By ProServeIT on May 01, 2019

Dominant Cyberthreats – Detect and Prevent Social Engineering Attacks


How do you spot suspicious actions that may be indicative of a social engineering attack? Further, how do you protect your organization from one of the most dominant cyberthreats out there?

This blog post will help you answer these questions. Read on to learn how to detect and prevent social engineering attacks, and to better understand how to defend your company from these dominant global cyberthreats.

What is a social engineering attack?

Hackers will exploit genuine security gaps within your network. Usually, the weakest link is your people. They target your end-users in order to create the foothold they need into your system. Social engineers use manipulation, influence or deception in order to get you or your employees to give out your personal information or do something that ultimately weakens system.

Hackers will exploit genuine security gaps within your network. Usually, the weakest link is your people. They target your end-users in order to create the foothold they need into your system.

  • “This is Dave from IT. I’ve just received a notice of a virus on one of your department’s machines.”
  • “Hi, I have an appointment with Maria at 3 o’clock? I’m the service technician from Microsoft.”
  • “Hold the door, please? I forgot my access card at home today.”

The above sentences are just a few examples of social engineering attacks. Social engineers play off your emotions, like your willingness to be helpful and hold the door for someone, or your fear of having a virus on your computer.

An organization of any size can have their layers of sophisticated computer security undone in a matter of seconds because a social engineer has tricked just one employee into revealing company information to them or allowing them onto your premises. And social engineers will go to great lengths to gain access to data they can exploit, for example:

  • Personal info: passwords, account numbers
  • Company info: phone lists, identity badges
  • Server info: servers, networks, non-public URLs

What is impact of a social engineering attack?

A social engineering attack is a dominant and ever-increasing threat to your organization’s security. Microsoft, through investing over $1 billion in cybersecurity research each year, has discovered the following three major points:

#1. Attackers are increasingly infecting computers by tricking people into doing it themselves

  • 99.7% of documents that were used in attachment-based campaigns relied on social engineering and macros.
  • 98% of URLs in malicious messages linked to hosted malware.

#2. On social media, phishing is 10 times more likely than malware

  • Phishing is the fastest growing social media threat, mainly due to the fact that creating fake social media accounts for known brands is so easy.
  • 40% of accounts that claim to be Fortune 100 companies on Facebook are unauthorized accounts.
  • 20% of Twitter accounts for Fortune 100 companies are unauthorized.

#3. Malicious Mobile Apps are a rising trend.

  • Email and social media aren’t the only ways that social engineers are targeting people.
  • More than 2 billion malicious mobile apps have been willingly downloaded.
  • There have been over 12,000 malicious mobile apps discovered in app stores alone.


3 most commonly used social engineering tactics

Social Engineering Attack Tactic #1 - Spear Phishing

Spear phishing, the single most common (and most effective) social engineering tactic, is when a hacker uses email to masquerade as someone that you know and trust, in a targeted email attack against you. It could come from someone pretending to be your CEO, for example, or your HR department. Someone that you wouldn’t normally question.

  • “Notice of pending layoff: Click here to register for severance pay.”
  • “Your T4 statement is attached.”

These are examples of subject lines that could be spear phishing attacks, but if they were to come from someone pretending to be your HR department, would you recognize them as the attacks that they are?

Hackers are getting more creative and can be far more convincing with emails, causing you to open them without realizing that they’ll infect your machine. To prepare yourself, here are a few tactics to watch out for:

#1. Using the News Against You

In the U.S. in 2016, there was a rise in the number of spam messages that were related to the presidential campaign. Hackers will use news headlines as social engineering lures, so you need to be on your guard even more.

#2. Abusing Faith in Social Networking Sites

Ever received a notice from a social media site that says “your account is undergoing routine maintenance. Please click to update your information.”? Consider this a huge red flag that you might be the target of a social engineer. Facebook, LinkedIn, Twitter – millions of people use these daily and have developed a certain amount of trust in the platform. Thus, when they receive an email that says something like this, they don’t think twice before clicking the link. That’s what a social engineer wants.


Social Engineering Attack Tactic #2 - Dumpster Diving

There’s a crime show episode where a murderer attempts to frame one of the detectives by going through his garbage. The murderer gathers a bite impression from a half-eaten apple, a sample of the detective’s blood from a Kleenex he used to staunch a nosebleed, and the detective’s saliva and fingerprints from a soda can. In this case, everything the detective threw away was used to frame him for a crime he didn’t commit.

The same principle can apply in this case – dumpster diving is when a hacker digs through the trash that an unsuspecting employee has thrown away and retrieves valuable information, like:

  • Junk mail: this can contain personal identification information (watch out for throwing away those credit card offers!).
  • Company Phone Lists/Org Charts: these offer the phone numbers and locations of various employees, which can make it much easier for the hacker to impersonate management-level team members and get the information they need.
  • Corporate Letterhead: these can be replicated by the hacker to fake official-looking correspondence.

Does your organization throw away, donate or sell any of your old computers? Hackers will also buy refurbished computers so that they can pull confidential information from the hard drives. Since hard drives are never fully erased (even when people believe they have deleted the information), it’s still possible for hackers to get the information they want from the discarded drives.


Social Engineering Attack Tactic #3 - 10° OF Separation

Social engineers have extraordinary patience. They’re clever and methodical. They won’t just go right after the CEO of a company, but will instead build a rapport with more accessible people in the organization, such as a guard at the gate, or an administrative assistant. They use this rapport to gather information about their ultimate target, who could be up to ten steps higher on the corporate ladder.

The hacker will begin by gathering any personal information they can about team members, and will use other “social cues” to build trust, or even masquerade as an employee of the company.

The strategies used by these social engineers are insidious, yet they’re also incredibly simple. Here are some things to be aware of:

  • Learning Industry Shorthand: hackers will study your industry’s jargon and acronyms so that they can build your trust faster by speaking a language you recognize.
  • Copying Your ‘hold’ Music: when the hacker calls you and is put on hold, they’ll record your ‘hold’ music. Then, when the hacker calls a potential victim, they’ll find a way to play the hold music. This tricks the victim into thinking the hacker is from your organization, and the music acts as a psychological cue that makes the victim think the hacker is trustworthy.
  • Spoofing Your Phone Number: hackers can make their number appear as though they’re calling from a phone number within your organization. That number shows up on the victim’s caller ID and makes it look as though the hacker is calling from an internal line from your organization. This makes the victim more likely to offer confidential information to the hacker, such as sharing a password over the phone.


How do I protect my organization from a social engineering attack?

As this post has shown, there is real potential for disaster when it comes to social engineering, and this is a reality that must be faced by all organizations today. But what can organizations like yours do to be proactive and protect your vulnerable employees?

We’ve provided a list of changes you can make and policies that you can implement that will help your organization stave off attack. However, in order for any of this to be effective, you need to remember that education is absolutely crucial. New employee training, regular threat assessments, updates to your policies, and company-wide reviews will all help to mitigate your risks.

#1. Clearly Articulate an Easy to Understand Policy that Includes:

  • Password Management:
    • Be sure you have rigorous standards for secure passwords.
    • Insist on password expiration, and ensure that employees change passwords regularly.
    • Ensure remote access authorization and accountability is enabled within your organization.
  • Two-Factor Authentication:
    • Rather than fixed passwords, use two-factor authentication when authenticating high-risk network services like VPNs.
  • Antivirus/Anti-phishing Defenses:
    • Be sure that you have the latest antivirus defenses in place. Although they’re not going to fully solve the problem, they’re a good start, and an extra layer of protection.
  • Change Management:
    • Have a familiar, well-documented change management process. This keeps employees from reacting off the cuff, and makes them less vulnerable to an attack that relies on a false sense of urgency.
  • Information Classification:
    • Make sure that your confidential information is clearly labeled and handled as such.
  • Document Destruction:
    • Don’t throw confidential information into the trash or recycling – make sure it’s shredded.  Be sure that any junk mail received doesn’t have confidential information on it/in it before you recycle it.
  • Physical Security:
    • Have controls like electronic security devices, visitor logs, requirements for escorting people on premises, and background checks, and ensure your security policy is comprehensive.

#2. Build a Security-Aware Culture

  • Awareness of Threats/Risky Behaviours:
    • Education is key. Make sure your employees understand the real-world damage that is caused by social engineers, and use examples from other companies to drive the message home.
  • Threat Recognition & Smart Decision-Making:
    • Social engineering attacks change so frequently, so foster a sensitivity to risk within your corporate culture, and be sure to give your employees the appropriate tools for addressing and reporting the threats they witness.
  • Embedded Security Awareness:
    • The “See Something/Say Something” anti-terrorism campaign is a great example of incorporating embedded security awareness into team members’ minds.  You need to build a culture where your employees feel safe and comfortable to report suspicious activity that they notice.


Let us help you protect your organization from a social engineering attack

Now it’s not a matter of if you have a security incident, but when. Our team of experts have worked with many organizations to help them implement an information security strategy. Contact us today or email us. We will be happy to run a complimentary cloud security assessment for you and discuss how you can improve your organization’s security policy.

This blog content is from an eBook “Protect your weakest security link – end users.” Download the eBook.

Published by ProServeIT May 1, 2019