EXECUTIVE SUMMARY:

In a social engineering attack, a cyber attacker leverages his/her social skills in order to obtain confidential information. This information may pertain to an individual or to an organization.

Social engineering is a challenging area of cyber crime to disrupt, as social engineering can take numerous forms and primarily occurs due to human error or coercion.

What is the best countermeasure against social engineering?

Very broadly, one of the best counter measures in regards to social engineering involves educating your employees about what it is, why it’s hazardous, and how to avoid social engineers. There are multiple ways in which to educate employees. Consider providing your employees with information about:

Social media-based engineering. Several significant cyber security breaches have occurred within large institutions due to scams curated through social media.

Because personal social media accounts are owned and operated by employees, managing the information that people share is next to impossible. However, you can provide information about the genuine dangers associated with oversharing information. You can also provide insights concerning tell-tale red flags indicating scams.

Top pieces of information that employees should avoid sharing on social media include: Location, a work email address, credentials, upcoming vacation dates, phone numbers and physical addresses.

Smishing. The objectives of smishing attacks vary (credential theft, data acquisition, malware deployment), but the end-goal typically involves breaching a business’s digital borders. As trite as a text message may seem, someone who falls for this type of attack can inadvertently induce business losses.

To avoid smishing, employees can use a VPN, conduct a web search of both the phone number associated with the message and the web content, and verify the authenticity of messages that appear to come from a colleague, but that perhaps sound syntactically “off”.

Tailgating. Tailgating is a simple social engineering attack that allows criminals to gain access to off-limits physical locations. It involves closely following an authorized person into a restricted access area.

In some cases, a tailgater will look like an ordinary employee (dressed professionally) and will claim to have temporarily misplaced a key card. Or the tailgater will smile and indicate that the authentic employee walking through the building’s door should hold it for him/her. In other cases, a tailgater will pose as a construction worker, a postal carrier, or another service provider.

Inform employees about the possibility of tailgating attacks. Encourage employees to remain vigilant and to adhere to security best practices. Let employees know that they can always inquire with the physical security team if a suspicious person appears on the premises.

Emotional manipulation. Cyber criminals –both in-person and online– commonly get employees to comply with their requests through the use of emotional manipulation.

One group of hackers managed to convince employees to transfer $18.6 million on behalf of an urgent and “highly confidential” project, allegedly authorized by the firm’s CEO. Without a sense of urgency and fear, the employees might have reappraised the situation.

Remind employees that hackers not only leverage urgency and fear-based messages to ensure efficient compliance with requests. They also rely on greed, curiosity, and altruism. If employees receive emails, calls or texts that trigger intense emotions and a sense of “must act now,” they could be targets of a social engineering attack.

Social engineering awareness training

Training should include every employee in an organization; from the highest-ranking executives to the lowest level employees. Anyone can fall victim to a cleverly crafted social engineering attack.

Offering annual training represents a step in the right direction. However, it will not serve organizations as well as year-round security training.

Regardless of which programs you implement and their frequency, be sure to measure knowledge acquisition and to leverage the insights to inform future programming.

In closing

What is the best countermeasure against social engineering? Employee education and awareness. For more employee education and awareness resources, please see the following:

Further, be sure get more comprehensive information about social engineering from Check Point Software’s resource page. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.