Social engineering is one of the most sophisticated – and successful – means by which attackers can gain access to your company’s data. These attacks prey on human error and thrive in times of uncertainty. Between February and March 2020, as organizations around the world scrambled to equip their employees to work from home during the first peak of the Coronavirus pandemic, the number of phishing emails spiked by an alarming 667%, according to Barracuda Networks, as attackers made haste in capitalizing on the fear and uncertainty of the moment.
One year later, as many organizations are beginning to think about whether to send their employees back into their offices or to implement a new, hybrid-remote workplace environment, we can expect to see a similarly dramatic increase in the number of social engineering attempts carried out globally.
There are a lot of different methods of social engineering used by cybercriminals to gain access to your company data. Phishing, vishing, SMiShing, whaling and pharming are some of the most common. They’re also some of the most dangerous. But what’s the difference between these attack methods, and how can you protect your organization against them?
Thankfully, defending your employees (and your corporate data) against social engineering isn’t complicated, and it doesn’t need to be expensive. There are a range of solutions on the market designed to keep your company’s email comms secure, but before we can explore the solutions, you first need to understand the nature of the problem itself.
It’s time to dive into the world of phishing.
Phishing And Spear Phishing
Phishing is one of the most prevalent types of social engineering attack that we see today. According to Proofpoint’s latest State of the Phish report, 75% of organizations around the world experienced a phishing attack in 2020, and 74% of US organizations suffered at least one successful one. But what is phishing, and why do these attacks have such a high success rate?
It all comes down to us: the people behind the screens. Phishing attacks exploit two vulnerabilities in an organization: human error, and our global reliance on email communication. The attacker sends an email to their victim, posing as a trusted source or contact, in order to manipulate them into handing over sensitive data such as financial information or login credentials. They usually do this by encouraging the user to click on a URL that takes them to a fake login page, where they enter their credentials for the attacker, or by convincing the user to download a malicious attachment that installs malware such as a keylogger onto their machine, enabling the attacker to steal data by tracking their keystrokes.
Traditional phishing attempts target hundreds or even thousands of recipients at once. Because of this, the message is impersonal and often irrelevant to the recipient, which makes it fairly easy to spot. For example:
People are interacting with your latest LinkedIn post! Click here to view it.
If the recipient of the above message doesn’t have LinkedIn, or hasn’t posted recently, they’ll quickly realize that the message is fraudulent. So attackers have developed a more sophisticated way of getting what they want from their victims: spear phishing.
Spear phishing attacks target one user at a time. The attacker puts a lot more effort into learning about their victim, including the details of their job role and the people they connect with on a regular basis. This enables the attacker to send a highly personalized email that’s much more difficult to detect. For example:
Hi Alice, I’ve lost the login details for the shared drive. Would you mind sending them over to me when you get a minute? Cheers, Chuck.
Hi Bob, we’ve got an outstanding PO for one of our temps. Could you please fill this in so I can send it back to the agency? Thanks! Mallory.
These types of emails are often sophisticated enough to evade traditional email filtering solutions, and require a multi-layered security architecture to mitigate – including security at the human layer. But we’ll come to that later.
Recent research has shown that 96% of phishing attacks are delivered by email, but it’s important to be aware of the other channels attackers can use to get at your organization’s data. This brings us to vishing and SMiShing.
Vishing
Vishing, or voice phishing, is a type of phishing attack that uses a phone call rather than an email to trick victims into handing over sensitive information. In a vishing attack, the bad actor calls their target and uses social engineering tactics to manipulate them into giving up credentials or financial information. These tactics often involve invoking a deadline or time limit to create a sense of urgency, or impersonating someone with authority so that the user feels they have no choice but to comply.
To make the vishing attempt harder to detect, attackers often use Voice over Internet Protocol (VoIP) features such as caller ID spoofing to disguise their true identities. The number on the display is therefore no proof of who is calling, and you are left verifying the caller on what they say and how familiar their voice sounds. Email at least gives you something to check: the sender’s address and domain, and the authentication results (SPF, DKIM and DMARC) that your mail gateway records against them. Bear in mind that the visible From: address can be forged too, so a domain that merely looks right is not enough on its own.
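As an added illustration (this is not code from the original article), the following Python script performs that check over a raw message: it reads the Authentication-Results header that a receiving gateway stamps on mail (RFC 8601), ignores any copy not written by our own gateway, and tests whether the SPF and DKIM results are aligned with the domain shown in From:. The authserv-id "mx.example.com", the domains and the sample message are all constructed for the example.

```python
"""Check whether the visible From: address of an email was actually authenticated.

Added example for this article, not code from it. Assumed: our gateway's
authserv-id is "mx.example.com"; the sample message below is constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.com"  # assumption: the authserv-id our own gateway writes


def domain_of(addr: str) -> str:
    """Lower-cased domain of 'user@Example.COM'; a bare domain is returned as-is."""
    return addr.rpartition("@")[2].strip().lower()


def aligned(auth_domain: str, from_domain: str) -> bool:
    """DMARC 'relaxed' alignment: same domain, or one is a subdomain of the other."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))


def parse_auth_results(values):
    """Map method -> (result, properties) from trusted Authentication-Results headers.

    Headers whose authserv-id is not ours are dropped: an attacker can pre-insert a
    forged 'dmarc=pass' header, and not every gateway strips them on receipt.
    """
    results = {}
    for value in values:
        value = " ".join(str(value).split())  # unfold and collapse whitespace
        authserv, _, clauses = value.partition(";")
        if authserv.strip().split(" ")[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        for clause in clauses.split(";"):
            pairs = re.findall(r"([\w.-]+)=([^\s();]+)", clause)
            if not pairs:
                continue
            method, result = pairs[0]
            results[method.lower()] = (result.lower(), {k.lower(): v for k, v in pairs[1:]})
    return results


def assess_sender(raw_message: str) -> dict:
    """Return the authentication verdict plus the red flags a reader cannot see at a glance."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    auth = parse_auth_results(msg.get_all("Authentication-Results", []))

    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    dmarc_result, _ = auth.get("dmarc", ("none", {}))

    # 'pass' alone is meaningless: SPF covers the envelope sender and DKIM the signing
    # domain; neither has to match the From: header unless it is aligned with it.
    spf_aligned = spf_result == "pass" and aligned(
        domain_of(spf_props.get("smtp.mailfrom", "")), from_domain)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_props.get("header.d", ""), from_domain)

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reply_to_domain = domain_of(reply_to) if reply_to else from_domain

    reasons = []
    if not (spf_aligned or dkim_aligned):
        reasons.append("neither SPF nor DKIM is aligned with the From: domain")
    if dmarc_result != "pass":
        reasons.append(f"DMARC result is '{dmarc_result}'")
    if reply_to_domain != from_domain:
        reasons.append(f"Reply-To steers replies to {reply_to_domain}, not {from_domain}")

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "spf": spf_result, "spf_aligned": spf_aligned,
        "dkim": dkim_result, "dkim_aligned": dkim_aligned,
        "dmarc": dmarc_result,
        "reply_to_domain": reply_to_domain,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: the attacker mails from infrastructure they control, forges the
# visible From: to the CFO's address, and pre-inserts a fake Authentication-Results
# header. SPF and DKIM both "pass", but for the attacker's domain, not the From: domain.
SAMPLE_MESSAGE = """\
Authentication-Results: attacker-relay.invalid; dmarc=pass header.from=example.com
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce.exampl3-invoices.net;
 dkim=pass header.d=exampl3-invoices.net header.i=@exampl3-invoices.net;
 dmarc=fail (p=none) header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@exampl3-invoices.net
To: bob@example.com
Subject: Urgent: outstanding PO for agency temp

Hi Bob, could you fill in the attached PO so I can return it to the agency today?
"""

if __name__ == "__main__":
    for key, value in assess_sender(SAMPLE_MESSAGE).items():
        print(f"{key:>16}: {value}")
```

Running it shows the trap: both SPF and DKIM report pass, but for the attacker’s domain, so the address the user sees was never authenticated, and the forged header claiming dmarc=pass is discarded because it was not written by our gateway. A gateway enforcing DMARC would have rejected this message; where the spoofed domain publishes p=none, this is the check a post-delivery layer or an analyst has to make instead.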
Vishing is commonly used by attackers trying to gain access to bank accounts, but there have also been examples of attackers using audio deepfakes to carry out vishing attempts targeted at businesses. Deepfakes are fraudulent images, voice clips and videos that look or sound like the real thing. They use a branch of artificial intelligence called “deep learning” to analyze what the source material looks or sounds like, and replicate that onto another image, video or sound bite, making it appear to be an original. In deepfake vishing attacks, the imposter usually poses as a manager or C-level executive and asks their victim to complete an urgent transfer of money or data.
We’ll go through solutions to mitigate vishing attacks later, but for now here is one piece of advice to share with your employees that could save your organization a staggering 3.86 million dollars (the average cost of a data breach in IBM’s 2020 Cost of a Data Breach report): before sharing anything sensitive, verify the requester out of band. Contact them through a second channel that you have used with them before, using contact details you already hold rather than any number or address supplied in the suspicious message. If you can, ask a question only they could answer. If neither is possible, confirm with two other people in your organization that the request really came from that person at that email address or phone number; an attacker is unlikely to have compromised several accounts at once.
SMiShing
SMiShing is another type of phishing attack that tricks unsuspecting victims into handing over sensitive information via fraudulent SMS messages. This form of phishing is less common in the corporate world than spear phishing and vishing, but it could become more of a threat as bring-your-own-device (BYOD) spreads through work environments.
SMiShing attempts generally follow one of two patterns:
- The attacker encourages their target to open a URL sent in a text. The URL then takes them to a fraudulent credential logging page, or a download page that installs malware onto the user’s device.
- The attacker encourages their target to call a specified number about whatever the message claims. These calls either end with the attacker requesting sensitive information over the phone, as in a vishing attempt, or go to a premium-rate number, leaving the user with a hefty phone bill.
When it comes to SMiShing, attackers usually impersonate brands to gain the trust of their victims. According to Check Point’s brand phishing report for Q4 2020 (which covers phishing across all channels, not just SMS), Microsoft was the most impersonated brand globally, appearing in 43% of brand phishing attempts, followed by DHL (18%), LinkedIn (6%) and Amazon (5%). With more people than ever relying on Microsoft’s suite of cloud applications to create a virtual workplace, it’s easy to see why attackers exploit the name.
Whaling
Whaling is phishing for a more lucrative target. In whaling attempts, attackers use spear phishing techniques against high-profile employees, such as C-level executives, to manipulate them into sending high-value wire transfers to the attacker.
Attackers can carry out whaling as a stand-alone attack, or they can target their “whales” via Business Email Compromise (BEC). In a BEC or “man-in-the-email” attack the bad actor either takes over a genuine corporate mailbox, by brute-forcing or phishing the owner’s credentials, or writes from a lookalike domain registered to pass for the company’s own. Once inside a real account, the attacker impersonates the account owner and manipulates other members of the organization and its stakeholders into sending money or sensitive data. BEC attacks take longer to set up, but they are more likely to succeed against high-profile victims because the email genuinely comes from within the organization and is therefore (mistakenly!) trusted. It also sails past sender-authentication checks, since the mail really is sent by the company’s own servers.
Pharming
Last but not least, we come to pharming, also known as “phishing without a lure” – the lure being the email. Pharming is an advanced form of social engineering in which the attacker creates a fake website, such as a “Microsoft” login portal, and then tampers with name resolution so that users typing the genuine address are sent to it: by poisoning a DNS resolver’s cache, changing the DNS settings on a compromised home router, or editing the hosts file on an infected machine. Once they arrive on the page, the target is prompted to enter their credentials or financial information, which are then sent directly to the attacker. Because the browser still shows the expected domain, the usual “check the address bar” advice does not help; a certificate warning, or a login page served over plain HTTP, is often the only visible sign.
Pharming doesn’t target one person specifically – it simply redirects traffic from a genuine website to a seemingly identical, spoofed page, in order to steal visitors’ information.
The case usually cited here is the British Airways breach of 2018, in which attackers stole the data of over 500,000 customers between April and September. Strictly speaking it was web skimming rather than pharming: the attackers did not touch DNS, but modified JavaScript served by BA’s own payment pages so that card details typed into the genuine site were copied to a lookalike domain under their control. From the customer’s point of view the result was the same as pharming: they went to the real address and still lost their financial information, which is why neither attack can be spotted by checking the URL. The ICO found that BA’s security failings allowed the breach and, under the GDPR, fined the airline 20 million pounds in October 2020: at the time, the largest fine the Information Commissioner’s Office had issued.
How Can You Stop Social Engineering Attacks?
The first step in combatting social engineering attacks is in knowing that these attacks exist and understanding how they work. The second step is implementing a strong email security architecture to help prevent your employees from receiving malicious content in the first place, and to encourage them not to open any suspicious messages that do slip through.
There are three main types of solution that will help you to protect your organization’s inboxes: secure email gateways, post-delivery protection platforms, and security awareness training solutions.
Secure Email Gateway
Secure email gateways (SEGs) sit in the mail flow, usually as the destination your domain’s MX records point at, and scan your employees’ inbound and outbound email for spam, phishing and malware. Malicious content is blocked or quarantined so that it never reaches its intended victim.
Imagine that your network is a castle. The SEG is the towering stone wall that prevents external threats from reaching the data stored safely inside. But unfortunately, as pop culture has taught us, threats to your kingdom don’t always come from the outside (looking at you, Cersei Lannister). While gateway solutions do a great job at fending off spam and traditional phishing attempts, sophisticated spear phishing attacks can breach even the most advanced SEGs.
To defend your data kingdom against the Lannisters of the cybersecurity world, you need to add another layer of protection that secures user accounts at an individual, internal level.
Post-Delivery Protection
Post-delivery protection (PDP) solutions sit within your email environment, typically connected to the mail platform by API rather than in the delivery path, and look for malicious content that has already slipped past the SEG. They use machine learning to build a model of each employee’s normal communication patterns (who writes to them, from which addresses and domains, about what), then scan inbound, outbound and internal mail for anomalies: a familiar name from an unfamiliar address, a lookalike domain, an unusual request, or a Reply-To that diverts the conversation.
If your SEG is the castle wall, your PDP solution is the patrol of soldiers that stand guard within the courtyards and passages. The SEG let in an imposter because they were pretending to be an innocent tradesperson; the PDP solution knows that traders only come on a Saturday.
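To make the patrol less abstract, here is an added example (not code from the article or from any product) of the kind of checks a post-delivery layer runs once it has a baseline of who normally writes to a mailbox. It also covers the lookalike-domain trick used in the BEC and whaling attacks described above. The history, inbox, names and domains are all constructed, and the confusable-character table is deliberately small.

```python
# Post-delivery anomaly checks over a mailbox. Added example, not code from the
# article or any vendor; all names, domains and message history are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import unicodedata


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str = ""
    subject: str = ""


# ASCII look-alikes folded to the letter they imitate (lossy, but applied to both sides)
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain: str) -> str:
    """Fold case, Unicode compatibility forms and the ASCII confusables above."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming; inputs are short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None. Trusted domains and their
    subdomains never count; otherwise match within one edit after normalization
    (examp1e.com, exanple.com) or on an embedded brand label (example-invoices.net)."""
    domain = domain.lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None
    norm = normalize_domain(domain)
    candidates = []
    for t in sorted(trusted):  # sorted so ties resolve deterministically
        tn = normalize_domain(t)
        dist = edit_distance(norm, tn)
        if dist <= 1:
            candidates.append((dist, t))
        elif any(tn.split(".")[0] in label for label in norm.split(".")):
            candidates.append((2, t))
    return min(candidates)[1] if candidates else None


def build_baseline(history):
    """Display name -> set of addresses that name has genuinely written from."""
    seen = defaultdict(set)
    for m in history:
        seen[m.display_name.lower()].add(m.from_addr.lower())
    return seen


def check_message(msg: Message, baseline, trusted) -> list:
    """Anomalies a post-delivery check would raise for one delivered message."""
    findings = []
    addr = msg.from_addr.lower()
    domain = addr.rpartition("@")[2]
    known = baseline.get(msg.display_name.lower())
    if known and addr not in known:
        findings.append(f"'{msg.display_name}' normally writes from {sorted(known)}, not {addr}")
    imitated = lookalike_of(domain, trusted)
    if imitated:
        findings.append(f"sender domain {domain} imitates {imitated}")
    if msg.reply_to and msg.reply_to.lower().rpartition("@")[2] != domain:
        findings.append(f"replies are steered to {msg.reply_to}")
    return findings


def triage(history, inbox, trusted):
    """Run the checks over every new message; returns [(message, findings), ...]."""
    baseline = build_baseline(history)
    return [(m, check_message(m, baseline, trusted)) for m in inbox]


# Constructed data: the mailbox's own org is example.com, its staffing agency example.net.
TRUSTED_DOMAINS = {"example.com", "example.net"}
HISTORY = [
    Message("Alice Smith", "alice.smith@example.com", subject="Weekly sync"),
    Message("Alice Smith", "alice.smith@example.com", subject="Budget"),
    Message("Agency Payroll", "payroll@example.net", subject="Timesheets"),
]
INBOX = [
    Message("Alice Smith", "alice.smith@webmail.invalid", subject="Lost the shared drive login"),
    Message("Agency Payroll", "payroll@exarnple.net", subject="Outstanding PO"),
    Message("Bob Jones", "bob.jones@example.com", "bob.jones@webmail.invalid", "Invoice"),
    Message("Alice Smith", "alice.smith@example.com", subject="Re: Budget"),
]

if __name__ == "__main__":
    for msg, findings in triage(HISTORY, INBOX, TRUSTED_DOMAINS):
        print("FLAG" if findings else "ok  ", repr(msg.subject), "; ".join(findings) or "no anomalies")
```

The first inbox message is the "Hi Alice" spear phish from earlier in the article seen from the other side: a name the baseline knows, arriving from an address it has never used. The second is the agency impersonated from exarnple.net, which folds to example.net once "rn" is read as "m". The third passes every sender check because it really comes from the company’s own domain, and is caught only by the Reply-To diverting the conversation. None of this needs the gateway to have failed; it is a second layer that works on context the gateway does not have.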
Security Awareness Training
We’ve already discussed how the first step in defending against social engineering attacks is in knowing that these attacks exist. However, it isn’t enough for you alone to know about them; you also need to educate the rest of your organization.
Security awareness training platforms and dedicated phishing awareness training and simulation programs are designed to transform your employees from security vulnerabilities into a strong line of defense against phishing attacks. They do this by teaching users how to spot the signs of an attack, and how to respond to any suspicious inbox activity.
Awareness training programs combine engaging learning materials, such as infographics, video courses, and quizzes, with simulated phishing attacks, in order to allow users to experience an “attack” first-hand and practice mitigating attacks in a safe environment. If users fail to report the simulation or, worse, click on a malicious link or attachment, they’re directed to a page that makes them aware of their error and shows them how they should have responded.
These solutions also feature a wealth of management and reporting tools, which admins can use to monitor their organization’s state of security as a whole and at an individual level, and assign further training to those who need it.
As for whether training actually works… A recent report from Cofense found that employees who have undergone security awareness training are far more likely to report a suspicious email than those who haven’t, greatly reducing the dwell time of a phishing email: the time it sits in inboxes before it is detected and removed. More generally, dwell time is the elapsed time between an attacker gaining a foothold and the intrusion being detected and dealt with; it is tracked through two metrics, the mean time to detect an attack (MTTD) and the mean time to remediate it (MTTR).
When employees have completed a training program, the dwell time of an attack decreases dramatically, because trained employees are much quicker to report phishing attempts. According to Cofense’s study, which analyzed millions of results from its simulated phishing campaigns, 82% of trained employees reported a simulated phish within an hour, 52% within 5 minutes, and 19% within 30 seconds of receiving it.
The quicker malicious content is reported, the quicker it’s removed from everyone else’s inboxes, and the less likely another employee is to open it.
Having read this article, you’re one step closer to protecting your organization against phishing attacks than you were five minutes ago. But you’re not quite there yet.
The best way to combat sophisticated social engineering attempts is by implementing a multi-layered security architecture comprising both technical and human-centric solutions – i.e., combining artificial and human intelligence.
There are a lot of products on the market that will help you protect your employees’ inboxes, but it’s important that you find the one that’ll best meet your security needs. We’ve put together guides to the top phishing protection solutions and the top security awareness training platforms to help you get started.