How to Identify and Prevent Social Engineering Attacks

Executive Summary

Social engineering attacks have grown in abundance as more companies adopt third-party business-critical applications. Verizon reports social engineering is responsible for 93% of successful data breaches, and damages from these attacks can be extremely costly.

By manipulating people into breaking security protocol, bad actors gain access to sensitive information and valuable resources. Leveraging various forms of attack such as spear phishing, business email compromise, and malware delivery allows them to infiltrate and exploit an enterprise’s systems.

There are ways to recognize such attacks. Suspicious attachments, poor grammar and format, and generic signatures and greetings can be indications of ongoing social engineering exploits. It is essential to educate executives and employees on the best practices on social engineering defense.

However, these simpler tactics aren’t enough on their own. Organizations should also deploy robust solutions that provide advanced cybersecurity functions and governance across the entire enterprise’s app instances. Only then can companies fully equip themselves against social engineering in information technology.

Social engineering is an attack vector that “relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices to gain unauthorized access to systems, networks or physical locations or for financial gain.”

In social engineering attacks, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. 

However, by asking questions, they may be able to piece together enough information to infiltrate an organization's network. If an attacker cannot gather enough information from one source, they may contact another source within the same organization and rely on the information from the first source to add to their credibility.

What are examples of social engineering attacks? Unfortunately, there are many.

• Baiting

Attacker leaves a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found. The target then picks up the device and inserts it into their computer, unintentionally installing the malware.

• Phishing

When a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing financial or personal information or clicking on a link that installs malware.

• Spear phishing

Similar to phishing, but tailored for a specific individual or organization. (Learn more about it here)

• Whaling

A specific type of spear-phishing attack, targets high-profile employees, such as the chief financial officer or chief executive officer, to trick the targeted employee into disclosing sensitive information.

• Vishing

Also known as voice phishing, vishing involves the use of social engineering over the phone to gather financial or personal information from the target.

• Business Email Compromise (BEC) and Business Communication Compromise (BCC)

A spear-phishing attack where a malicious actor impersonates an Executive and attempts, through social engineering tactics, to get the target to send funds, credentials, or sensitive information. The impersonation may occur through a display name change, a typosquated email or username, or through an actual compromise of the executive’s communication channel account.

• Smishing 

A form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as web pages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number.

• Pretexting

One party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need financial or personal data to confirm the identity of the recipient.

• Scareware

This involves tricking the victim into thinking their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware.

• Watering hole

The attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust with the goal of gaining network access.

• Quid pro quo

This is an attack in which the social engineer pretends to provide something in exchange for the target's information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be a technical support specialist responding to a ticket. Eventually, the hacker will find someone with a legitimate tech issue whom they will then pretend to help. Through this interaction, the hacker can have the target type in the commands to launch malware or can collect password information.

• Honey trap

In this attack, the social engineer pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

• Rogue security software

This is a type of malware that tricks targets into paying for the fake removal of malware.

• Pharming

With this type of online fraud, a cybercriminal installs malicious code on a computer or server that automatically directs the user to a fake website, where the user may be tricked into providing personal information.

The first step in most social engineering exploits is for the attacker to perform research and reconnaissance on the target. If the target is an enterprise, for instance, the hacker may gather intelligence on the organizational structure, internal operations, common lingo used within the industry and possible business partners, among other information.

One common tactic of social engineers is to focus on the behaviors and patterns of employees who have low-level but initial access, such as a security guard or receptionist; attackers can scan social media profiles for personal information and study their behavior online and in person.

In the case of social media phishing, the attacker can often perform their target recon on the channel itself. Most often, for businesses and organizations, it’s LinkedIn. Then, they make a simple connection request to the target to begin establishing the trusted relationship. The more connections the attacker makes within the organization, the greater the found sense of trust.

At this point, the attacker is in an excellent position to launch the attack by doing either one or both of two things:

1. Send a malware-laced attachment to the targeted victim, under the pretext of a legitimate purpose, to compromise their host device; or,
2. Send a link that redirects victims to a bogus website or page that either skims their login credentials, or tricks them into wiring money and currencies to an account that the attackers control.

Both instances not only wreak havoc on the financials and the equipment of the company, but also causes brand and reputation damage, as well. 

Moreover, social engineering attacks give birth to more attacks, as access to credentials of one employee can lead to stolen credentials from other coworkers, outside contractors, or business partners and clients.

According to the Cybersecurity and Infrastructure Security Agency (CISA), here are some of the common indicators of social engineering exploits. Familiarizing oneself with these will help in identifying them: 

• Suspicious sender’s address

Cybercriminals will often imitate the address of a legitimate business when sending you an email or a message. The sender's address may closely resemble one from a reputable company, but with some characters altered or omitted. 

• Generic greetings and signature

Usually, a generic greeting like “Dear Valued Customer” or “Sir/Ma’am”, combined with a lack of contact information in the signature block, strongly  indicate phishing. That’s because a legitimate email from a trusted organization will normally provide their contact information and address you by name and/or honorific.

• Spoofed hyperlinks and websites

Spoofed links can be easily identified if you hover your cursor over any of the links in the body of the email. If the links do not match the text that appears when you hover over them, that’s an indication that the link may be spoofed. Malicious websites can also look identical to a legitimate site, but when you check the URL, it uses a variation in site’s spelling or a different domain (i.e., a government site with a .net domain instead of .gov). Moreover, cybercriminals may shorten their URLs to hide the true destination of the link.

• Secondary Destinations

Some phishing attacks involve directing the victim to a legitimate document hosting site, or attacking a non-malicious document to the message. In other words, bad actors can insert a message with a link within the harmless document. This will direct the victims into the malicious site, where the actor hosts infected files or a credential skimming scam.

• Spelling and layout

This is one of the most obvious indicators of a possible phishing attack—a message with poor grammar and sentence structure, misspellings, and inconsistent formatting. That’s because reputable institutions almost always have personnel  dedicated to producing, verifying, and proofreading their customer correspondence.

• Suspicious attachments

Unsolicited emails requesting the user to download and/or open an attachment commonly indicate a malware attack. Too often, a cybercriminal uses a false sense of urgency or importance to persuade the user to download/open the attachment without examining and confirming first. E.g., a bad actor may pretend to be an executive and say “I need this document printed and on my desk in 10 minutes,” or something to that effect.

Protecting the organization means establishing the best security practices against social engineering attacks.

One key approach is to educate staff and executives on social engineering detection and security. If possible, they should be trained on how to recognize these attacks and how to respond to them. If the company doesn't offer it, several free courses are available  online. Even articles about social engineering, like this one, is a great first step already.

Next is enabling smarter password protection. Microsoft reveals that activating two-factor authentication (2FA) successfully blocks 99.9% of automated attacks. This means that the more the employees exercise using 2FA on their business tools, the safer they will be.

Organizations should also monitor network inbound and outbound traffic for suspicious domains, suspicious user activity, and massive movements of sensitive data, be the result of an employee clicking on a phishing link.

Finally, constant updating of security softwares is also important in social engineering defense. Missing patches and late updates on security software (e.g. firewalls) can lead to vulnerabilities in the system which hackers can explore. Constant updates and patches improve security and prevent at least simple social engineering exploits.