The most significant and underacknowledged threat to data security is a phenomenon called “social engineering.” This manipulation of human emotion has increased cybercriminals’ access to sensitive data. In fact, twelve people every second fall victim to cybercrime, according to Microsoft. One in three documented breaches involves a social engineering attack, as reported in the 2019 Verizon DBIR. Knowing the social engineering tactics most often deployed by criminals can help you mitigate this risk and secure your human attack surface. While the most common social engineering techniques rely on email solicitations, some attackers use more sophisticated tactics. Cybercriminals routinely contact members of an organization by phone, social media, and text message to deceive employees into revealing details that will let them access secure networks. This post highlights the five most common social engineering tactics so you can familiarize yourself with the threat and guard your organization against it.
It’s lunchtime at the office, and you finally have a few minutes to catch up on emails. You have to hurry though because you have a 1 p.m. meeting. The usual emails appear – internal team members, solicitations, the documents you need to move your new project forward. You see an email from your bank with the subject line “Urgent: Please Login to Account.” You want to resolve the issue, so you click on the email and follow it into the banking portal. Your bank’s logo appears right next to the login, so you assume this is a legitimate portal. You enter your credentials and a screen appears that says, “The Issue Has Been Resolved.” Problem solved, right? Wrong. This is a spoofed portal, and you’ve given your banking credentials to an unknown source. However, you’re blissfully unaware this happened, given how authentic the portal looked. Nothing appears off until you start seeing unauthorized charges on your credit card statement. This social engineering tactic of using fraudulent emails to gain access to personal information is called phishing, and you’ve been caught hook, line, and sinker.
You’re leaving the office after a long day. As you approach your car, you notice a USB drive on the ground. You pick it up, take it home, and plug it into your computer — how else will you know who the device belongs to? Unfortunately, your noble deed has been met with malice: your computer is now infected with malware. This tactic is called baiting, and it offers either a physical device or a digital download that compromises your IT systems. Cybercriminals often use it to bypass security measures and infiltrate secure networks, especially those that store valuable data.
You’re the Chief Financial Officer of your company. You receive an email from your boss, the CEO, with the subject line: “Wire Transfer $10,000 to XX Account.” This isn’t entirely out of the norm — there are dozens of transfers in a given week and you don’t want to upset the head of the organization by asking questions, so you make the transfer. As it turns out, the CEO’s email was spoofed, and the money went to an unknown bank account. You’ve just lost the organization $10,000 in a matter of minutes. This is called CEO fraud – imitating the CEO’s email address to trick employees into providing highly confidential information or access to systems. It’s also known as “business email compromise.” This tactic isn’t limited to CEOs but can apply to any employee in a position of authority. You can identify this tactic by looking closely at the email address in question; it will almost always be at least slightly off from the real thing. If your CEO’s email address is firstname.lastname@example.org, the spoof might be email@example.com.
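One way to automate the address check described above, as an added example and not code from the original post: it classifies the From: header of an incoming message against a short allow-list of executive addresses. The allow-list is constructed sample data built from the CEO address in the scenario; the internal domain, the similarity thresholds and the helper names are assumptions.

```python
import re
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "example.org"  # assumed organisation domain
# Constructed allow-list: the CEO's real address from the scenario above.
EXECUTIVES = {"firstname.lastname@example.org": "Firstname Lastname"}

def parse_from(header):
    """Split 'Display Name <user@domain>' into (display, address), lowercased."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()

def similar(a, b):
    """String similarity from 0.0 to 1.0; the thresholds below are assumptions."""
    return SequenceMatcher(None, a, b).ratio()

def assess_sender(header):
    """Classify a From: header as 'trusted', 'internal', 'lookalike-domain',
    'lookalike-address', 'display-name-spoof' or 'external'."""
    display, addr = parse_from(header)
    if addr in EXECUTIVES:
        return "trusted"
    local, _, domain = addr.rpartition("@")
    if domain == INTERNAL_DOMAIN:
        return "internal"
    # A domain that is almost, but not quite, ours (exarnple.org, example.com).
    if similar(domain, INTERNAL_DOMAIN) >= 0.8:
        return "lookalike-domain"
    for real_addr, name in EXECUTIVES.items():
        # Same or near-same local part as an executive, on a foreign domain.
        if similar(local, real_addr.split("@")[0]) >= 0.85:
            return "lookalike-address"
        # Display name claims to be the executive while the address is unrelated.
        if display and similar(display, name.lower()) >= 0.85:
            return "display-name-spoof"
    return "external"

if __name__ == "__main__":
    for h in ("Firstname Lastname <firstname.lastname@example.org>",
              "Firstname Lastname <email@example.com>",
              "Firstname Lastname <ceo.urgent@freemail.test>"):
        print(assess_sender(h), "<-", h)
```

Anything other than "trusted" or "internal" on a message that asks for money or credentials is a reason to confirm the request out of band, by phone or in person.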
It’s 2 p.m. at the office; you’re developing a headache, and that report is due by the end of the day. Ibuprofen isn’t cutting it, so you pull up a website that provides health information and advice. You’re prompted by a chat that asks for some personal information. Your head is still throbbing, so you reluctantly enter your data. The chat box closes — and little did you know, the “representative” was really a man-in-the-middle social engineering attacker. Man-in-the-middle attacks involve intercepting communication between two systems. And this tactic isn’t limited to chat boxes — it can come in the form of email, Wi-Fi, or even IP spoofing attacks.
A well-dressed man carrying a stack of boxes is walking toward your office building door while you’re exiting, and your hands are empty. Naturally, you hold open the door, and he responds with a smile and a nod. Nothing unusual, right? Wrong — the man you opened the door for obtained credentials from a friend to access your organization’s systems, and you’ve just granted him physical access to the building where he’ll find a computer to log in and obtain valuable information. You’ve become a victim of tailgating — when an outsider poses as an insider, gaining access to information systems and confidential data.
How to prevent social engineering tactics from causing damage
There are many ways that organizations like yours can mitigate social engineering. First, behavioral analytics can help you recognize which employees pose the greatest threat to the business. These insider threats can be classified as malicious insiders or careless users who are susceptible to these social engineering tactics. Once identified, they can be governed, trained, and if needed, sanctioned. Proactive monitoring of your cloud applications can also help you spot when a user may have been a victim of social engineering. If a specific sales rep only exports around 50 rows of data each week and suddenly exports 50,000 rows in one day, it could indicate that their credentials were compromised. By layering application-level security on top of network or infrastructure-layer solutions, you can gain more robust insights into vulnerabilities like phishing and man-in-the-middle attacks.
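The export-volume check described above, as an added example that is not the post's or any vendor's code: it reads constructed audit entries of the form (day, user, event, rows), builds each user's baseline from their earlier export days and flags a day that exceeds that baseline by a configurable factor. The event name, the sample users and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample audit entries: (day, user, event, rows_exported).
# "ReportExport" is an assumed event name, not a specific product's log field.
SAMPLE_EVENTS = [
    ("2024-04-01", "sales.rep@example.org", "ReportExport", 48),
    ("2024-04-08", "sales.rep@example.org", "ReportExport", 52),
    ("2024-04-15", "sales.rep@example.org", "ReportExport", 50),
    ("2024-04-22", "sales.rep@example.org", "ReportExport", 49),
    ("2024-04-29", "sales.rep@example.org", "ReportExport", 50000),
    ("2024-04-03", "analyst@example.org", "ReportExport", 2000),
    ("2024-04-10", "analyst@example.org", "ReportExport", 2100),
    ("2024-04-17", "analyst@example.org", "ReportExport", 1900),
    ("2024-04-24", "analyst@example.org", "ReportExport", 2050),
]

def daily_totals(events):
    """Sum exported rows per (user, day); several exports in a day add up."""
    totals = defaultdict(int)
    for day, user, event, rows in events:
        if event == "ReportExport":
            totals[(user, day)] += rows
    return totals

def find_export_anomalies(events, factor=10, min_history=3):
    """Flag any day on which a user exported more than `factor` times their
    own baseline (the mean of that user's earlier export days). Users with
    fewer than `min_history` earlier days are skipped, so a new hire's first
    export does not fire an alert."""
    per_user = defaultdict(list)
    for (user, day), rows in sorted(daily_totals(events).items(),
                                    key=lambda kv: kv[0][1]):
        per_user[user].append((day, rows))
    alerts = []
    for user, series in per_user.items():
        for i, (day, rows) in enumerate(series):
            history = [r for _, r in series[:i]]
            if len(history) < min_history:
                continue
            baseline = sum(history) / len(history)
            if rows > factor * baseline:
                alerts.append({"user": user, "day": day,
                               "rows": rows, "baseline": baseline})
    return alerts

if __name__ == "__main__":
    for a in find_export_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} exported {a['rows']} rows on {a['day']} "
              f"(baseline {a['baseline']:.1f})")
```

The analyst who routinely exports around 2,000 rows is never flagged, which is the point of a per-user baseline rather than a single global threshold.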
And because these types of attacks tend to exploit natural human psychology, training is the best way to raise awareness and change users’ behavior. Training can help users better spot potential external attacks and avoid them, rather than clicking or responding, which opens the organization to a breach. Re-training and new approaches such as policies and procedures may also be necessary. By coupling your training strategy with the insights you derive from user activity monitoring in Salesforce and other cloud applications, you can move your organization toward a culture where security and privacy protocols blend seamlessly with day-to-day tasks. And as social engineering tactics continue to evolve, you can ensure your organization stays ahead of the curve, and ahead of cybercriminals looking to steal your most valuable asset – your data.