How to avoid and prevent social engineering attacks

Organizations and employees must both do their part to prevent and avoid social engineering attacks. A combination of security controls, policies, procedures and training is necessary.

Social engineering attacks continue to plague organizations of all kinds. Malicious hackers use these attacks to target one of the weakest elements of an information system: users. Social engineering attacks take many forms but have the same goal: to tempt users into performing activities they might otherwise never do.

The rapid growth of AI and machine learning (ML) has only added to the list of potential threat vectors. In fact, a report from security vendor Vipre Security Group found that 40% of the business email compromise (BEC) scams it investigated in the second quarter of 2024 were created using generative AI.

Let's look at social engineering and examine best practices organizations and their employees can implement to prevent and avoid these attacks.

What is social engineering?

Social engineering is an attack vector that relies on human weakness. An attack has a simple goal: to enable the attacker to bypass security; gain unauthorized access to systems, data or physical locations; and commit a variety of criminal activities.

Social engineering attacks range from amateur to highly sophisticated. They could be as simple as a nonpersonalized email asking a user to click a link to learn more about a package from Amazon or USPS that couldn't be delivered. Or they might be as sophisticated as a highly targeted BEC or spear phishing campaign in which attackers spent months gathering data and details to impersonate an organization's CEO and then used that impersonation to email specific individuals with a request to transfer funds into a bank account the attacker controls -- presented as belonging to a third-party partner, for example.

Attackers employ a wide variety of social engineering tactics to fool, convince, motivate and manipulate people into ignoring formal security practices and common sense.

The following are common types of social engineering attacks:

  • Phishing. In phishing attacks, malicious actors use fraudulent emails or websites disguised to look like reputable organizations to persuade users into sharing personally identifiable information (PII), clicking malicious links, visiting malicious websites or downloading malicious files.
  • Smishing. A form of phishing, smishing -- also known as SMS phishing -- involves cybercriminals performing social engineering scams over text messages.
  • Vishing. A form of phishing, vishing -- also known as voice phishing -- involves malicious actors spoofing calls to fool users into sharing login credentials or other sensitive information over the phone. Attackers often use urgency to trick victims into providing information immediately.
  • Spear phishing. A more targeted phishing attack, spear phishing involves malicious actors singling out a user or group of users to trick them into providing sensitive data or performing an action. Spear phishing attacks are generally not random attacks, but well-researched scams.
  • BEC. In a BEC attack, threat actors target specific employees, usually by purporting to be their superior. For example, a classic BEC scam involves an attacker sending a spear phishing email claiming to be a C-suite executive and asking an employee with the necessary access to take an action that defrauds the company, such as sending money or sharing sensitive corporate information.
  • Baiting. This type of attack involves malicious actors luring victims into accepting an appealing offer in exchange for something the attackers want. For example, attackers might leave a USB drive loaded with malware in hopes an employee plugs it into their computer out of curiosity or tempt users into clicking a malicious link that promises to give them a free gift card.
  • Pretexting. With pretexting, threat actors create a situation to gain their victim's trust, which leads them to fall for a future scam. For example, pretexting might involve an attacker impersonating a colleague or third-party partner and creating a trusted relationship so the victim later reveals PII or other valuable information during the actual social engineering attack.
  • Quid pro quo. Its literal translation is "something for something," and in social engineering, quid pro quo has the same effect but involves services rather than goods. For example, a quid pro quo social engineering scam might involve threat actors providing a service or benefit in return for PII, confidential company data or user credentials.
  • Watering hole. Watering hole attacks involve malicious actors targeting vulnerabilities in websites commonly used by their victims. Attackers compromise the commonly visited site with malicious JavaScript or HTML code to infect their target victims and access their network.
  • Tailgating. This type of physical social engineering attack involves attackers following closely behind someone who is using an access card to enter a secure area. For example, the person with security clearance might hold the door open for the next person, believing they also have an access card.
  • Dumpster diving. This social engineering technique involves attackers searching trash bins or dumpsters for valuable information, such as account data or access codes.

How to avoid social engineering attacks: Best practices for users

It is vital to teach employees how to spot and avoid potential social engineering scams. Security teams should incorporate the following tips into their organization's regularly scheduled security awareness trainings:

  • Be suspicious of unsolicited emails, phone calls and text messages, especially if they request PII or actions such as sending or receiving money or sharing personal or company data.
  • Enable MFA on email and other important accounts, wherever possible.
  • Make sure URLs start with HTTPS before providing PII or other sensitive information over a website, and bear in mind that HTTPS only means the connection is encrypted, not that the site is legitimate; phishing sites use it, too.
  • Never reply to, click links within or download file attachments in emails from unfamiliar senders.
  • If an email from a legitimate sender seems suspicious, check with the sender separately rather than responding to the email in question.
  • Be on the lookout for misspellings, grammatical errors and other warning signs of phishing emails.
  • Do not be pressured into performing an action or providing PII from any phone call or email that creates a sense of urgency to respond.
  • Follow password hygiene best practices, such as creating strong passwords, not reusing passwords and never sharing passwords.
  • Use a spam filter that detects and blocks suspicious emails.
  • Use antimalware and antivirus.
  • Lock computers when stepping away from workstations for any period of time.
  • Never enable tailgating. Require others to use their own badge to gain entry to buildings.
  • Shred any printed work documents before disposing of them.
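As an added example (not code from the article), the following Python checks a message against the red flags described above and in the BEC description: an executive's display name on an outside address, a lookalike sender domain, a diverted Reply-To, urgency wording and a request to move money. The executive directory, company domain and email are constructed sample data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXECUTIVES = {"dana lee": "dana.lee@example.com"}  # constructed sample directory
INTERNAL_DOMAIN = "example.com"
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|end of day)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|gift cards?|invoice|bank account|payment)\b", re.I)

def edit_distance(a: str, b: str) -> int:  # Levenshtein distance, spots lookalike domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message: str) -> list:
    """Return the BEC red flags present in one RFC 822 message (plain-text body assumed)."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rsplit("@", 1)[-1]
    # Display name of a known executive, but the address is not that executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("executive display-name impersonation")
    # External domain within two edits of the company domain is a lookalike.
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike sender domain")
    # A Reply-To that differs from From diverts the conversation to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to mismatch")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(body):
        findings.append("urgency language")
    if FINANCIAL.search(body):
        findings.append("money or payment request")
    return findings

# Constructed sample: the CEO-impersonation wire request the article describes.
SUSPICIOUS = """\
From: Dana Lee <dana.lee@exarnple.com>
Reply-To: dana.lee@mail-partner.example.net

Please process this wire transfer to our new partner's bank account immediately.
"""
```

Running `bec_indicators(SUSPICIOUS)` flags all five indicators; a genuine internal message from the same executive with no Reply-To and no payment wording returns an empty list.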

How to prevent social engineering attacks: Best practices for organizations

For cyber-related enterprise social engineering attacks, follow these prevention best practices:

  • Understand the different types of attacks and attack vectors that occur with social engineering.
  • Carefully examine existing cybersecurity controls to identify points of failure.
  • Regularly patch servers, networks, applications and endpoint devices.
  • Replace existing security apps with more powerful ones if needed.
  • Regularly review security logs to identify suspicious activity.
  • Regularly review and patch firewall and intrusion detection system (IDS) and intrusion prevention system (IPS) rules.
  • Perform regular penetration testing that includes social engineering vectors to identify employees who might need additional security training.
  • Routinely scan email and website gateways for suspicious code. Isolate and eliminate any found, and report such instances to management.
  • Regularly test cybersecurity systems and associated incident response procedures.

For physical social engineering attacks, do the following:

  • Routinely examine building access arrangements to ensure they minimize unauthorized access.
  • Review building-wide physical security access with a landlord or property manager.
  • Verify closed-circuit TV cameras remain operational and recordings are stored in a secure location.
  • Keep and verify records of employees and consultants who access the office or data centers.
  • Discuss security employee schedules and related activities with the landlord and security guard company.
  • Regularly conduct physical pen tests, and review associated incident response procedures.

It is also important to address both cyber and physical social engineering attacks in enterprise security policies. For cyber social engineering prevention, include the following in a security policy:

  • Require frequent training to keep employees aware of the latest phishing and BEC attack trends.
  • Require all devices that access company data to have a lock screen and use MFA.
  • Implement password hygiene best practices and accompanying password policy.
  • Secure company- and employee-owned devices using mobile device management or application management.
  • Perform regular data backups to reduce downtime if a device is lost or stolen.
  • Implement encryption for data in motion, at rest and in use.

For physical social engineering prevention, include the following in a security policy:

  • Require users to lock computers or laptops whenever away from their workstations.
  • Establish a clean desk policy that requires employees to clear their workspaces when they leave for the day and lock any sensitive material within their desks.
  • Have someone walk around the office to look for and report any unoccupied workstations with unlocked endpoints.
  • Require employees to use key cards to access offices or data centers. Teach employees to not enable tailgaters.

The impact of AI and ML on social engineering

AI and ML raise the bar on how threat actors can successfully strike targets. Using AI enables threat actors to create content quickly and tailor it specifically for a variety of attacks. For example, AI-generated emails can include data from a variety of online resources, which can result in more convincing messaging than human-generated communication. Attackers can also train AI-enabled malware to recognize specific security characteristics and patterns and adapt its behavior to bypass security controls.

The emergence of AI means security professionals must prepare themselves to respond to these more sophisticated attacks.

In addition to using security systems with embedded AI capabilities, consider setting a thief to catch a thief. In other words, train enterprise AI and ML systems to identify, capture, analyze and quarantine suspicious code, emails, websites and any other information with questionable origins. This goes beyond the rules typically embedded within cybersecurity and ransomware software systems, firewalls, IDSes and IPSes. Cybersecurity and ransomware apps increasingly incorporate AI and ML technology, so work closely with vendors to learn how to maximize those capabilities.

Just as traditional cybersecurity management is a cat-and-mouse game between security teams and attackers, regularly review AI and ML resources, and retrain them based on evidence from prior attacks. The goal is to use trained AI-based security to identify suspicious AI-generated code to keep ahead of social engineering attacks.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.