What if I told you that many cyber attacks were largely preventable? Social engineering is not a new phenomenon, yet people in a number of organisation’s continue to fall for them.
This is because they prey on the on the most vulnerable aspect of security – human nature.
Social engineering attacks infiltrate the minds of unsuspecting victims, manipulating them into disclosing valuable information or carrying out actions that can harm their organisation.
In this post, we’ll discuss the world of social engineering and examine real life examples. We’ll then offer 10 actionable steps you can take to fortify your business.
But, first things first:
What is Social Engineering?
Social engineering is a fancy word for manipulation.
Social engineering attackers aim to take advantage of human nature in order to access private information.
What does this mean?
Social engineers want us to feel a certain way. They want to create a sense of:
And they’ll use various social engineering techniques like phishing, pretexting, and baiting to do this.
We all want to help those that we care about, and that’s exactly what attackers are hoping for.
They’ll appeal to the target’s natural tendency to help a friend or family member in need. They want to elicit an emotional reaction.
They want to put the victim in a position where they think now and act later.
After that, they can abuse that position to trick their victim into opening an email, clicking a link, or accepting a download. This download infects the computer.
It’s often easier to exploit our instinct to trust than it is for attackers to try and hack into a system.
If they can fool you into giving away your credentials it’s an easy pay day for them. So, you can see the appeal.
A regular hacker will often look for software vulnerability and cyber security gaps. A social engineer, on the other hand, uses deceit to get an employee to divulge login credentials. For example, they may do this by posing as a tech-support worker.
Social engineering itself is not necessarily a new concept. But techniques have become more sophisticated and personalised.
They’re also becoming more common for small-to-medium businesses to encounter. We’ve all received a dodgy email from a known contact but they’ve always been easy to identify. You don’t expect to receive “CLICK HERE FOR XXX” from grandma Jean in your inbox, right? So the attacks were easy to avoid.
But, they’re less obvious now and use psychological manipulation to target unexpecting victims.
How so? Read on…
Examples of Social Engineering
Let’s take a look at some examples of social engineering, and how these attacks may present. Understanding what social engineering attacks may look like will help you to recognise and identify such attacks. As a result, you’re less likely to fall victim to an attack.
You may be aware of phishing as a hacking technique.
These are usually non-specific in their target and the attacker will cast a ‘wider net,’ so to speak. This means that, even if only 1% of attacks are successful, they’ve hit say 100 out of 10,000 individuals. That’s still a success.
Spear phishing, on the other hand, is a targeted version of phishing. Attackers target a specific individual or organisation with a much more detailed phishing email. This can lead to a higher chance of success. We dive deeper into phishing in our article that you can read here.
Not all social engineering happens online.
Tailgating is a tactic that exploits people’s trust and courtesy to gain unauthorised access to secure areas or facilities.
The attacker will physically follow a person into a restricted area, often by walking closely behind them. This way, they don’t need credentials or security checks.
The attacker might pose as an employee or maintenance worker to blend in. They want to avoid suspicion.
They might even wait outside a secure entrance holding a large package and a cup of coffee, “struggling” to open the door. Here, let me get that for you.
It’s easy for a helpful employee to hold the door open and unintentionally let them into the restricted area.
The Boss (Pretexting)
This scam looks like an email from what appears to be your boss urgently requesting a financial transfer. Perhaps he’s just requesting some reports or files―containing confidential information―and it looks legitimate so you don’t question it. In 2016, Snapchat fell for exactly this scam with an HR employee handing over payroll information to the ‘CEO.’
A trusted friend sends you an email containing a malicious link or download for you to click. These could be disguised as photos they want to ‘share’ with you, or a link to their site, Facebook page, etc to entice you to click… and bam! You’ve been socially engineered.
The Cry For Help
Your ‘friend’ or ‘cousin’ or whomever it may be writes to you that they are in urgent need of your help!
They were mugged in Spain *insert sob story here* and they need you to send $X to their account.
The pretext will vary; it may be so they can pay for their hospital bill/passport fees/insert other relevant cost here.
Spoiler alert: your friend is not really in danger, and the funds are going to a social engineer attacker.
The Mysterious Lottery
Congratulations! You won a lottery that you don’t even recall entering! Or maybe you’ve suddenly inherited millions from a long-lost relative.
It’s a dream come true! But remember, if it’s too good to be true, then it probably is.
These social engineering attacks tend to be more random and less personalised. However, they definitely fall into the same category as they prey on your sense of greed.
The Account Suspension
This is one that is always difficult to dismiss. You get an email that your account has been suspended or compromised. And, you need to verify your information or reset your password.
These emails can be extremely convincing, with identical formatting to the real deal. If you’re ever unsure, the best thing to do is to open the site and account in your browser independently. You will immediately be able to see any account-related shenanigans. Just make sure you don’t click the link embedded in the email!
Quick tip: if you’re not sure if the email is legitimate, take a closer look at the sender’s address.
Busted and Blackmailed (Scareware)
This is one that has been making the rounds, with some success. A convincing email arrives in your inbox stating that you’ve been busted watching pornography. Now they are threatening to reveal a video of your activity to your contacts.
How is it convincing?
Firstly, the email will usually contain a real password that you have used at some point (likely obtained through a previous data leak available online). Secondly, they will detail the method they used to ‘hack’ into your system―this makes it seem more legitimate.
They will make a demand for money in exchange for not sharing the damning video. Breathe easy, it’s all a bluff. You can check if your password is in a leaked database through Have I Been Pwned.
The Dream Job Offer
You might hear from a LinkedIn recruiter offering you a dream job with unbelievable salary and benefits. Of course, you could be extremely lucky. But the more likely scenario is that there is no job and no amazing salary.
There are a lot of recruiters out there headhunting for the perfect candidate. And, it may not be out of the ordinary to receive such an inquiry. However, just be wary of the source and don’t reveal any confidential information or click any links.
There are more examples of social engineering we could dig into, but these are the most common social engineering attacks around.
So, how do you protect your business from any one of these examples of social engineering? Let’s take a look.
The Influence of AI
AI will shake up cyber security. There’s no doubt about it.
Research from Darktrace indicates that there has been a 135% increase in new social engineering attacks in 2023.
This suggests that hackers are using generative AI tools like ChatGPT to construct targeted attacks at scale. This will likely make it more difficult to spot red flags in phishing emails.
For example, if a lot of your writing is online, attackers can feed examples of it into an AI system. The AI can then produce convincing emails written in your style.
It’s a developing area of cyber security that we all need to keep an eye on.
Examples of Social Engineering Attacks
Facebook and Google Scam
A notable example of a successful social engineering attack was against Facebook and Google.
The attacker, a Lithuanian man, impersonated a Taiwanese electronics manufacturer. He registered a company in the same name and sent fraudulent emails requesting payment for goods that the legitimate company had provided.
Thinking nothing of it, finance at Google and Facebook paid the fraudster a combined $100 million.
In 2019 a supplier of Toyota parts was hit by an email scam, costing them $37 Million.
The attackers convinced a financial executive to change account information for an upcoming electronic transfer.
A British railway company suffered a rather embarrassing social engineering attack.
Journalists received an email that appeared to come from the company’s director. The email revealed that Merseyrail had been hacked, however it tried to downplay the attack.
The attack appeared to have originated via a successful compromise of a privileged Microsoft 365 account. It was likely the result of a spear-phishing campaign.
In addition to sending the email to journalists, many employees received an email about the attack. This is known as a double extortion technique, as it puts pressure on the company to pay up via a public shaming campaign.
Protect Your Business From Social Engineering Attacks
A lot of cyber-attack prevention boils down to many of the same tools and steps. It’s about reducing your exposure, being aware of vulnerabilities, and utilising tools to increase your protection.
Having said that, social engineering attacks can be a little different, as they play on human emotion. Ultimately, there’s not much that an anti-malware program or firewall can do to stop a person from giving away the goods.
Keep in mind that many examples of social engineering will try to bypass your security system completely. But there’s a number of steps you can implement within your business to reduce your risk of social engineering attacks. We’ll run through them with you to ensure your business is on the right path.
1. Cyber Security Policies
Cyber security policies may sound incredibly boring and tedious. However, they are crucial to protecting your business and employees from social engineering attacks.
Although it’s not enough to just create the policies. They need to be well understood and enforced. Don’t stick it in the back of the employee manual that no one ever reads. Keep the policy clear, visible, and regularly reinforced with your staff to ensure the recommendations becomes habit.
Having a solid cyber security policy will do a few things to help prevent social engineering attacks:
- Individuals are less likely to click on phishing links or give out credentials online.
- It reduces the chance of accidently downloading malicious files onto the system.
- Having high-level email spam rules and policies can filter out many social engineering attacks from the get-go as they fail to pass filters.
2. Mobile Device Management
Mobile device management is protection for your business and for employees using a mobile device. This is especially relevant when they are using a personal device for work, instead of a company-issued device.
Mobile-device-management tools enable you to implement policies that control company data, passwords, sharing restrictions, and more.
Even if an employee falls victim to a social engineering attack, you can control what data attackers can access and share.
Let’s say you suffer a pretexting attack. Now Janet in accounts thinks she needs to send a copy of payroll information to Bob the CEO. Mobile device management ensures that Janet isn’t able to share those documents, or even copy the information within, based on your restrictive rules designed for just this purpose.
3. Multi-Factor Authentication
We always come back to this one. Multi-factor authentication ensures that account security is not defined by just one factor (the password).
Passwords are important, sure, but as we’ve come to realise, they are insufficient on their own. Why? It’s far too easy for someone else to get access to your password, and therefore access to your accounts.
Whether that password is accessed via social engineering, or because Janet wrote it on a post-it next to her computer, the result is the same: unauthorised access.
Multi-factor authentication ensures that the password is not the master key to any given account. An additional verification will be required which could be anything from a security question, to a one-time generated code, or even biometrics such as fingerprints or facial recognition.
4. Regular Backups
Time to rag on Janet a little more.
She defied all policies and logic, and failed to engage the slightest bit of suspicion or common sense.
She clicked the link that Bob The Fake CEO sent her and now the company has been infected with a virus hell bent on destroying everything.
But… thank goodness you followed sensible protection policies and scheduled regular backups for your data. You’re able to revert the system back to its original state, change all passwords and update policies as required. And give Janet a stern talking to. If any Janet is reading this, we’re so sorry.
5. Password Management
This should be integrated into your cyber security policies, but it’s worth covering as a separate point.
Good password management is incredibly important to prevent social engineering attacks. I know we just said that passwords are not the be all end all, but that doesn’t mean you can get away with password1234 on all your accounts. And yes, people still use that password.
Good password management means doing a few things:
- Creating a strong password (random, multiple cases, characters, and passphrases are all excellent).
- Never using the same password more than once.
- Using a secure password manager to keep track of all your logins, and changing passwords at scheduled intervals (for example every 3-6 months).
6. Security Awareness Training For Employees
As mentioned above, it’s not enough to just stick a cyber security policy in the back of the manual and call it a day. Employees need to be able to take charge of cyber security. They must understand where attacks can come from and what they can do to avoid an attack. This means that your employees beed cyber security awareness training.
Essentially, you want these procedures and protocols to become second nature to your employees. If they feel that they have ownership of cyber security and attack prevention, they are far more likely to follow cyber security protocols and your risk of social engineering attacks will be reduced.
7. Encrypting Emails and Data
Ensuring that all your emails, data, and communication are encrypted ensures that, even if an attacker intercepts your data in transit, they aren’t able to view or access the included information. Their ‘payload’ is useless, as they can’t use any of the information contained within. You can achieve this by utilising a VPN within your business, which will encrypt data transmitted between you and any websites, protecting you from prying eyes.
8. Keep Software/OS Up to Date
This is a simple, yet critical, step that shouldn’t be overlooked.
It’s so easy to put off those updates, as they always seem due at the most inconvenient times. These updates, however, reduce vulnerabilities and keep your system secure.
Rolling out patches across a large network can be time-consuming, but knowing which software has critical vulnerabilities and the updates that are more urgent can help you to prioritise and manage the task at hand. Of course, employing an external team to manage your IT services will be a big boon in this instance, so it’s not something you need to fret about.
9. Define Roles and Verify Identities
If you have a workplace where everyone does a bit of this and a bit of that, it’s hard to know where to draw the line in terms of who can access what.
Defining roles within the business means that everyone has a clear cut understanding of what they can and should access at any given time. This cuts down on successful social engineering attacks as individuals know that George (let’s give Janet a break) isn’t permitted access to the employee database he’s suddenly requesting, immediately raising a red flag.
Furthermore, having a system of identity verification internally will help to reduce this risk as well. It may be that any time certain requests are made, or certain information is being accessed, employees are required to answer a security question or provide a pre-determined passphrase. Social engineers often do their research on their targets and can be very convincing in their assumed identities, so having a method of verification provides that extra security.
10. Utilise Next-Gen Firewall and Anti-Virus
You are probably already using a firewall and anti-virus software within your business, but next-gen firewall technology (NGFW) is designed to provide maximum security in ways that previous versions didn’t.
Traditional anti-virus and firewall software doesn’t have the sophisticated techniques and knowledge required to truly protect your system against modern attacks. Although social engineering attacks rely on human mistakes, a good NGFW will alert you to any attempted malware installations, preventing any potential infiltration.
- Stay vigilant of spam, flag emails that request personal or financial information; call for quick action by threatening the user with frightening information; or are sent by unknown senders.
- Regularly monitor online accounts to make sure no unauthorised transactions have been made.
- Never give personal information via the phone or malicious websites.
- Don’t click on links, download files, or open email attachments if you don’t know the sender and recognise the email address.
- Only complete online transactions on websites that use the ‘https’ protocol. Also look for a sign that indicates that the site is secure, such as a padlock on the address bar.
- Beware of phone phishing and never provide personal information over the phone. Also, beware of emails that ask the user to contact a specific phone number to update their information.
- Never give personal or financial information via email.
- Beware of links to web forms that request personal information, even if the email appears to come from a legitimate source. Phishing websites often disguise themselves as exact replicas of legitimate websites.
- Beware of pop-ups; never enter personal information in a pop-up screen or click on it.
- Adopt proper defense systems, such as spam filters, anti-virus software, and a firewall, and keep all systems updated.
- Social network users should trust no one and reveal only a limited amount of information. They should never post personal information on the social networking site. This includes vacation schedule and home photos, click on links and videos from unknown origin, or download uncertified applications.
Reviewing the examples of social engineering above, it’s clear that social engineering targets a huge part of human nature. It plays on our curiosity and desire to help. It’s human nature to be curious; we want to know everything! A Google study showed that 48% of individuals who picked up a random stray USB drive then plugged it into their computers. This is beyond risky.
Moreso, we want to help our fellow humans, especially those close to us or in our everyday lives. Social engineering attacks exploit this. This is why so many cases of social engineering involve a request for assistance from either coworkers, or friends―these are people we tend to trust. And the ones we’re willing to help.
Social engineering has been around ‘forever’, of course―it’s not a new technique. However, social engineering attacks have grown more sophisticated in recent years. With social media now so mainstream, it’s easier than ever for these attackers to collate relevant information in order to present a convincing identity. According to a study by KnowBe4, a whopping 98% of hackers target users via social engineering rather than through a technical flaw.
Overall, these steps won’t prevent social engineering attempts on your business―the hackers will just keep on trying. Keep the examples of social engineering in mind and learn to recognise them so that if such an attempt comes your way. This way, you’re already on the defence and less likely to fall victim to social engineering attacks.