When discussing cybersecurity, the initial response for most will be to think about the technological efforts of defense. How strong are my network defenses? Are my firewalls up-to-date? Do we have enough staff to both identify and remediate our vulnerabilities?
This is a great line of thinking to have, but it is not the topic of today’s discussion. Instead, we’ll be looking at the human side of cybersecurity. More specifically, we’ll be looking at social engineering and its impressive — but alarming — success rate in the industry.
What is social engineering? Why is it so effective in our modern society? And what are some tips you can take away from this piece of writing to minimize your chances of falling for a social engineering attack? We’ll be diving into all of these topics and more below!
A conversation about social engineering requires a common definition, and Digital Guardian provides a good one. Social engineering is defined in cybersecurity as a “non-technical strategy cyber attackers use that relies heavily on human interaction and often involves tricking people into breaking standard security practices.”
The success of these social engineering campaigns relies solely on the attacker’s ability to manipulate their victims into performing a desired action, such as providing personal information like a password or social security number.
In today’s world, social engineering is recognized as one of the most effective ways to obtain information and break through a defense’s walls. It is so effective because technical defenses (like firewalls and overall software security) have become substantially better at protecting against outside entities. The same can’t be said for humans, who are often referred to as the “weakest link in your security posture.”
Now that we’ve got a little background on social engineering in the cybersecurity industry, the obvious next question is why is it so effective for attackers in practice?
The basic answer to this question is simple: Humans are flawed. Machines are built with security in mind and are consistently updated to ensure vulnerabilities are patched and defenses are up-to-date. The same can’t be said for humans. Humans’ minds are constantly drifting and thinking about many things that (unless they work in the industry) do not have anything to do with security.
This lack of knowledge and focus is why adversaries have so much success with social engineering. While the most tech-savvy may be able sniff out a phish or social engineering attempt from a mile away, not everyone has that same “spidey sense.” On top of this, general information like your name, city of residence, address and even the name of your spouse and children can easily be found online.
This personal information is the key to building trust and establishing a relationship with victims in order to obtain other, more useful information. Additionally, advanced social engineering technology like “deep fake” videos and voices are becoming more and more realistic by the day, making it harder than ever to tell the difference between a legitimate conversation or information request and a breach attempt.
So now that we know what social engineering is, why it’s so effective in practice, and some of the tactics and technologies that make our lives as victims harder… How do we prevent these attacks?
We don’t claim to have the answers to every social engineering attack that lives in the wild. However, we have compiled a list of proactive tips you can take away from this post to minimize your chances of being an adversaries’ next victim:
While Zero Trust has become one of the most “buzzwordy” buzzwords in cybersecurity, operating with zero trust when it comes to external outreach may help you avoid a social engineering attack.
Whether it’s via email, text message, phone call, or another comm channel, operate under the idea that the communication attempt is a form of social engineering. If the message is clearly backed up with undeniable, tangible evidence, you may be in the clear. However, if there’s a shred of doubt that the claim is legitimate, err on the side of caution.
Working in tandem with our Zero Trust tip is another vital piece of information: Avoid sharing any additional information with a potential adversary.
While it may be reasonable to believe that the individual communicating with you is legitimate, ALWAYS avoid providing additional personally identifiable information (PII) over a form of communication that may be intercepted or hacked in the future.
It is better to be safe than sorry when it comes to these communication methods, and it is more than likely that an alternative solution exists in which you can enter required information in manually.
While social engineering has spread to other communication channels than just email, email is still king for adversaries based on its customizability and direct access to a victim’s mailbox.
With this being said, it’s great advice to ensure you have a good spam filter installed on your email (especially your business email). Additionally, you have a personal responsibility to flag every questionable email you receive that somehow sneaks through the cracks of your filter.
If you don’t see the social engineering attacks aimed at you, you can’t fall for them. This simple fact explains just how important it is to have a good spam filter in place and continue to flag all messages that appear phishy.
One of the most successful tactics that attackers use in their social engineering efforts is displaying a tone that conveys a sense of urgency. Don’t fall for this.
Most communication attempts by legitimate companies, vendors, and coworkers will be direct and easily understandable, not made to incite fear. Attempts to get you to perform an action strictly out of the fear of not doing what’s asked are a dead giveaway that you’re dealing with a social engineering attack.
If you find one of these messages enter your email inbox or voicemail, delete it and move on. If the distress message happens to be legitimate, the company will find a more genuine way to discuss this with you.
The previous tips provide actionable steps to prevent message attempts initially and identify them if they pass through your filter. However, widespread education of the dangers of phishing and social engineering is vital to your organization’s safety.
So, what should be taught throughout your organization? All of your employees should be educated on how to update their spam filters and other useful firewalls, as well as how to identify and report social engineering attacks. This knowledge will both minimize damage these campaigns have on your weakest security link and provide your security team with useful information about where the attacks came from, how they’re passing filters, and the tactics used to lure victims.
By following and implementing these five tips, both your personal accounts and your organization as a whole will be safer.