Social engineering is a tactic threat actors use to manipulate targeted end users into giving them what they want. Their goals can range from obtaining information, to getting malware onto targets’ devices, to stealing valuable data and money. Rather than relying on advanced technical tactics, social engineering, as the name implies, works by socially persuading end users to do what the attacker needs.
What Is Social Engineering?
Specifically in the realm of security and cybersecurity, social engineering is the act of using psychological tactics to manipulate targets (in this case, an organization’s users) into handing over valuable information, data, or money, or into performing a certain action. Social engineering almost always involves threat actors hiding their identities and posing as trusted figures, either real or invented, in order to achieve these goals.
So, what does that mean in practice?
While most threat actors rely on technology to infiltrate company networks, social engineering capitalizes on human error. Human error is when users make honest mistakes, not out of malice but from a lapse in judgment, tiredness, being overworked, or being too busy to take a second look at something. These moments of human error can result in a user giving out sensitive data or making a bogus payment without thinking it through. Socially engineered scams can also be mass produced (phishing emails, for example), increasing the chance that the scam finds some success.
Put simply, if an email-based attack dupes a computer, it’s a technology-based attack. If it dupes a person, it’s a socially engineered attack. Socially engineered attacks can often be more efficient and successful at opening a doorway into your network for threat actors to take advantage of. With a user permitting access to the network, the attacker can bypass traditional security tools. But what do socially engineered threats look like?
Types Of Socially Engineered Attacks
Social engineering comes in a wide range of evolving forms, all of which can pose a serious threat to your business.
Phishing Attacks
Cisco’s 2021 Cybersecurity Threat Trends report revealed that 86% of companies worldwide had a case of a user falling prey to a phishing scam. Roughly 60% of companies that had experienced a phishing scam had lost data. Phishing relies heavily on impersonation. Impersonation, at its simplest, is a person pretending to be someone they’re not for some type of gain. A threat actor will pose as a trusted figure or company in order to persuade a user that the account is genuine and that they should share sensitive data. This can be done by purchasing similar email domains (hotnail instead of hotmail, and so on), creating fake companies, and similar means.
Here are the different kinds of phishing scams that companies see:
Phishing
In this instance, an attacker sends a fraudulent email message, going to great lengths to convince the recipient that it is genuine and from a trusted source. The goal is to trick the recipient into downloading malware or other harmful code (by clicking fake URL links or opening malicious files), into handing over valuable data or information, or into sending money.
Phishing can take a variety of forms, including business email compromise (BEC), where a business email account is either taken over or impersonated. Spear phishing is a more finely targeted approach, often focusing on a particular organization or a specific individual within it. Whaling is a highly targeted version of phishing that focuses specifically on high-ranking employees, such as those in the C-suite or other executive positions, in order to steal large sums of money or highly sensitive information. Of the three, whaling attacks tend to be the most sophisticated, because of the level of security that privileged accounts have.
Vishing
One of the newer attacks on the scene is vishing, otherwise known as voice phishing. Vishing is when a threat actor makes phone calls or leaves voice messages in which they impersonate a reputable company or a specific individual from a particular business. The attacker then tries to get the user to hand over personal or company information. This is most commonly used to trick members of the public into giving up banking information. There have, however, been reports of vishing in the business world as well.
A simple example would be someone posing as an employee and calling the help desk for login credentials because they had “forgotten” theirs. When the help desk resets the account, the attacker gains access. In one case, a voice deepfake was used to scam a CEO out of 243,000. While this vishing-based whaling attack might have been the first of its kind, rest assured, it won’t be the last.
Smishing
In the same vein as phishing and vishing, smishing is an impersonation attack carried out through SMS text messages. Threat actors often pose as a representative of, or as an automated message from, a reputable company in order to get the recipient to reveal personal information (such as passwords, credit card details, or bank account information) or to click on a malicious link sent in the SMS message.
In a lot of these cases, threat actors go to great lengths to make the message appear legitimate. This might entail buying domains whose names look similar at first glance but are ever so slightly different upon inspection; think Gooogle with three o’s instead of Google. Their success lies in the assumption that recipients won’t inspect the sender information too closely.
Phishing-based social engineering relies on creating a sense of urgency. Targeted employees are often contacted with a message in a strongly urgent tone, telling them to “act now” to protect their account. This gets the recipient to panic and act without thinking, or without going through the regular channels, in order to complete the task quickly. For example, someone from the C-suite asks for a payment that has to be made immediately while they’re away at a conference. Because the message seemingly comes from someone in charge, the end user sees no need to question it. The attacker will ask for this to be done quickly and discreetly, as it’s important that the payment is handled fast.
Other Types Of Social Engineering Attacks
Baiting
In cases of baiting, attackers leave a physical device (such as a hard drive or USB stick) in a conspicuous place where it is sure to be found. It might even be labelled with something innocuous, so that an unsuspecting user picks it up and plugs it into their device to find out what it is and who it belongs to. The device carries harmful code, such as malware or ransomware, and once inserted into a computer it installs this code and begins to affect the company network.
Tailgating
It’s often been said that you can go far with confidence and the right outfit. This also applies to social engineering. Tailgating is a tactic that is worryingly becoming more frequent, though it is still uncommon. Tailgating is essentially a threat actor physically entering a target company’s building in order to gain access to information and data on the premises by physically accessing the company’s network. Tailgating can be achieved by employees holding a door open for the threat actor, assuming they work there, or by the threat actor convincing admin desk workers that they have simply forgotten their pass that day.
Tailgating presents a lot of questions about what we consider our security borders to look like and how we need to treat the network as not just a virtual concept but a physical one as well.
Quid Pro Quo
In a similar vein to vishing, this attack involves a threat actor pretending to offer something of value (a service or product) in exchange for information, data, or assistance from a target individual. The tactic makes targets believe they are getting something in return for providing what has been asked; for example, an attacker posing as someone from the admin team and pretending to help a user with a tech issue in order to get the user to unwittingly install malware or ransomware.
Scareware
This tactic relies on tricking a victim into thinking their device is infected or that they have downloaded something harmful. The attacker then offers a way of fixing the issue that grants them access to the network or lets them install malware on the device. A common version of this attack tells users that they have downloaded something illegal to their computer and need to pay a fee or download something else to remediate the issue. Scaring the individual often gets them to panic and act without thinking.
Watering Hole
Particularly savvy attackers can, over time, identify particular websites that a certain group of people within an organization tend to visit. The attacker then infects this collection of popular, specific websites with harmful code or inserts links, intending that these users mistake the harmful code on the website for legitimate content and click on it, thereby granting the threat actor access to the company network.
How To Prevent Social Engineering
So how do you safeguard against what is, by and large, employees committing genuine and honest mistakes? Fortunately, there are a range of steps your business can take in order to prevent or minimize breaches and subsequent data or financial loss from socially engineered threats.
It wasn’t until recently that socially engineered threats could potentially be prevented using technological means. Socially engineered threats were once thought impossible for security tools to scan for, but the tide is turning. Now, more of the software built into email security tools uses machine learning and artificial intelligence to detect, remediate, and restrict instances of social engineering.
Secure Email Gateways
Secure email gateways (SEGs) are a critical component of your email security infrastructure. At a base level, they act as a firewall for email communication. They enforce pre-set, configured policies on what emails and content can enter or leave the email server. They work by scanning all inbound and outbound emails to prevent anything malicious from reaching your users’ inboxes and anything sensitive from leaving the network when it shouldn’t.
They play a crucial role in spam filtering and can protect businesses from gray mail, viruses, malware, and more. They can offer advanced protection from socially engineered attacks like phishing and BEC (business email compromise). SEGs scan the contents of all emails (inbound, outbound, and internal), including attachments and URLs, for anything that can be deemed harmful or malicious. Anything flagged by the SEG can either be blocked immediately or quarantined for sandboxing and further analysis. Some SEGs also perform time-of-click URL analysis: this checks a URL at the time it is accessed, so a site that was clean when the SEG first classed it as “safe” but has since been compromised is still caught when the user clicks. URLs can be checked against lists to see whether they match a trusted domain or whether they look too similar to an existing domain and might be trying to fool users.
Read our guide to the top 10 secure email gateways here.
Anti-Phishing Solutions
Secure email gateways, as with all cybersecurity solutions, are not 100% perfect. They act as a basic firewall designed to filter out spam and some other inbound threats. The security they offer is quite basic and works best in conjunction with other email security measures. One such measure is anti-phishing tools.
Anti-phishing tools go a step further and detect whether an inbound email has come from a spoofed domain or has a spoofed header. Spoofing is a technical process that masks an email’s origin information to convince recipients it came from a different location. As mentioned above, attackers will go to great lengths to make an email appear legitimate and to appear to come from a legitimate source. This can be anything from creating lookalike graphics, to finding a real individual within the company to impersonate, to spoofing the company’s email domain name so that, at first glance, it appears legitimate.
Anti-phishing solutions can flag and notify users when an email like this appears in their inbox, using machine learning and artificial intelligence to scan domains, IP packets, and more. If anything has been spoofed or impersonated, it can be flagged; the AI may check whether the domain name matches an existing trusted domain that users have already interacted with. If an email has come from a location that doesn’t match its purported origin, the solution can block the incoming mail and flag it to the admin team. This stops the email from reaching the user’s inbox and thus prevents any chance of them falling prey to social engineering.
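To make these two checks concrete, here is a small added example (written for this article, not code from any secure email gateway or anti-phishing vendor) that runs the lookalike-domain comparison described in the secure email gateway section and the spoofed-header checks described just above over two constructed email messages. The trusted-domain list, the homoglyph table, and both sample messages are made up for the demonstration; the domain comparison deliberately skips public-suffix handling, and a production gateway would do far more than this.

```python
"""Lookalike-domain and spoofed-header checks over constructed email headers."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of the organisation's own and partner domains (constructed).
TRUSTED_DOMAINS = {"example.com", "hotmail.com", "google.com"}

# Character substitutions commonly used to make one domain look like another.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold common look-alike characters so 'g00gle' compares equal to 'google'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<target>' or 'unknown' for a sender domain."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # Compare names without the last label so 'gooogle.co' still matches google.
        # Simplification: no public-suffix list, so 'co.uk' domains are handled crudely.
        d_name, t_name = domain.rsplit(".", 1)[0], t.rsplit(".", 1)[0]
        if normalize(d_name) == normalize(t_name) or levenshtein(d_name, t_name) == 1:
            return f"lookalike:{t}"
    return "unknown"


def _domain_of(addr_header) -> str:
    """Extract the domain part of an address header such as From or Return-Path."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw: str) -> list:
    """Run the lookalike and spoofing checks over one raw message; return findings."""
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain_of(msg.get("From"))
    rp_domain = _domain_of(msg.get("Return-Path"))

    verdict = classify_domain(from_domain)
    if verdict.startswith("lookalike:"):
        findings.append(f"From domain {from_domain} impersonates {verdict.split(':', 1)[1]}")

    # A visible From domain that differs from the envelope sender is a spoofing signal.
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # Any SPF/DKIM/DMARC result other than 'pass' recorded by the receiving MTA is reported.
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()} result is {result.lower()}")
    return findings


# Constructed sample: lookalike sender domain, mismatched envelope, failed authentication.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer-hosting.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-hosting.net; dkim=none; dmarc=fail (p=NONE) header.from=hotnail.com
From: "IT Support" <helpdesk@hotnail.com>
To: alice@example.com
Subject: Act now: your account will be locked

Please verify your account.
"""

# Constructed sample: internal mail that passes every check.
SAMPLE_LEGIT = """\
Return-Path: <bob@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch?

Noon works.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_headers(sample) or ["no findings"])
```

The edit-distance and homoglyph checks are the part a gateway applies when it asks whether a sender domain "looks too similar" to a trusted one; the Return-Path and Authentication-Results checks are the cheap header-level spoofing signals an anti-phishing layer reads before any machine-learning model is involved.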
Read our guide to the top 10 phishing protection solutions.
Managing Users’ Online Presence
You can learn a lot from the internet these days. If you’re particularly savvy and know where to look, you can learn a lot about specific individuals. Our lives have become more connected and more open than ever before thanks to social media. That is not necessarily a good thing. It’s unethical to ask your employees to restrict what they post on their personal social media accounts, but making sure your employees post limited information about their work on their socials, including LinkedIn, is a good way to prevent threat actors from building up credible stories or gathering information about particular users in order to impersonate them.
Multi-Factor Authentication
Multi-factor authentication (MFA) provides an extra layer of defense at the point of sign-in for your users. By requiring at least two authentication methods, you can prevent socially engineered attacks and opportunities for impersonation (as well as a plethora of other cybersecurity issues). MFA can also ensure that an attacker cannot gain access to an email account in your network and then use it as a platform for phishing attacks.
Multi-factor authentication requires your users to confirm their identity in another way, in addition to traditional usernames and passwords. Users are also prompted to supply another factor, like a one-time password, biometric information, or an answer to a question only they know. It’s an easy, inexpensive way of having your users confirm they really are who they say they are, and not a threat actor impersonating them and taking over their account.
Read our article here on the top 11 multi-factor authentication (MFA) solutions for business.
Next-Generation Firewalls
Threat actors might create fake websites to encourage users to either click and download harmful code, enter login credentials and other sensitive information, or unwittingly make fraudulent payments. Spoofed domains and websites can be highly sophisticated, with plenty of time, money, and effort on the attackers’ behalf to make the websites appear legitimate. Beyond lapses in judgment and users feeling pressured, sometimes even the trained eye can’t differentiate between a malicious fake website and the real thing.
The solution? Next-generation firewalls (NGFWs). These are advanced, cloud-based firewalls that go one step beyond traditional stateful firewalls by offering more robust security features. Traditional firewalls provide stateful inspection of all network traffic, allowing or blocking traffic based on ports, protocols, and connection state. They filter traffic based on predetermined rules and policies.
Next-generation firewalls, on the other hand, contain a number of security features that protect your business from website-based social engineering attacks, including deep packet inspection, sandboxing, intrusion prevention capabilities, and the use of threat intelligence feeds. They also perform standard firewall functions such as stateful inspection, block risky applications and websites, warn users and prevent them from downloading anything harmful from a website, and alert users that parts of the website they are navigating may be unsafe. Another added benefit is that they alert admins to any attempts to install malware on user devices.
Read our guide to the top 11 network firewalls.
Browser Isolation Tools
The web can be like the wild west. It’s not always safe, and even if it looks reputable, not every website is trustworthy. Banning every website that may or may not contain harmful code is not, however, the answer. This could have a negative impact on your users’ productivity, especially if internet browsing is a key component of their work.
This is where browser isolation tools are invaluable. Browser isolation (sometimes known as web isolation) essentially isolates a user’s internet browsing session from their device and their company network, protecting the user and the network from any harmful code that may be embedded on the website or ready to automatically download itself onto the user’s device.
The browser isolation tool quarantines and sandboxes a user’s browsing session so that it is isolated from the network. This means that a fake website won’t be able to download and run any harmful code that may be hidden in its pages. Browser isolation can protect devices from threats like malware, ransomware, zero-day exploits, browser vulnerabilities, and infected file downloads that result from a user mistaking a website for something benign and legitimate. This is particularly useful in curbing watering hole attacks.
Compare the top 10 browser isolation solutions with our buyers’ guide.
Security Awareness Training
Security awareness training (SAT) is a specialized form of education for workforces, designed to educate employees on cybersecurity issues. It is essentially a cybersecurity training program, deployed by a company’s admin team, that educates and trains users on a series of potential risks and dangers, and explains their role in mitigating these. One of the big takeaways from security awareness training is how to appropriately respond to and deal with instances of social engineering.
The core problem with socially engineered attacks is that they often slip past the security measures already in place. They don’t carry anomalous code or content that could be flagged by security tools and processes. This means that the last line of defense between your company and a data breach is your employees. As such, employees should be properly trained on how to deal with these situations. SAT teaches employees the tell-tale signs of social engineering: what to look for, to be suspicious of any tone of urgency or of someone asking for things without clearance, and to be wary of unknown or unsolicited files and links. The goal is to get users to think critically about what comes through their inboxes, so that when a phishing email does appear, they’re prepared to deal with it effectively.
Traditionally, legacy SAT programs focused solely on email- and web-borne threats. However, the business world, and how it communicates, has changed a lot since these programs were first made. Now, we use a plethora of communication and collaboration tools to converse with clients, customers, and colleagues. Text messages, video calls, WhatsApp, Slack, SharePoint, and OneDrive are just a few examples of business tools that are used daily. Each of these presents a new opportunity for threat actors to take advantage of.
For more on security awareness training – what it is, how it works, what features to look for when choosing a SAT provider, and what you should ask when demoing solutions – check out our blog here:
Ten Questions To Ask When Choosing A Security Awareness Training (SAT) Solution.
Simulating Social Engineering Attacks
After putting your employees through security awareness training, the next step in holistically safeguarding your business from socially engineered attacks is to reinforce and strengthen this knowledge through phishing simulations.
Phishing simulations are essentially practical training exercises that are often designed to go hand in hand with a company’s chosen security awareness training program. In the simulation, fake phishing messages are sent to your users to check whether they can recognize the tell-tale features and whether they respond in the appropriate way. Usually, simulations will be part of the SAT itself. Phishing simulations can be configured to be deployed immediately after your employees have finished their training. In sum, where SAT gives users tools, simulations help them practice with these tools in a safe environment.
It’s worth noting that while a lot of SAT solutions come with phishing simulations as part of the package, not all of them do. When shopping around for a SAT program that suits your business, it’s important to make sure that it comes with phishing simulation attached. It’s better to opt for a cohesive, integrated platform that offers both: it makes tracking your users’ progress and training modules easier in the long run, the platform is easier to manage, and it costs less than paying for two separate programs.
Read our guide to the top 10 phishing simulation solutions.
Summary
Social engineering is a difficult issue to tackle, as it subverts the traditional phishing methods that we’re all used to. Technology is advancing all the time, and security tools are getting more adept at spotting instances of social engineering by leveraging machine learning and artificial intelligence, but we’re not 100% secure yet. With appropriate training for your employees and the right tools in place, however, you can mitigate the impact socially engineered attacks can have on your company. For something that relies on human error and sidesteps traditional security measures, tackling social engineering needs a holistic and versatile approach.
Through combining security awareness training, phishing and socially engineered attack simulations, and advanced AI-powered security tools, companies can take a step towards successfully mitigating and preventing the devastating impact social engineering can have on their networks and businesses.