EXECUTIVE SUMMARY:

Social engineering is one of the most significant and difficult network security challenges to contend with. Due to the discreet nature of social engineering, attacks can occur without anyone in your organization recognizing that anything deceitful has occurred at all.

Employees still fall for social engineering scams on a regular basis. This endangers your organization, as the scams commonly deploy ransomware or otherwise infect networks with malicious code.

For cyber attackers, social engineering does not require any investment beyond the cost of sending an email or a phone call. Social engineering is cost effective and it involves minimal risk, hence the allure. Will social engineering fraudsters fool your workforce?

Key statistics

  • Organizations face upwards of 700 social engineering attacks annually.
  • Reported business email compromise and email account compromise attacks resulted in nearly $2.4 billion in adjusted losses during 2021.
  • Tool kits that cyber criminals use to execute social engineering attacks cost as little as $10.00.

Easy-to-miss social engineering red flags

1. Email red flags. Even the savviest of employees is susceptible to email-based social engineering due to the sheer sophistication of contemporary threats. There are numerous types of email-based social engineering red flags. Below are several common ones that your employees should be on the lookout for:

Email text red flags. Employees generally know that a link in an email may be malicious. However, many people ignore best practices and click on links that look legitimate and seem logical. For example:

An email to a facilities staff member that appears to be a routine notification about the corporate Amazon.com account, and that includes a link to the fake domain ‘login-amazon-account[.]com’, may well get clicked.

Email sender red flags. Employees may miss social engineering red flags pertaining to an email sender. For example:

The sender’s email address may say ‘[email protected]’. An unsuspecting individual may miss the fact that the letter ‘m’ in the web address above has actually been replaced with the letters ‘r’ and ‘n’, which together resemble an ‘m’, giving the illusion that the email is from a reputable source.
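As an added example (not from the CyberTalk.org article), the following Python script implements a defender-side check for both email red flags just described: a sender or link domain in which ‘rn’ reads as ‘m’, and a brand name buried inside an unrelated domain such as ‘login-amazon-account[.]com’. The trusted-domain list, the confusable pairs and the sample message are constructed assumptions.

```python
import re

# Constructed allow-list of domains the organization actually deals with (assumption).
TRUSTED_DOMAINS = ("amazon.com", "example-corp.com")
# Letter pairs that are easily mistaken for a single letter in many fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def clean(host: str) -> str:
    """Lower-case a host and undo the '[.]' defanging used in incident reports."""
    return host.lower().strip().replace("[.]", ".")


def normalize(host: str) -> str:
    """Collapse confusable pairs so 'arnazon.com' compares equal to 'amazon.com'."""
    h = clean(host)
    for fake, real in CONFUSABLES.items():
        h = h.replace(fake, real)
    return h


def registrable(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    return ".".join(clean(host).split(".")[-2:])


def check_domain(host: str) -> list[str]:
    """Return the red flags raised for one host; an empty list means none."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return []
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if normalize(reg) == normalize(trusted):
            reasons.append(f"confusable lookalike of {trusted}")
        elif brand in clean(host):  # e.g. login-amazon-account.com, amazon.com.bad.net
            reasons.append(f"brand '{brand}' inside untrusted domain {reg}")
    return reasons


def check_email(sender: str, body: str) -> dict[str, list[str]]:
    """Map each flagged host (sender domain plus every link host) to its red flags."""
    hosts = re.findall(r"@([\w.\-\[\]]+)", sender)
    hosts += re.findall(r"https?://([\w.\-\[\]]+)", body)
    return {h: check_domain(h) for h in hosts if check_domain(h)}


# Constructed sample message modelled on the two red flags described in the text.
SAMPLE = check_email(
    "Amazon Business <billing@arnazon.com>",
    "Your corporate account needs attention: https://login-amazon-account[.]com/verify",
)
```

A mail gateway or SOAR playbook can run the same check over inbound mail and route anything flagged to a quarantine queue rather than to the employee.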

Email attachment red flags. While employees commonly know to treat unsolicited attachments with suspicion and caution, actual behaviour doesn’t always match that intent. A cyber attacker impersonating an important individual and providing a long-awaited legal document could still easily deceive an unsuspecting employee.

2. Phone-based red flags. Your employees probably know better than to divulge a password to someone who requests it via email. But will they think twice if Aaron from the IT department places a call, calmly and reassuringly explaining that the IT team would like to verify the security of a given employee’s accounts, and that to do so, they’ll need the employee’s account information?

Cyber criminals are also cloning human voices to facilitate fraud. Theoretically, cyber criminals could clone the voices of upper-level management. In a particularly egregious example of AI-based social engineering, several years ago, cyber criminals managed to steal $35 million in one elaborate phone-based voice clone swindle.

Social engineering red flags: Prevention

Don’t leave your employees to fend off masters of manipulation by themselves…

While preventing social engineering attacks is a complex undertaking, a multi-pronged approach can dramatically reduce the chance that your enterprise will encounter a successful social engineering stunt. Consider these foundational steps:

1. Promote employee awareness. Every employee should know about the reality and dangers of social engineering. Provide corresponding training. Within the training, inform employees about how real-world social engineering stunts can unfold and give sophisticated examples.

2. Develop strong policies and procedures that are designed to prevent social engineering. For instance, organizations should teach employees about expectations around handling sensitive information. Your organization may also wish to provide employees with guidelines around social media and what to avoid posting publicly.

3. Consider equipping employees with scripts for certain situations, such as suspicious callers. You might also consider offering employees a list of “hot button questions” to listen for in suspicious conversations. Ask employees to keep the list within easy reach of their regular workspace.

4. Leverage the principle of ‘least privilege’ and ensure that employees only have access to the resources that they need in order to carry out job functions. Thus, in the event that a lower-level employee accidentally provides credentials to a social engineer, the social engineer won’t be able to access information beyond a certain level of clearance.

5. Maintain an incident response plan. In the event of a social engineering attack, you want to have a well-defined incident response plan on-hand. Your plan should include information about how to investigate, contain and mitigate issues stemming from social engineering.

6. Engage in regular security testing. Ensure that your social engineering prevention approach is effective. Leverage a variety of advanced methodologies to identify security posture weaknesses.

Further thoughts

For every organization, social engineering represents one of the most pernicious and under-discussed threats in information security.

Develop a winning social engineering prevention strategy that includes education, policy development, security controls and more. In addition, ensure that you stay abreast of the latest social engineering trends and industry solutions.

For more information about preventing social engineering attempts and social engineering red flags, please see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, the latest best practices, expert analyses and outstanding interviews in your inbox each week, please sign up for the CyberTalk.org newsletter.