How Can You Protect Your Organisation from Social Engineering Attacks

Cybercriminals always try ingenious ways to launch attacks. They have recently caught social engineering attacks as an effective way to breach networks.

Conventional cyber attacks exploit inherent vulnerabilities in the network to gain access. Social engineering attacks exploit human weaknesses. The hacker could, for instance, impersonate support staff and trick employees out of their passwords. When imposters assume authority, many users readily disclose confidential information.

Social engineering attacks come in many forms. The most common type is phishing, which involves impersonation as a trusted source and emailing for information. For instance, the cybercriminal may pose as a bank and redirect unsuspecting users to a fake site to steal their login credentials. In 2014, North Korean hackers sent phishing emails disguised as Apple ID verification emails to Sony’s employees. The hackers used the login credentials to wipe Sony’s networks and steal financial records.

Phishing occurs in several variants. Vishing is voice phishing, where cybercriminals ask for information through phone calls. Smishing is the same attack through SMS messages. Scareware persuades users to download malware disguised as an urgent security update. In pretexting attacks, cybercriminals attract the victim’s attention and pry out information. The attacker may pose as an internal auditor and seek personal information such as date of birth and bank account details.

The 2020 Verizon Data Breach Incident report reveals phishing behind 22% of all reported cyber breach incidents.

There are several other types of social engineering attacks, apart from phishing.

Baiting. The cyber criminals sneak in or take the help of rogue insiders to plant malware-infected USB sticks on an unsuspecting victim’s desk. When the victim sticks the USB, the malware gets into action and compromises the system.

Contact spamming and email hacking. Cyber attackers hack individual email or social media accounts, and gain access to their contacts. Next, they send emails to contacts asking for money, information, or an invitation to click on a malicious link. In 2020, cyber criminals hacked the Twitter accounts of Barack Obama, Bill Gates, Elon Musk, and others and solicited Bitcoin. The attackers earned about $120,000 worth of Bitcoins from gullible followers. In 2015, network technology manufacturer Ubiquiti Networks lost $46 million. The attackers hacked an employee’s email and requested wire transfers through the finance team.

Farming attacks. Some hackers establish a relationship with the target over an extended period. They earn their trust and extract information. For instance, honey traps lure victims into vulnerable sexual situations and blackmail them.

Today, cybercriminals launch sophisticated social engineering attacks. They identify their victims and launch well-researched and disguised attacks. They use AI to impersonate people to high perfection, making such attacks hard to detect. Network security deployments are ineffective against such social engineering attacks.

Here are the ways enterprises can safeguard against social engineering attacks:

1. Deploy the right security tools

Effective cyber security tools keep social engineering attacks at bay.

Use a good spam filter. The primary tool against phishing is a good spam filter. Most email programs filter out spam or mark suspicious emails as suspicious. Top anti-malware suites update the threat-detection engine to stay on top of these attacks.
Deploy the latest versions of anti-malware and anti-virus software. First generation suites do not protect against the advanced AI-powered attacks in vogue today.
Upgrade to the latest web application cloud-based firewall. Traditional firewalls do not protect against the latest threats. Web application cloud-based firewalls monitor the network traffic for abnormal activity and misbehaviour. It blocks access to detect unusual behaviour patterns and issues real-time alerts for follow-up action.
Update software and firmware. Apply security patches as soon as it becomes available. Download the latest versions of web browsers.

2. Strengthen device security

Strong device security frustrates attackers. Even when cyber attackers steal passwords, they cannot penetrate the device.

Make a company policy to prevent accessing the corporate network from rooted phones. Also, disallow rooted phones for BYOC.
Have a firm access policy, including strong passwords and multi-factor authentication. The safest multi-factor authentication options include voice recognition, fingerprinting, and SMS confirmation codes.
Check the authenticity and integrity of the websites and other resources used by enterprise users. Obtain SSL certificates from trusted authorities. Allow only trusted and encrypted websites that start with HTTPS://. Websites with HTTP:// do not offer a secure connection.
Encrypt data, emails, and communication to ensure hackers cannot use the data even if they intercept the communication.

3. Audit the network

Periodic network audits close loose ends. Often, social engineering is the first stage of a cyber attack that eventually exploits network vulnerabilities.

Identify the critical enterprise assets that hold sensitive information. Many companies protect assets based on the perspective of their business. Business-critical assets and assets containing critical information need not always be the same. Evaluate assets from the attacker’s perspective. Strengthen protection for assets that hold personally identifiable information, and other sensitive information.
Conduct penetration testing or pen-test to identify vulnerabilities. Simulated cyber attacks identifies exploitable vulnerabilities and preempts cyber criminals from exploiting such vulnerabilities. Comprehensive pen tests cover susceptibility of the enterprise systems to social engineering techniques.

4. Train users to identify and thwart social engineering attacks

Social engineering attacks prey on innate human tendencies of curiosity, respect for authority, and the desire to help friends. The attackers also create a sense of urgency. They do not want their victims to think. The more the victims apply their minds, the lesser the chance of the attack succeeding.

Train enterprise users to:

Identify telltale signs of spoof emails and other forms of impersonation. Phishing depends on the victim’s inability to identify red flags, such as a spoof email address, or the sender asking for information already in their records.
Verify any communication source. Trust no communication blindly. For instance, double-check requests for money.
Trust no one. Institute a policy that mandates users to ask for ID or double-check the source for any requests.

Social engineering is often the first stage of most cyber attacks today. Only 5% of all breaches involve purely technical exploits. The rest of the attacks involve some human element. Enterprises need advanced tools, such as Proofpoint, which co-opt machine learning and real-time analytics to offer robust protection. These tools, powered by large and diverse data sets, move away from the obsolete approach of protecting the perimeter and rather defend users against social engineering and other attacks, regardless of how users operate or from where they work.

IT Knowledge Zone

IT Knowledge Zone is the leading source for technology blogs, IT events, and success stories within the APAC region. Our platform offers profound insights aimed at empowering business leaders to make informed decisions and remain at the forefront of innovative technological solutions. Explore our "Ask Chloe" feature for tailored assistance with your specific needs or requirements in the world of IT.