Defending Against Common Social Engineering Attacks
Social engineering is by no means a new phenomenon. As Crane Hassold, Abnormal Security’s Director of Threat Intelligence explains, “The same techniques that have been used for thousands of years to con people are the same tactics that are used today for email attacks. The only difference is that criminals use a computer to do it.”
Targeted email attacks that rely on social engineering—like credential phishing, business email compromise, vendor email compromise, invoice fraud, and account takeover—have a high potential for costly consequences.
This is why taking steps to block these threats is crucial for every organization, regardless of size.
The Fundamentals of Social Engineering Attacks
Rather than tricking targets into downloading infected attachments or clicking on malicious links, threat actors running social engineering attacks use false pretexts, manufactured urgency, or implied trust to dupe employees. This is often accomplished by posing as an authority figure or a trusted colleague—either by compromising their actual account or simply impersonating them.
Typically when we receive an email from a coworker, vendor, or member of the executive team asking for assistance with something important, our immediate response is to be helpful—not question the identity of the sender or the legitimacy of their request. This is precisely what bad actors exploit to achieve their objectives.
Socially-engineered attacks take advantage of our natural inclination to be cooperative and give the benefit of the doubt. They leverage psychological manipulation to convince employees to share sensitive data, provide login credentials, interact with malware, update bank account information, and pay fraudulent invoices.
Although social engineering may seem less sophisticated than developing and deploying malicious software, it’s frequently a more effective tactic because traditional email security systems lack the functionality to block these types of threats. By exclusively relying on text-based communication (as opposed to attachments containing malware), threat actors can more easily circumvent conventional security measures.
In short, modern cybercriminals have learned how to “hack the human”, as Hassold would say, rendering tools that look only for traditional indicators of compromise wholly ineffective against these threats.
Here are a few ways companies can defend against common social engineering attacks.
Support a Culture of Healthy Skepticism
At this point, attacks in which threat actors impersonate the CEO and ask employees to purchase gift cards are universally well-known.
But what about a phishing email that appears to be an internal announcement sent from your HR department about important updates to employee benefits? Or a financial supply chain compromise attack in which both the attorney being impersonated (who is supposedly following up on an overdue invoice) and the law firm at which he works exist in the real world?
Unfortunately, attackers have an untold number of strategies for deceiving your workforce. Accordingly, employees should be encouraged to approach some requests with a reasonable level of suspicion. They should also feel comfortable pursuing external verification via means other than email. In other words, your organization should foster an environment where the unofficial cybersecurity motto is “Better safe than sorry.”
Perform Social Engineering Penetration Testing
Social engineering penetration testing involves attempting to execute common social engineering attacks on your workforce to determine the level of susceptibility to such threats. Conducted under controlled conditions and with careful oversight, a social engineering penetration test entails sending emails that leverage the same tactics real-world attackers use and observing whether employees engage.
These exercises allow your organization to understand how employees would respond to actual threats without putting the business at risk. They enable you to assess the effectiveness of your security awareness training and evaluate how well employees are (or aren’t) complying with established security policies and protocols.
Social engineering penetration testing can also provide insight into the strength of your company’s network security controls and identify opportunities for improvement in your organization’s incident response plan.
Apply the Principle of Least Privilege
An essential aspect of zero trust security, the principle of least privilege (PoLP) dictates that every user is granted access only to the specific data, software solutions, and resources required to do their job. Additionally, even within the individual applications they use, employee access is limited to only the features needed to execute their particular tasks.
The principle of least privilege reduces your company’s attack surface and mitigates the impact of human error by decreasing the number of channels that threat actors can utilize to access sensitive data or launch additional attacks.
Adopting PoLP is less about preventing social engineering attacks and more about recognizing that, as long as advanced threats can reach employee inboxes, your organization should have strategies in place to minimize the consequences of a successful attack.
Adopt a Security Solution Designed to Block Social Engineering Attacks
Fostering an environment of reasonable skepticism, conducting social engineering penetration testing, and following the principle of least privilege are all effective ways to lower your vulnerability to and reduce the fallout from socially-engineered attacks. However, the best approach is to implement an email security platform that ensures advanced threats never reach employee inboxes in the first place.
Cloud email security technology that can identify even minor changes in behavior and content is essential, since common social engineering attacks exploit established relationships and trusted email accounts. These solutions baseline known-good behavior across both employees and vendors, detect anomalies that deviate from that baseline, and then quickly remediate malicious emails before end users can interact with them.
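The baseline-then-detect approach described above can be illustrated with a small header-level model. The following is an added example, not code from the original post and not Abnormal's product logic; the senders, domains, and messages are constructed. It learns which email addresses each display name has historically used and which reply-to domains each sender domain has used, then flags new messages that reuse a known display name from an unseen address, introduce a never-seen reply-to domain, or arrive from a domain that closely resembles a baselined one.

```python
"""Baseline known-good sender behaviour from historical mail headers and flag
messages that deviate from it. Added example; all message data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str = ""  # empty string when the header is absent


def domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class SenderBaseline:
    # display name -> addresses it has legitimately used
    name_to_addrs: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    # sender domain -> reply-to domains previously paired with it
    domain_to_reply_domains: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    known_domains: Set[str] = field(default_factory=set)

    def learn(self, history: List[Message]) -> None:
        for m in history:
            name = m.display_name.strip().lower()
            addr = m.from_addr.lower()
            self.name_to_addrs[name].add(addr)
            self.known_domains.add(domain(addr))
            if m.reply_to:
                self.domain_to_reply_domains[domain(addr)].add(domain(m.reply_to))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (e.g. one swapped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(baseline: SenderBaseline, m: Message) -> List[str]:
    """Return the list of baseline deviations found in a single message."""
    findings: List[str] = []
    name = m.display_name.strip().lower()
    addr = m.from_addr.lower()
    dom = domain(addr)

    known_addrs = baseline.name_to_addrs.get(name)
    if known_addrs and addr not in known_addrs:
        findings.append("display-name reuse: known name sent from an unseen address")

    if m.reply_to:
        rdom = domain(m.reply_to)
        if rdom != dom and rdom not in baseline.domain_to_reply_domains.get(dom, set()):
            findings.append("reply-to domain differs from sender domain and was never seen before")

    if dom not in baseline.known_domains:
        for kd in sorted(baseline.known_domains):
            if 0 < levenshtein(dom, kd) <= 2:
                findings.append(f"lookalike domain: {dom} resembles baselined {kd}")
                break
    return findings


# Constructed history: an internal executive and a vendor's billing mailbox.
HISTORY = [
    Message("Dana Chen", "dana.chen@example.com"),
    Message("Dana Chen", "dana.chen@example.com", "dana.chen@example.com"),
    Message("Acme Billing", "ar@acme-supplies.example", "ar@acme-supplies.example"),
]

# Constructed candidates: one benign, three that reuse trusted identities.
CANDIDATES = [
    Message("Dana Chen", "dana.chen@example.com"),
    Message("Dana Chen", "dana.chen.ceo@webmail-free.example"),
    Message("Acme Billing", "ar@acme-supplies.example", "ar@acme-supp1ies.example"),
    Message("Acme Billing", "ar@acme-supp1ies.example"),
]


def demo() -> Dict[str, List[str]]:
    """Learn the baseline from HISTORY and score each candidate by sender address."""
    baseline = SenderBaseline()
    baseline.learn(HISTORY)
    return {m.from_addr: score(baseline, m) for m in CANDIDATES}


if __name__ == "__main__":
    for sender, findings in demo().items():
        print(sender, "->", findings or "no deviations")
```

Real platforms fold in many more signals (message content, timing, authentication results, vendor payment history), but the structure is the same: what is "normal" for each identity is learned from observed behavior, and a message is judged by how far it departs from that, not by whether it carries a known-bad attachment or link.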
Investing in software to prevent social engineering attacks limits your employees’ exposure to email threats and decreases opportunities for them to miscategorize an attack as a legitimate request.
For insight into the current email threat landscape and to see why your workforce should never be your last (or first) line of defense, download our latest email threat report. Or, to see how Abnormal can protect your organization from social engineering attacks, schedule a demo.