
Three Ways Social Engineering Can Impact Your Business


Protecting sensitive data or critical systems is a top security priority for any organization. In the ever-evolving cyber landscape, employing the greatest and latest technical controls, whether it be the best firewalls, end-point security measures, or a Security Information and Event Management (SIEM)/Security Orchestration, Automation, and Response (SOAR) system, will not protect against the simplest cyber-attack — social engineering. That’s because all these controls do not consider the weakest link, the human factor.

“What is social engineering?” you might ask yourself. Social engineering is a type of cyber attack that uses deception to exploit human psychology and manipulate an individual into downloading and installing malware, divulging confidential information, or performing other actions that compromise the security posture of an organization and allow a malicious actor to gain access.

Types of social engineering.

Malicious actors employ several different techniques when conducting their social engineering attacks.

Phishing: In this type of attack the malicious actor sends mass emails pretending to be from a reliable and trusted source in the hopes that users will click on links or download attached files. The end objective is to either conduct credential harvesting or install malware on systems that enable the malicious actor to gain access to internal networks.

Spear Phishing: Malicious actors target specific departments within the organization, such as the finance department, HR department, or even the IT department, to gain access to the targeted company’s networks and/or data.

Whaling: This is a highly targeted phishing attack aimed at C-Suite individuals in the targeted organization, such as the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Financial Officer (CFO), Chief Marketing Officer (CMO), and/or Chief Executive Officer (CEO). These individuals usually have elevated account permissions, which makes them a very lucrative target for malicious actors.

Smishing: This attack has the same objective as a phishing attack but is done via text messaging on a cell phone.

Vishing: This attack is conducted over the phone with the objective of having an individual divulge sensitive information that a malicious actor can then use to conduct a cyber attack.

Quishing: This attack involves posting a QR code that links to a malicious site where the malicious actor conducts credential harvesting or downloads malware onto the victim’s system.

Techniques used in social engineering.

When a malicious actor is crafting and conducting their social engineering attack, they employ several methods to try to trick the individual into clicking links or downloading attachments.

Authority: Malicious actors will craft their social engineering attacks and make it appear that it came from someone in a position of authority leading the targeted individual to comply with what was requested of them. Malicious actors will attempt to seem like they are coming from a well-known brand, bank, government agency, or supervisor.

Urgency: This method looks to use short turnaround requests such as approaching deadlines in hopes the individual will not fully inspect the email and download an attachment or click on an embedded malicious link.

Social proof: This method looks to make the individual feel like they are missing out on something because other individuals have already clicked, downloaded, or bought it (e.g., “3,000 people have already downloaded this”). It exploits an individual’s need to belong to a social group or interact with other individuals.

Scarcity: This method looks to make the individual think there is a limited supply of something with the hopes they click on a link so they don’t miss out on something (i.e.: “There are only 150 left in stock, click now to get yours”).

Likeness/likeability: This method is usually done via vishing attacks where the malicious actors try to find common ground and shared interests to gain trust with the hope of gaining sensitive information.

Fear: This method uses threats or demands to intimidate an individual into conducting certain actions that will allow the malicious actor to gain access to internal networks or sensitive information.

How social engineering can impact businesses.

Now that we understand what social engineering is, you might be wondering how this could impact your business. Here are three ways that social engineering could have a significant impact on your business:

  1. Introduction of malware into your network: Social engineering attacks are the primary method that malicious actors use to inject malware into a targeted network. This malware serves several objectives the malicious actor might have. The first is to go unnoticed and exfiltrate data that is, in turn, sold on the dark web to fund further attacks. The second might be to conduct a ransomware attack, where they encrypt all data and demand payment for the decryption key.
  2. Compromise of usernames and passwords: Social engineering attacks also trick individuals into visiting malicious websites that replicate legitimate sites, such as Facebook, X (Twitter), and financial institutions, to trick the individual into entering their usernames and passwords for these sites. Most individuals tend to use the same passwords or a variation of passwords for different accounts as well as corporate/work accounts. Once malicious actors can steal individual passwords, they will use them to either log onto corporate sites and/or networks or use a brute force attack to gain access.
  3. Damage to business reputation: Businesses are only successful if their customers trust them and believe their personal information will be protected. If a company falls victim to a social engineering attack that allows malicious actors to gain access to and steal sensitive data, customers will look to shift their business to a competitor that has not been the victim of a cyber-attack.

Combatting social engineering.

There are several things that an organization can implement into their security posture to help mitigate and combat against social engineering attacks, including:

  • Cybersecurity awareness training: Probably the most important technique for fighting social engineering attacks is end-user training. Organizations should have a training program that informs end users of what a social engineering attack is, the many different forms it can take, and how to identify it. Additionally, organizations should have a process by which individuals can alert the IT security department of an attack, so that IT security personnel can check whether other users are being targeted by the same attack.
  • Protective DNS: Implementing a Protective DNS solution adds a layer of security for when end users do fall victim to a social engineering attack. A Protective DNS solution blocks users from reaching malicious sites when they click on embedded links. Additionally, it blocks malware that was installed by downloading a malicious file from communicating with its Command-and-Control (C2) server.
  • Two-Factor Authentication/Multifactor Authentication (2FA/MFA): Even if malicious actors can gain access to an individual’s username and password, implementing 2FA/MFA adds a second layer of security that can mitigate the username/password compromise.
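The following is an added example, not code from Vercara or from the original post, showing how the two controls above work together in practice: a toy protective-DNS policy that matches query names (and any subdomain of them) against a blocklist and answers with a sinkhole address, plus a pass over resolver logs that reports which clients tried to reach each blocked domain, which is what lets IT security see whether other users are under the same attack. The blocklist entries, the sinkhole address, the log format, and the client addresses are all constructed for illustration and are not real indicators.

```python
"""Toy protective-DNS policy and a review of constructed resolver logs (added example)."""
from collections import defaultdict

# Constructed blocklist for illustration only; a real deployment would feed this
# from threat intelligence rather than a hard-coded set.
BLOCKLIST = {
    "login-portal-verify.example",   # lookalike credential-harvesting site
    "cdn-update.example",            # host used to deliver malware / act as C2
}

# Assumed sinkhole answer returned for blocked names instead of the real record.
SINKHOLE_IP = "0.0.0.0"


def parent_chain(name):
    """Normalise a query name and return it plus each parent domain, most specific first.

    'beacon.cdn-update.example.' -> ['beacon.cdn-update.example', 'cdn-update.example']
    The bare top-level label is never returned, so a blocklist entry can only
    match a registered name or a subdomain of it, never every name under a TLD.
    """
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def policy(query_name):
    """Return ('block', matched_entry, SINKHOLE_IP) or ('allow', None, None)."""
    for candidate in parent_chain(query_name):
        if candidate in BLOCKLIST:
            return ("block", candidate, SINKHOLE_IP)
    return ("allow", None, None)


# Constructed resolver log: timestamp, client address, query name, record type.
RESOLVER_LOG = """\
2024-03-19T09:01:02Z 10.0.4.17 login-portal-verify.example A
2024-03-19T09:01:05Z 10.0.4.17 mail.example.org A
2024-03-19T09:02:10Z 10.0.4.23 LOGIN-PORTAL-VERIFY.example. A
2024-03-19T09:03:44Z 10.0.5.9 beacon.cdn-update.example A
2024-03-19T09:04:00Z 10.0.5.9 beacon.cdn-update.example A
2024-03-19T09:05:31Z 10.0.4.40 intranet.example.org A
"""


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        yield ts, client, qname, qtype


def review_log(text):
    """Map each matched blocklist entry to the sorted list of clients that queried it."""
    hits = defaultdict(set)
    for _ts, client, qname, _qtype in parse_log(text):
        verdict, entry, _answer = policy(qname)
        if verdict == "block":
            hits[entry].add(client)
    return {entry: sorted(clients) for entry, clients in hits.items()}


def shared_campaign_indicators(text, min_clients=2):
    """Blocked domains reached by at least `min_clients` distinct clients.

    Several clients resolving the same blocked name is the signal that a
    reported phishing message was not an isolated event and other users
    received it too.
    """
    return sorted(e for e, c in review_log(text).items() if len(c) >= min_clients)


if __name__ == "__main__":
    for entry, clients in review_log(RESOLVER_LOG).items():
        print(f"blocked {entry}: clients {', '.join(clients)}")
    print("likely shared campaign:", shared_campaign_indicators(RESOLVER_LOG))
```

Matching walks the parent chain label by label rather than testing a string suffix, so `notcdn-update.example` is not caught by the `cdn-update.example` entry, while `beacon.cdn-update.example` is; names are lower-cased and the trailing dot removed before the lookup so a malicious link cannot evade the check through capitalisation.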

Protecting your organization from cyber threats.

In conclusion, the persistent threat of social engineering is a critical vulnerability that organizations must address. Organizations should prioritize a comprehensive cybersecurity awareness training program that empowers their employees with the knowledge to recognize and report social engineering attacks. Alongside a well-developed cybersecurity awareness program, organizations should invest in protective DNS solutions that block employees from accessing the malicious sites embedded in social engineering attacks.

To learn more about how Vercara can help you better protect your organization against social engineering attacks, visit our UltraDDR page.

Last Updated: March 19, 2024
