How to Identify and Prevent a Social Engineering Attack


Tech Insights for Professionals

Thursday, January 27, 2022

Social engineering attacks are one of the most common causes of data breaches. What must you do to educate your employees about these threats?


It's often said the weakest link in any business' IT security system is the piece between the keyboard and the chair - the user. Human error is the leading cause of data breaches, and one of the most common mistakes is employees handing over key data to hackers.

There are a range of techniques hackers use to trick people into giving up their credentials, all of which fall under 'social engineering'. This can be an especially tough type of attack to counter as it taps into some of the fundamental aspects of human nature and there's only so much technology tools can do to counter it.

Types of social engineering attack to be aware of

Whether it's impersonating a worker's boss, offering them a reward or simply taking advantage of people's willingness to be helpful, social engineering can be a highly lucrative way to gain access to valuable data.

While many attempts will arrive via email, you also have to be aware of other avenues of attack, such as phone lines, text messages or even in-person contact. Some issues almost every business is likely to encounter include:

  • Phishing: One of the most common forms of social engineering, this involves sending emails purporting to be from a familiar or trusted sender. They typically contain a URL to a fake website, where users are encouraged to enter login details or financial information, which can then be harvested and reused.
  • Business email compromise: A subcategory of phishing, business email compromise (BEC) sees hackers take over an email address and use it to message known contacts. For example, this could involve using the CEO's account to ask the finance team to authorize a payment, or request sensitive documents.
  • Vishing and smishing: These techniques are similar to email phishing but use voice channels (vishing) or SMS messages (smishing). They can often be effective as, while people are often on the lookout for spam emails, they’re less wary of phone or text scams, especially when criminals use spoofing tools to make it appear as though the messages are coming from a familiar source.
  • Pretexting: Pretexting attacks can take various forms, but generally purport to require some information from the user. This may be the 'finance department' asking for bank account details, or an 'external auditor' asking for sensitive files, for example, and aim to build a sense of trust from the user.
  • Baiting: Another subtype of phishing (or other forms of '-ishing') attack, baiting uses the promise of a free item or goods to lure in victims. For example, they may promise a voucher in exchange for filling out a 'survey' that’s actually a way of harvesting personal details.

5 signs you're facing a social engineering attack

Regardless of the format they take, social engineering attempts often have a few features in common. By knowing what to look for, your staff can ensure they minimize their risk of becoming a victim.

Traditionally, users have been taught to look out for red flags such as misspellings, impersonal greetings or unknown attachments, but today's social engineering attacks are usually much more sophisticated. Here are a few key indicators that something may not be what it seems.

1. A sense of urgency

Many social engineering attacks will encourage their target to act quickly, before they have a chance to step back and assess the situation or gain confirmation about what they're being asked from other sources. If people feel under pressure to take action, they may make rash decisions.

2. Creating a connection

Some scammers try to play off a personal connection to the recipient to build trust. For example, they may say they met at a conference or reference a mutual acquaintance. This should always ring alarm bells if it comes from a name you don't recognize - and criminals may be counting on you not wanting to offend anyone by saying 'I don't remember you'.

3. A request for verification

A request to verify certain information should always be looked on suspiciously, especially if it includes a link directing you to a form to fill in details. The message may well indicate you're the only person who can confirm this information, and will often be paired with the need for urgency.

4. An incentive

Promising a reward in exchange for information is another common tactic, as it plays off people's emotions. It may be among the oldest tricks in the book, but while people are mostly wise to messages like 'You've won $1,000, click here to claim your prize', more considered approaches still work. For example, several companies have caught out their employees by using phishing simulations that reference pay bonuses to entice people to click.

5. The odd one out

No one wants to feel left out or as if they're the one causing a problem, which is why phishing attempts aimed at businesses often include language warning that all employees are expected to respond, or that the recipient is the last staff member not to have filled out this form. Again, these are psychological tactics to encourage a quick response that overrides people's better judgment.
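The five signs above can also serve as a first-pass triage rule. The following is an added example, not code from the article or its publisher: a small Python scorer that flags a message for human review when two or more of the signs co-occur. The phrase lists, the threshold and the two sample messages are constructed for illustration.

```python
import re

# Red-flag phrases for the five signs above (constructed heuristics, not a vendor list).
RED_FLAGS = {
    "urgency": [
        r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b",
        r"\bwithin (the next )?\d+ (hours?|minutes?)\b",
        r"\bbefore (close of business|end of (the )?day|eod)\b",
    ],
    "connection": [
        r"\bwe met at\b", r"\bmutual (friend|contact|acquaintance)\b",
    ],
    "verification": [
        r"\b(verify|confirm|validate|re-?enter) your (account|details|password|credentials|identity)\b",
        r"\bclick (here|the link|below) to (verify|confirm)\b",
    ],
    "incentive": [
        r"\bbonus\b", r"\bvoucher\b", r"\bprize\b", r"\bgift card\b", r"\byou('ve| have) won\b",
    ],
    "odd_one_out": [
        r"\ball (employees|staff) (are|must|have)\b",
        r"\bthe (only|last) (one|person|employee|staff member)\b",
        r"\bnot (yet )?(completed|responded|filled)\b",
    ],
}


def find_red_flags(text: str) -> dict:
    """Return {sign: [matched phrases]} for every sign present in the text."""
    hits = {}
    for sign, patterns in RED_FLAGS.items():
        found = [m.group(0) for p in patterns for m in re.finditer(p, text, re.IGNORECASE)]
        if found:
            hits[sign] = found
    return hits


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Route for human review when two or more distinct signs co-occur; a single
    sign (a genuinely urgent request, say) is common in legitimate mail."""
    return len(find_red_flags(text)) >= threshold


# Constructed sample messages for demonstration.
SUSPICIOUS = ("URGENT: HR bonus confirmation. All employees must verify your account "
              "details before end of day. You are the last person not to have completed this form.")
BENIGN = "Hi team, attached are the slides from Tuesday's meeting. Let me know if you have questions."

if __name__ == "__main__":
    for msg in (SUSPICIOUS, BENIGN):
        print(is_suspicious(msg), find_red_flags(msg))
```

The threshold matters: flagging on any single sign would bury reviewers in false positives from ordinary deadline-driven mail, which is why the combination of signs is what earns a message a second look.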

3 key steps to keep criminals at bay

There's no one solution to prevent social engineering attacks. Instead, you need to align tech tools with user training to minimize the risks.

Technology

Strong antimalware tools can be highly effective against email-based attacks like phishing or BEC. While traditional email gateways may allow some of the more sophisticated attempts to slip through, the latest tools use AI to compare incoming mail against a user's normal correspondence to better spot unusual requests, and natural language processing to identify any red flags in the tone of the message.

Education

You can't rely on technology alone, however. If messages do reach a user's inbox, or criminals turn to other channels to deliver social engineering attempts, your employees are also the best line of defense. Ensuring they’re well-trained on what to look for, and that these sessions are repeated on a regular basis, is essential in keeping firms safe.

Testing

It's important not only to train people on what to look for, but to run regular tests to ensure they're taking the lessons onboard. Running a phishing simulation will give you a chance to see who's being vigilant and who's still falling for social engineering techniques, allowing you to focus refreshers in the areas they're most needed.
