
The specific threats that shape your security policy and controls are usually identified during the initial risk assessment every organization should conduct, so you probably already have a good idea of which social engineering attacks you must prevent.
How to Protect Your Organization from Social Engineering
Protecting your organization from social engineering is a difficult task. Individual employees are your first line of defense against hackers and external threats, but you can’t rely on them alone. Instead, your organization needs multi-layered defenses to enhance its cybersecurity.
These layers include:
- Antivirus and firewall protection – Deploy endpoint protection on all user devices and servers and firewalls at the network boundary. You want to put as many obstacles as possible between your internal network and attackers without making things too difficult or slow for authorized users.
- Multifactor authentication (MFA) – Safeguard logins by requiring a second form of authentication alongside the password, typically a time-based code from an authenticator app, a push prompt, or a hardware security key. With MFA, a phished password alone is not enough; the attacker also needs the second factor. Be aware that factors are not equal: codes delivered by SMS or email can be intercepted or relayed by a real-time phishing site, and push prompts can be approved out of fatigue, whereas FIDO2/WebAuthn security keys bind the login to the legitimate site and resist phishing. Prefer app- or hardware-based factors and treat SMS as a last resort.
- Comprehensive identity and access management – Control user access, set authorization levels, and monitor day-to-day activities with identity and access management (IAM).
- End-to-end data encryption – Properly implemented modern encryption cannot be broken without the key in any practical amount of time, so attackers who exfiltrate encrypted data without the key cannot read it. Note the limit, though: social engineering usually yields a legitimate user's credentials or session, and systems decrypt data transparently for an authenticated user. Encryption protects stolen disks, backups, and intercepted traffic far more than it protects against a hijacked account.
- Data backup and recovery planning – Never leave anything to chance. You need to be prepared in case something does happen, so make sure you have an active data backup and recovery plan in place before disaster strikes.
- Best practices and security training – Establish a list of best practices for your staff to follow. Requiring them to report suspicious incidents to the IT or security team is a great starting point; make that reporting path quick and blame-free so that people also report a link they have already clicked. A regular security awareness program, including phishing simulations that mimic real attacks, helps personnel recognize the signs of suspicious activity.
- Compliance – Once your security controls are in place and your policies have been established, it’s time to enforce compliance. Depending on your industry, you might need to maintain compliance with other laws and regulations, like HIPAA.
By implementing a full-scale IT security framework, hackers and other malicious actors will have to defeat multiple controls before gaining access to your network. This alone is often enough to make an attacker look for an easier target elsewhere.
Overcoming Modern Social Engineering Tactics
How are organizations at risk from social engineering? The risk stems from the prevalence of these attacks, their effectiveness, and the fact that technical controls do little to counter people's inherent inclination to trust.
Understanding these points achieves the first step in preventing attacks. While your security team may be responsible for implementing, configuring, and maintaining controls, dedicated security training will better equip all of your employees.
If your organization has been the target of modern social engineering tactics, or if you want to bolster your security to safeguard against such threats in the future, contact RSI Security today for more information.