SoftwareOne logo

5.75 min to readDigital Workplace

How to prevent social engineering attacks

Ravi Bindra
Ravi BindraCISO
A woman's finger is pointing at a colorful screen.

With many employees still working remotely, cyber criminals have set their sights on targeting people instead of technology. For example, in 2020 during the height of the pandemic, Interpol reported 907,000 spam messages and 737 incidents related to malware, all using COVID-19 as part of the attacks.

Essentially, no organization is safe from social engineering attacks. Even security company RSA experienced a data breach when a small group of employees opened a malicious file attachment contained in a phishing email. Security teams are often an organization’s last line of defense and need to be mindful of each user’s activity so that they can mitigate risk. To take proactive steps to prevent social engineering attacks, organizations need to understand how they work. Let’s take a look at the different ways to prevent social engineering attacks.

How does social engineering work?

Social engineering attacks focus on manipulating people’s human interactions and emotions as one way to get end-users to take adverse actions, like sharing sensitive information. Generally, these attacks take advantage of strong emotions, like fear, and use them to create a sense of urgency to trick people.

When trying to trick people into acting against an organization’s best cyber security interests, threat actors often use strategies like:

  • Likability: Appear credible or likable to build trust
  • Reciprocity: Offer value like bargains or advice which creates a sense of obligation
  • Commitment/urgency: Get people to agree before risks are obvious
  • Social proof: Pretend the victim’s friends endorse the activity to build trust
  • Authority: Pretend to be someone in power to intimidate a person into taking action

Why is social engineering so dangerous?

Since threat actors rely on emotions, social engineering attacks are often more dangerous than other methodologies. Technology can be programmed to provide repeatable outcomes, making it easy to control and validate. Processes can be tested and iterated before an organization needs to use them.

Since social engineering attacks use psychology, victims may not even be aware that they have been manipulated. For example, when cyber criminals leverage authority bias during an attack, they are often manipulating a cognitive bias people do not realize they have.

At the end of the day, emotions and humans are unpredictable. People’s responses to situations change based on various factors including mood and health. For security professionals, this creates an unquantifiable risk coupled with an inability to validate controls, like cyber security awareness training.

Techniques of social engineering attacks

Most social engineering attacks follow one or more of several techniques, such as:

Baiting

In baiting, cyber attackers use a physical object, like a USB drive, to lure people in and increase their curiosity. They often want to know what is on the drive or assume it has been lost and end up trying to return it to the owner. However, when they insert it into the device, the malware installs and executes gathering sensitive information.

Phishing

Phishing may be the most common type of social engineering attack. With phishing, cybercriminals send fake emails to users that look legitimate, suggesting that the email recipient take action as soon as possible. When the link is clicked in the email or downloads the attachment, the malware installs on the devices and executes.

Phishing comes in several different varieties, including:

  • Vishing: using phone calls instead of emails
  • Smishing: using texts instead of emails
  • Spear phishing: using fake emails customized to address the victim
  • Whaling: sending fake emails targeting a specific victim, often a senior leadership team member, that appear to be from someone within the organization

Scareware

Also called “quid pro quo” attacks, scareware attempts to trick people into taking action by suggesting that if they do the requested action, they will avoid harm. For example, a scareware attack might suggest that a user’s computer is infected with a virus and that clicking on the link will erase the infection; but in reality, it deploys the malware.

Pretexting

Whether these occur digitally or physically, they follow the same pattern. Pretexting is when a malicious attacker does research, creates a viable story, and then pretends to be someone who would otherwise be viewed as legitimate.

For example, cyber criminals might impersonate:

  • IT Staff
  • Customer service representatives
  • Survey takers
  • Auditors

Farming/hunting

A highly strategic and risky social engineering attack is farming or hunting, where the cyber criminal forms a relationship with the victim and develops a relationship over time. While this might be riskier because the victim may realize the criminal is acting, it also has a larger payout because it builds a stronger foundation of trust.

How do you avoid being a victim?

To avoid becoming a victim, companies need to ensure that they have the appropriate cyber security user awareness training, such as SoftwareOne’s, in place. When looking for cyber security user awareness services, the training needs to include the following essential components to:

  • Check sources: make sure to review sender email address, email headers, and any URLs before clicking on them
  • Review information in body of an email: make sure to review information quantity and specificity
  • Review language used: make sure to question anything with urgency or that has an offer that is “too good to pass up”
  • Verify requests: contact a company directly without using any contact information in the email
  • Never respond: keep sensitive information private, including personal and corporate data, like usernames, passwords, customer information, and network information

Additionally, companies can use technology to avoid becoming a victim, including:

  • Strengthening spam settings
  • Deploying antivirus software
  • Regularly installing security patch updates
  • Using multi-factor authentication

What should you do if you think you are a victim?

Companies that think they might have been the victim of a social engineering attack should make sure that they have the appropriate detection and response capabilities enabled. The sooner a company can respond to an attack, the less damage a cyber criminal can do.

Some things to consider include:

  • Reviewing alerts and detections to determine compromised users or devices
  • Resetting passwords for compromised users
  • Refusing network access for compromised devices
  • Isolating compromised networks, systems, and applications
  • Monitoring the dark web for compromised data
  • Reporting the incident to the appropriate law enforcement and regulatory bodies

Outlook

Cyber criminals spend significant time engaged in reconnaissance before deploying a social engineering attack. They look for the people who have the most access to information and know how to trigger strong emotions in them.

With employees sitting outside traditional network protections, like firewalls, social engineering attacks will continue to be a primary methodology because they are often successful. While people never want to cause a data breach, cyber criminals use more sophisticated methods for their social engineering attacks, which makes detecting them more challenging for everyone. As you move forward, ensure you’re investing in the proper training of your employees so everyone involved has the tools required to prevent a social engineering attack. This way, everyone will have some peace of mind knowing they may not be the next victim.

A close up of a pink and blue flower.

SoftwareOne’s CIO Pulse Survey

Our report includes key findings of recent research to examine CIOs’ priorities at a time when they are expected to achieve more but with reduced budgets.

SoftwareOne’s CIO Pulse Survey

Our report includes key findings of recent research to examine CIOs’ priorities at a time when they are expected to achieve more but with reduced budgets.

Author

Ravi Bindra

Ravi Bindra
CISO

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.