If you work in IT or cyber security, chances are you’re familiar with social engineering and the threat it poses. Regardless, maybe you’ve heard whispers of it starting to circulate, that this is the growing cyber threat on the horizon.
Social engineering attacks are now on the rise. Move over, ransomware. There’s a new bad boy in town. Today we’ll cover what social engineering is, walk through examples of social engineering, and list ten methods you can implement to protect yourself from social engineering attacks. First things first:
What is Social Engineering?
Social engineering is the act of manipulating people into giving up confidential data. These attackers aim to take advantage of human nature in order to access private information. What does this mean? Social engineers will pose as a person of trust — such as a friend, relative or coworker. Then they use that position to trick you into opening an email, clicking a link or accepting a download. (We’ll provide some examples of social engineering below).
It’s easier to exploit our instinct to trust, than it is for attackers to try and hack into a system. If they can fool you into giving away your credentials, that’s an easy pay day for them with less effort. You can see the appeal for these individuals.
Social engineering itself is not necessarily a new concept, but techniques have become more sophisticated and personalised. We’ve all received a dodgy email from a known contact but they’ve always been very easy to identify. You don’t expect to receive “CLICK HERE FOR XXX” from your Grandma Jean in your inbox, right? So the attacks were easy to avoid. But they’re less obvious now. How so?
Examples of Social Engineering
Let’s take a look at some examples of social engineering and how it might look (give or take some details). Understanding what social engineering attacks may look like will help you to recognise and identify such attacks at a glance. As a result, you’re less likely to fall victim to one.
You are aware of phishing as a hacking technique, of course. Phishing emails are usually non-specific in their target, and the attacker casts a ‘wider net’, so to speak. This means that even if only 1% of recipients fall for it, that’s 100 out of 10,000 individuals. That’s still a success for the attacker. Spear phishing is a targeted version of phishing. Attackers target a specific individual or organisation with a much more detailed phishing email, which leads to a higher chance of success.
This scam arrives as an email that appears to come from your boss, urgently requesting a financial transfer. Perhaps he’s just requesting some reports or files containing confidential information, and it looks legitimate, so you don’t question it. In 2016, Snapchat fell for exactly this scam, with an HR employee handing over payroll information to the “CEO”.
A trusted friend sends you an email containing a malicious link or download for you to click. These could be disguised as photos they want to ‘share’ with you, or a link to their site/Facebook/whatever to entice you to click, and bam: you’ve been socially engineered. Of all our examples of social engineering, this one may come across as the laziest.
The Cry For Help
Your ‘friend’ or ‘cousin’ or whomever it may be writes to you that they are in urgent need of your help! They were mugged in Spain or *insert sob story here* and they need you to send $x to their account. The pretext will vary: so they can pay for their hospital bill/passport fees/insert other relevant cost here. Spoiler alert: your friend is not really in danger, and the funds are going to a social engineer attacker.
The Mysterious Lottery
Congratulations! You won a lottery that you don’t even recall entering! Or maybe you’ve suddenly inherited millions from a long-lost relative. It’s a dream come true! But remember, if it’s too good to be true, then it probably is. These social engineering attacks tend to be more random and less personalised. However, they definitely fall into the same category as they prey on your sense of greed.
The Account Suspension
This is one that is always difficult to dismiss. You get an email saying that your account has been suspended or compromised and that you need to verify your information or reset your password. These emails can be extremely convincing, with formatting identical to the real deal. If you’re ever unsure, the best thing to do is to open the site and your account in your browser independently, by typing the address yourself. You will immediately be able to see any account-related shenanigans. Just make sure you don’t click the link embedded in the email!
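A useful habit to automate is the check behind that advice: does the link in the email actually go where it claims to? The following is an added example, not code from the original post or from Stanfield IT. It parses an HTML email body, pulls out every link, and flags links whose destination is not the expected domain or whose visible text names a different site than the href. The email body, the domain names and the IP address are constructed for the example; the “last two labels” domain rule is a simplification, and a production filter would use a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' rule (IP literals are returned unchanged).
    Real code should consult the public-suffix list instead."""
    host = host.lower().strip(".")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def host_of(url_or_text):
    """Hostname of a URL, or of visible text that looks like a URL."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def looks_like_url(text):
    return re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text) is not None


def find_suspicious_links(html, expected_domain):
    """Return a list of findings for links that do not belong to expected_domain
    or whose visible text disagrees with the real destination."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if registrable_domain(href_host) != expected_domain.lower():
            reasons.append(f"link goes to {href_host}, not {expected_domain}")
        if looks_like_url(text):
            text_host = host_of(text)
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                reasons.append(f"visible text says {text_host} but link goes to {href_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: an 'account suspended' email with two deceptive links and one genuine one.
SAMPLE_EMAIL = """
<p>Your account has been suspended. Please
<a href="http://example-bank.com.verify-login.example/reset">verify your information</a>.</p>
<p>Or visit <a href="http://203.0.113.7/login">https://www.example-bank.com/login</a></p>
<p>Questions? <a href="https://www.example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL, "example-bank.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first link hides the real domain behind a familiar-looking prefix, the second shows one address in the text and sends you to another; both are flagged, while the genuine help-centre link passes.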
Busted and Blackmailed
This is one that has been making the rounds, with some success. A convincing email arrives in your inbox stating that you’ve been busted watching pornography. Now they are threatening to reveal a video of your activity to your contacts. How is it convincing? Firstly, the email will usually contain a real password that you have used at some point (likely obtained through a previous data leak available online). Secondly, they will detail the method they used to “hack” into your system — this makes it seem more legitimate. They will make a demand for money in exchange for not sharing the damning video. Breathe easy, it’s all a bluff. You can check if your password is in a leaked database through Have I Been Pwned.
The Dream Job Offer
If you hear from a LinkedIn recruiter offering you a dream job with an unbelievable salary and benefits… you could be extremely lucky. But the more likely scenario is that, sorry, there is no job and no amazing salary. There are a lot of recruiters out there headhunting for the perfect candidate, and it may not be out of the ordinary to receive such an inquiry. However, be wary of the source, and don’t reveal any confidential information or click any links.
There are more examples of social engineering we could dig into, but these are the most common social engineering attacks around. So how do you protect your business from any one of these examples of social engineering? Read on.
Protect Your Business From Social Engineering Attacks
A lot of cyber attack prevention boils down to many of the same tools and steps. It’s about reducing your exposure, being aware of vulnerabilities and utilising tools to increase your protection. Having said that, social engineering attacks can be a little different as they do rely on the human factor, and ultimately there’s not much that an anti-malware program or firewall can do to stop you from giving away the goods.
Keep in mind that many examples of social engineering will try to bypass your security system completely. But there’s a number of steps you can implement within your business to reduce your risk of social engineering attacks, and we’ll run through them with you to ensure your business is on the right path.
1. Cyber Security Policies
Cyber security policies may sound incredibly boring and tedious, but they are crucial to protecting your business and your employees. Be warned, though: it’s not enough to just create the policies. They need to be well understood and enforced. Don’t stick them in the back of the employee manual that no one ever reads. Keep the policy clear and visible, and regularly reinforce it with your staff so that following it becomes habit.

Having a solid cyber security policy does a few things to help prevent social engineering attacks: individuals are less likely to click on phishing links or give out credentials online, and the chance of malicious files being accidentally downloaded onto the system is reduced. Also, having high-level email spam rules and policies can filter out many social engineering attacks from the get-go, as they fail to pass the filters.
2. Mobile Device Management
Mobile device management protects your business and your employees whenever they use a mobile device for work, and especially when that device is a personal one rather than company-issued. Mobile device management tools enable you to implement policies that control company data, passwords, sharing restrictions and more. Hopefully you’re starting to see the benefit in this context! Even if an employee falls victim to one of the above social engineering attacks, you can control what data can be accessed and shared.

In the case of the email from the boss, maybe Janet in accounts thinks she needs to send a copy of payroll information to Bob the CEO. Mobile device management ensures that Janet isn’t able to share those documents, or even copy the information within them, based on the restrictive rules you designed for just this purpose.
3. Multi-Factor Authentication
We always come back to this one, because honestly, if you don’t have it implemented by now, then you’re well behind the pack. Multi-factor authentication ensures that account security is not defined by just one factor (the password). Passwords are important, sure, but as we’ve come to realise, they are insufficient on their own. Why? It’s far too easy for someone else to get access to your password, and therefore access to your accounts. Whether that password is obtained via social engineering, or because Janet wrote it on a post-it next to her computer (dammit Janet!), the result is the same: unauthorised access.

Multi-factor authentication ensures that the password is not the master key to any given account. An additional verification is required, which could be anything from a security question, to a one-time generated code, to biometrics such as fingerprints or facial recognition.
4. Regular Backups
Time to rag on Janet a little more. She defied all policies and logic, and failed to engage the slightest bit of suspicion or common sense. She clicked the link that Bob the Fake CEO sent her, and now the company has been infected with a virus hell-bent on destroying everything.

But… thank goodness you followed Stanfield IT’s sensible protection policies and scheduled regular backups of your data. You’re able to revert the system to its original state, change all passwords and update policies as required. And give Janet a stern talking-to. (If any Janet is reading this, we’re so sorry.)
5. Password Management
This should be integrated into your cyber security policies, but it’s worth covering as a separate point. Good password management is incredibly important. We know we just said that passwords are not the be-all and end-all, but that doesn’t mean you can get away with password1234 on all your accounts (you’d be surprised how many people use exactly that).

Good password management means doing a few things: creating strong passwords (random, mixed case, special characters and passphrases are all excellent), never using the same password for more than one account, using a secure password manager to keep track of all your logins, and changing passwords at scheduled intervals (for example every 3-6 months).
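Two of the checks above can be automated in an onboarding or password-change flow: is the password on a common list, and has it already appeared in a breach? The following is an added example, not code from the original post or from Stanfield IT, and it also illustrates the Have I Been Pwned check mentioned in the blackmail example earlier. The Pwned Passwords service is queried by sending only the first five hex characters of the password’s SHA-1 hash and matching the returned suffixes locally, so the password itself never leaves your machine. This example does not call the network: the range response, its counts and the small common-password list are constructed here for illustration.

```python
import hashlib
import string

# Constructed stand-in for a common-password list; a real check uses a large breach corpus.
COMMON_PASSWORDS = {"password", "password1234", "123456", "qwerty", "letmein", "welcome1"}


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: the 5-character prefix is what you would send to the
    range endpoint; the 35-character suffix is compared locally."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (the range endpoint's format) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach data described by range_body."""
    _prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def assess_password(password: str, range_body: str, min_length: int = 12) -> list:
    """Return a list of problems; an empty list means the password passed every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("uses fewer than three character classes")
    seen = breach_count(password, range_body)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


# Constructed range response: the suffix of a known-bad password with a made-up count,
# plus one unrelated suffix. A real response lists every suffix sharing the prefix.
_, _BAD_SUFFIX = split_for_range_query("password1234")
SAMPLE_RANGE_RESPONSE = f"{_BAD_SUFFIX}:41234\n" + "0" * 34 + "A:3\n"

if __name__ == "__main__":
    for candidate in ("password1234", "Tr0ub4dor&3-is-long"):
        print(candidate, "->", assess_password(candidate, SAMPLE_RANGE_RESPONSE) or "ok")
```

In a real deployment the prefix returned by split_for_range_query is what you append to the range endpoint URL, and the response body is passed to breach_count unchanged; the matching logic is identical to what runs here against the constructed response.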
6. Security Awareness Training For Employees
As mentioned above, it’s not enough to just stick a cyber security policy in the back of the manual and call it a day. Employees need to be able to take charge of cyber security, understand where attacks can come from and know what they can do to avoid them. Essentially, you want these procedures and protocols to become second nature to your staff.

If your staff feel that they have ownership of cyber security and attack prevention, they are far more likely to follow cyber security protocols, and your risk of social engineering attacks will be far reduced. Stanfield IT has a webinar on employee cyber security available here, and we can offer a training seminar for your team if you want something more personalised.
7. Encrypting Emails and Data
Ensuring that all your emails, data and communications are encrypted means that even if an attacker intercepts your data in transit, they aren’t able to view or access the information it contains. Their ‘payload’ is useless, as they can’t use any of the information within.

This can be achieved by utilising a VPN within your business, which will encrypt data transmitted between you and any websites, protecting you from prying eyes! Bear in mind that a VPN only encrypts the leg between your devices and the VPN endpoint; the email messages themselves are only protected end to end if they are also encrypted, for example with S/MIME or PGP.
8. Keep Software/OS Up to Date
This is a simple yet critical step that shouldn’t be overlooked. It’s so easy to put off those updates, as they always seem due at the most inconvenient times, but those updates close vulnerabilities and keep your system secure.

Rolling out patches across a large network can be time-consuming, but knowing which software has critical vulnerabilities, and which updates are more urgent, helps you to prioritise and manage the task. Of course, employing an external team to manage your IT services will be a big boon in this instance, so it’s not something you need to fret about.
9. Define Roles and Verify Identities
If you have a workplace where everyone does a bit of this and a bit of that, it’s hard to know where to draw the line in terms of who can access what. Defining roles within the business means that everyone has a clear-cut understanding of what they can and should access at any given time. This cuts down on successful social engineering attacks, because individuals know that George (let’s give Janet a break) isn’t permitted access to the employee database he’s suddenly requesting, so that raises a red flag immediately.
Furthermore, having a system of identity verification internally will help to reduce this risk as well. It may be that any time certain requests are made, or certain information is being accessed, employees are required to answer a security question or provide a pre-determined passphrase. Social engineers often do their research on their targets and can be very convincing in their assumed identities, so having a method of verification provides that extra layer of security.
10. Utilise Next-Gen Firewall and Anti-Virus
You are probably already using a firewall and anti-virus software within your business, but next-gen firewall technology (NGFW) is designed to provide maximum security in ways that previous incarnations didn’t. Traditional anti-virus and firewall software doesn’t have the sophisticated techniques and knowledge required to truly protect your system against modern attacks.

Although social engineering attacks rely on human mistakes, a good NGFW will alert you to any attempted malware installations and help prevent potential infiltration.
Reviewing the examples of social engineering above, it’s clear that social engineering targets a huge part of human nature: curiosity and our desire to help. It’s in our nature to be curious; we want to know the thing! A Google study showed that 48% of individuals who picked up a random stray USB drive then plugged it into their computers. This is beyond risky! More so, we want to help our fellow humans. Well, most of us do anyway. Social engineering attacks exploit this fact. This is why so many of the examples of social engineering are framed around a request for assistance from coworkers or friends: these are people we tend to trust.
Social engineering has been around forever, of course; it’s not a new hacking technique. However, these attacks have grown more sophisticated in recent years, and with social media now so mainstream, it’s easier than ever for attackers to collate relevant information in order to present a convincing identity. According to a study by KnowBe4, a whopping 98% of attacks target users via social engineering rather than through a technical flaw.
Overall, these steps won’t prevent social engineering attempts on your business; these hackers will just keep on trying. But keep the examples of social engineering in mind, and learn to recognise them, so that if such an attempt comes your way, you’re already on the defence and less likely to fall victim.
If you would like to find out more please contact the team at Stanfield IT to discuss.