How Can a Business Protect Itself From Social Engineering Attacks?

Technology is not isolated from its human operators. Employees and others must use technology interfaces to work, communicate, and carry out daily tasks. It is this interface that cybercriminals increasingly exploit to initiate successful cyberattacks. As such, circumvention of security has focused on manipulating the human element when using apps and other IT resources. Evidence of this shift can be seen in research from Verizon. The Verizon 2024 Data Breach Investigations Report (DBIR) found that over two-thirds (68%) of cyberattacks involved a human being, and an SMB is in the cross-hairs of this insidious form of attack.

Understanding why cybercriminals have focused on human operators and how they exploit employees to carry out tasks that harm a company allows an organization to implement robust measures. Here, we discuss protecting your employees and company from social engineering attacks.

What is Social Engineering?

Social engineering describes various methods cybercriminals use to manipulate human behavior to extract sensitive data, steal money, and cause damage. This involves using psychological tactics like exploiting trust. This type of social engineering is nothing new. Criminals of old would use the same sort of manipulative methods to steal money from unsuspecting citizens. However, since the advent of computing, social engineering has taken a digital pathway. Today, social engineering is carried out using any digital method available, including email, text messages, social media, mobile device apps, and Generative AI.

Social engineering is often part of a complex cyberattack chain that may include phishing, vulnerability exploitation, and malware infections. This "kill chain" uses the human target to perform actions that benefit the cybercriminal, like transferring company funds to a hacker's bank account.

Social engineering as a cybercrime tactic is popular amongst cybercriminals. According to a 2025 World Economic Forum report, 42% of organizations suffered from a successful social engineering attack. The report expects this to increase with AI-assisted social engineering. The report's authors describe AI as the next big security challenge, stating that "Generative AI is augmenting cybercriminal capabilities, contributing to an uptick in social engineering attacks". The report also notes that "GenAI tools are lowering the cost of the phishing and social engineering campaigns that give attackers access to organizations".

Socially engineered cyberattacks cost businesses large sums: The average cost of a social engineering attack is around $130,000.

Unfortunately, small to medium-sized businesses (SMBs) are at greater risk of social engineering attacks.

[Chart: Average number of social engineering attacks per mailbox. Source: Barracuda]

Why are Small Businesses Susceptible to Social Engineering Attacks?

The reasons why an SMB is most susceptible to social engineering attacks are various, but the following are the most pressing:

  • Lack of robust defenses: An SMB is less likely to have the capital or bandwidth to invest in enterprise-grade cyber defenses. However, managed service providers (MSPs) can offer state-of-the-art cybersecurity solutions, including security awareness training, that are designed for an SMB budget.
  • No access to skilled personnel: An SMB may not have the cyber skills required to manage the volume of attacks experienced by smaller organizations. An MSP can step in to fill the cyber-skills gap.
  • Need to focus on core business: An SMB must focus on its core business to maintain a competitive advantage. With fewer staff to spare, cybersecurity is seen as less important than the main operational areas.
  • Cost barrier: Costs to implement enterprise-grade security measures can be off-putting for an SMB. However, an MSP can deliver security solutions at reduced cost because of bulk purchase power through partnerships with security vendors.

Steps To a Successful Social Engineering Attack

The typical steps taken by cybercriminals to execute a social engineering-based cyberattack are as follows:

Identify Target

Targeted attacks are becoming increasingly likely at an SMB. Generative AI is used to identify susceptible targets and help design effective social engineering attacks against a target.

Deception Delivery

Using the intelligence gathered during target identification, the cybercriminal creates a social engineering scam. This will use psychological techniques like exploiting trust or encouraging a fear of missing out to manipulate the target into performing a task that benefits the attacker.

Exploitation and Scam Execution

The attack is executed once the target performs the task. This could be entering login credentials or other data into a spoof website, unwittingly sending money to a hacker's bank account, or installing malware like ransomware.

Shutting the Door

Once the attacker has what they want, they will stop the attack and attempt to ensure that there is no way of tracing them.

Types of Social Engineering Attacks

Of the myriad of social engineering-initiated cyberattacks, the following are the most common:

Scams

A scam is an umbrella term covering various ruses involving social engineering. Examples include romance or tax scams. Scams rely on building trust with the target. This can take time as the scammer will focus on creating a relationship with the target. Once the scammer has the target's trust, they will carry out the scam, for example, asking for a payment.

Phishing (including smishing, vishing, and quishing)

Social engineering is most famous for being an integral part of phishing success. Phishing messages are delivered using several channels, including emails, SMS text messages (smishing), and telephone calls (vishing). Phishing attackers will utilize trust in the same ways as general scammers. For example, QR code phishing (quishing) places a QR code in a phishing message because people are used to scanning QR codes and trust that the link embedded in the code will take them to a legitimate website.

Social engineering within phishing messages uses other psychological tactics to manipulate behavior, encouraging the target to click a malicious link or download an infected attachment. Tactics include exploiting a Fear of Missing Out (FOMO), wanting to do a good job, urgency and concern, and free offers. SMBs are 350% more likely to suffer from social engineering attacks.

Spear-Phishing and Whaling

The more targeted form of phishing is known as spear-phishing. Cybercriminals use intelligence-gathering methods (including generative AI) to identify targets in a company. For example, they may wish to target a system administrator to steal highly privileged login credentials or someone in accounts payable, as part of a financial scam.

Whaling attacks tend to target C-level executives. Targeted attacks are much harder to identify as rogue as they are highly personalized using the intelligence on the target.

Business Email Compromise (BEC)

Business Email Compromise has become an increasingly common form of social engineering-assisted cyber-scam. The FBI recorded $2.9 billion in financial costs to businesses from BEC scams, with the average cost to a business being $137,132.

BEC scams are heavily reliant on the manipulation of trust. The scammers will carefully set up a scenario where a person responsible for handling payments believes they are dealing with the company's CEO or CFO. This will involve either compromising the C-Level email account or creating a highly believable spoof that involves the C-Level email or other communication methods. In one example, the BEC attack involved an AI-generated voice that spoofed the CEO. The BEC attackers then contact the employee(s) handling payments, pretending to be the C-Level executive, and urgently requesting that a payment be made to a specific account (the attacker's account).

Impersonation Attacks

Posing as a trusted entity, like a partner company or C-Level executive, is part of the broad remit of an impersonation attack. Like BEC, impersonation attacks socially engineer targets using trust, FOMO, urgency, and other behavioral manipulations. An FTC 2024 report, "Impersonation scams: not what they used to be", states that half of all fraud involves impersonation attacks. Email impersonation works. A 2024 report from Egress found that almost all (94%) of organizations experienced security incidents involving impersonation attacks.

Pretexting and Tailgating

Pretexting and tailgating use more traditional low-tech tactics to manipulate employees. Typically, the scammers will pretend to be a person in authority (e.g., a tax office supervisor) or a new co-worker. Trust is, again, the main driver of behavior manipulation. The chosen target is approached or contacted by the attacker using digital methods or in person. Again, the attacker may take time to build a rapport with the targeted employee. Once a relationship is established, the scammer will attempt to manipulate the individual into handing over information, such as personal data or financial details.

Tailgaters manipulate employees to find ways to enter a building or restricted area. Once inside, they can use legitimate tools used by security professionals to steal data, including login credentials.

What Does a Social Engineering Attack Cost an SMB?

Cybercriminals use social engineering to initiate attacks by exploiting human behavior. However, the results of an attack are classic incidents, including data theft, ransomware infection, and damage to IT systems. The costs of these include the following:

  • Overall incident cost: The overall cost of a cybersecurity incident at an SMB is an average of US$1.6 million.
  • Downtime: The cost of a single hour of downtime ranges from $1,000 to over $100,000, depending on the severity of the attack and the size of the SMB.
  • Non-compliance fines: Fine amounts vary depending on the breach's severity, the company's size, and the regulation. As an example, GDPR fines can be up to €20 million or 4% of annual revenue, whichever is greater.
  • Lost business: It is difficult to put a price on lost business, but cyberattacks severely impact customer trust. Research shows a third of SMBs lost customers after a data breach.

Examples of Social Engineering Attacks

Lexington City (BEC scam)

Employees received an email claiming to be from the "Community Action Council". The email requested that the council update its bank account details. This new account was the hacker's. In total, employees of Lexington City wired three bank transfers to this new account, totaling around $4 million.

United States Department of Labor (DoL)

The DoL suffered an email spoofing attack, in which the DoL domain was spoofed and Microsoft 365 login credentials were stolen. The attackers combined social engineering with phishing: the emails appeared to come from a senior DoL employee. The phishing email encouraged the employee to submit a bid for a government project by clicking a link. This malicious link took the employee to a spoof M365 website. Once on the spoof site, employees were encouraged to enter their login credentials, which were then sent to the attacker.

Help Desk Social Engineering

Microsoft has seen an increase in social engineering attacks based on emails or SMS text messages that appear to come from Microsoft Support. The messages use the Microsoft brand to engender trust and then apply pressure in the form of something urgent, such as a possible compromise of an M365 account. SMBs are often targeted by this type of social engineering phishing scam, with cybercriminals attempting to steal corporate login credentials to Microsoft apps, allowing them to steal sensitive data and financial details.

How Can an Organization Protect its Employees Against Social Engineering Attacks?

Security Awareness Training

A Microsoft Digital Defense Report on social engineering states this:

"Regardless of the technique, social engineering remains a constant threat that ultimately cannot be fully mitigated via technology".

Social engineering is an insidious tactic because it exploits human behavior. Cybercriminals' manipulative tactics can often be hard to identify unless you know what you are looking for. This is why security awareness training is so necessary. Security awareness training packages are typically behavior-based and optimized for training individuals or teams. Employees receive engaging content like videos and quizzes to help them identify social engineering attacks.

Phishing Simulations

Many security awareness training packages include simulated phishing exercises. These platforms are configured to send employees realistic-looking but fake phishing messages. The platform will record how the employee interacts with the fake emails and deliver in-context training to educate the employee on what would have happened if this had been a real phishing message. The training teaches employees the subtle social engineering aspects of phishing attacks so that they are more likely to act cautiously when presented with a suspect email or text message.

Business Processes

BEC attacks and other scams rely on manipulating business processes such as financial transactions. By putting checks and measures in place to ensure that these processes are more robust, a business can help mitigate social engineering. For example, if a request to change bank details is received, it should be cross-checked and verified with a line manager or other designated individual.

Robust Authentication

Social engineering attacks often result in stolen login credentials. The risk associated with these types of cyberattacks can be reduced by using extra protection such as multi-factor authentication (MFA), which requires additional credentials to be supplied when an employee requests access. However, it is worth noting that MFA alone is not enough to protect against social engineering and other types of cyberattacks.

Least Privilege Access Enforcement

Least privilege access is where an employee is granted access rights based on their role in the company. That is, they are only allowed to access a resource if it is needed for them to carry out their job. Least privilege access enforcement can be handled using Privileged Access Management (PAM) and Identity Governance and Administration (IGA) tools. These can be supplied from a vendor directly or via an MSP.

Email Protection

Email and spam filters should be part of a layered defense against socially engineered cyberattacks. Advanced anti-phishing and anti-spam tools include behavioral analytics and Natural Language Processing (NLP) technologies that help to identify sophisticated spear-phishing attacks.