Threat Vector: Social Engineering
Help your users help you protect data.
Social engineering is one of the most prevalent ways a malicious actor gains access to your data, because it is far easier to trick a person than to defeat a well-configured technical control. Phishing is consistently reported as one of the most common initial access vectors in security incidents. It only takes one user acting on a message they believe is real to cause a breach in your organization.
In this post we will discuss common categories of social engineering attacks and how they trick users into taking an action that benefits the attacker. We will also discuss mitigations that reduce the chances of a user falling for a social engineering attempt.
Methods of Social Engineering
There are many avenues that malicious actors can use for social engineering. Some organizations focus only on the main avenue, email, but there are many others that could be used to reach your users. The following is a list of examples:
- Text/Instant Message
- Phone calls and voicemail
- Fake Web Pages
- Social Media
- Physical Mail
- Legacy communication methods like fax
The mitigation for the different social engineering avenues is to remind users that an attempt can arrive through any communication method they use. Instead of centering user training on the most common method, make it clear that malicious actors will use whichever channel works.
Impersonating IT Staff
Even if a user is aware of all the ways someone attempting social engineering could contact them, they still need a way to tell which communications are real. One of the most commonly impersonated roles is an IT person claiming to help with a problem in the user's account or device. The false identity is used to obtain a password or one-time MFA code, or to get the user to click a malicious link.
This role impersonation can be mitigated by having users follow a set procedure when interacting with IT staff and third-party technical support. For example, an organization may require that an open ticket exists in the company ticketing system before a user follows the directions of an IT person they are in contact with. Where the user did not initiate the contact, the safest check is to end the conversation and call back through the published help-desk number rather than any number or link supplied in the message.
Impersonating Upper Management
Pretending to be a high-ranking manager or executive is another way users can be tricked into taking a potentially malicious action. Their livelihood and chances at advancement depend on how management views them, which is why some employees would not hesitate to follow the orders of someone claiming to be management.
The mitigation for this impersonation is to have clearly defined company communication channels and standards, so that employees can tell whether a message from someone claiming to be management is real. Users can also be taught basic identification techniques, such as recognizing legitimate internal accounts and the domains they could be sent from, and verifying any urgent or unusual request (payments, gift cards, credential or data hand-overs) through a second channel before acting on it.
Impersonating a Government Official
Pretending to be someone from an important government organization is a quick way to trick a user into doing what the malicious actor wants. Many users are unsure what government agencies actually do and would be intimidated by a message that functionally commands them to do something arriving in one of their communication channels.
The mitigation for this impersonation is training that helps users identify what a legitimate government communication looks like. Useful features include correct spelling, a genuine government domain (".gov" in the United States; other countries use their own suffixes such as gov.uk), and independently looking up the agency's name, function and published contact details rather than using those in the message. Users who check these will significantly reduce their chances of acting on a forged message.
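The two impersonation sections above both come down to the same check: does the sending domain really belong to the organization or agency the message claims to be from? The following is an added Python example written for this post, not code from the original article. It encodes those checks as a small triage script a help desk or mail-gateway rule could run on a From: header. The trusted-domain list, the accepted government suffixes, the homoglyph table and every sample header are constructed for the example; the classification is a heuristic and does not replace SPF, DKIM and DMARC evaluation on the receiving mail server.

```python
import difflib
import re
import unicodedata
from email.utils import parseaddr

# Constructed sample: the organization's own sending domains (assumption).
TRUSTED_DOMAINS = {"example.com", "corp.example.com"}

# Government suffixes accepted as genuine. ".gov" is reserved for US
# government bodies; other countries use their own (gov.uk shown here).
GOV_SUFFIXES = ("gov", "gov.uk")

# Substitutions used in typosquatted domains, folded away before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(domain):
    """Normalize a domain for comparison: NFKC (catches Unicode look-alikes
    that fold to ASCII), lower case, then the ASCII substitutions above."""
    d = unicodedata.normalize("NFKC", domain).lower().strip(".")
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def sender_domain(from_header):
    """Split a From: header into (display name, domain), both lower-cased.
    The domain is '' when there is no address part or it has no '@'."""
    name, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return name.lower(), (domain.lower().strip(".") if at else "")


def is_gov_domain(domain):
    """True only when the domain ends in an accepted government suffix.
    'irs-gov.com' or 'gov.example.net' do not qualify, however official they look."""
    labels = domain.split(".")
    if not all(labels):
        return False
    return any(labels[-len(s.split(".")):] == s.split(".") for s in GOV_SUFFIXES)


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify a From: header for triage. Returns one of: internal,
    subdomain-of-trusted, lookalike, display-name-spoof, government,
    gov-lookalike, external, malformed."""
    name, domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    if domain in trusted:
        return "internal"
    if any(domain.endswith("." + t) for t in trusted):
        # e.g. mail.example.com: plausibly ours but not on the list; verify.
        return "subdomain-of-trusted"

    folded = fold(domain)
    for t in trusted:
        ft = fold(t)
        # Trusted name embedded in a longer domain (example.com.evil.net,
        # example-com-login.net) or a near miss such as exarnple.com.
        if ft in folded or difflib.SequenceMatcher(None, ft, folded).ratio() >= 0.85:
            return "lookalike"

    # Display name claims to be us ("Example IT Helpdesk", "ceo@example.com")
    # while the real address points somewhere else.
    org_tokens = {t.split(".")[-2] for t in trusted if "." in t}
    if org_tokens & set(re.findall(r"[a-z0-9]+", name)):
        return "display-name-spoof"

    if is_gov_domain(domain):
        return "government"
    if any(re.search(r"(^|-)gov($|-)", label) for label in domain.split(".")):
        # "gov" appears as a label or hyphenated piece, but not as the suffix.
        return "gov-lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers covering each verdict.
    samples = [
        "IT Helpdesk <support@corp.example.com>",
        "Alice <alice@mail.example.com>",
        "IT Helpdesk <support@example.com.evil.net>",
        "CEO Jane Doe <jane.doe@exarnple.com>",
        '"ceo@example.com" <attacker@gmail.com>',
        "IRS Collections <notice@irs-gov.com>",
        "IRS <noreply@irs.gov>",
        "Acme Billing <billing@acme-billing.net>",
    ]
    for header in samples:
        print(f"{classify_sender(header):22} {header}")
```

A "subdomain-of-trusted" or "external" verdict is not a clean bill of health; it only means the domain is not obviously forged, and the user-side checks above (was the contact expected, is there a ticket, does the request involve credentials or money) still apply. The 0.85 similarity threshold trades some false positives on genuinely similar vendor names for catching one-character typosquats, which is the right trade for a triage queue but too noisy for automatic blocking.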
Impersonating a Trusted Third Party
This is one of the trickiest types of impersonation because larger organizations may have thousands of third parties they interact with and no way of training their users to identify all of them. A clever social engineer can find many opportunities to trick users in an organization just by researching who they work with.
One mitigation is to have business process owners help create department-specific security training. The person drafting the training content can leave a fill-in-the-blank section for the business process owner to describe what legitimate communications from a third party they work with look like, and how to confirm that a message really came from that third party.
Making User Training Engaging
Keeping users engaged during security training is a challenge, so much so that some organizations carry "users ignoring security training" as a line item in their risk register. Users may not be paying attention during security training for a variety of reasons, and it is important for security admins to understand why.
The mitigation for this risk is to update security training content so that it is relatable and engaging for users in the organization. Security admins can start with conventional methods for keeping training engaging: using visuals, relating content to the audience, and having the audience interact with the presentation. The content can be refined further by collecting input from the audience so that it improves for the next session.
We will continue to share best practices and lessons learned in future posts in the threat vector series. Effective training and awareness will help keep the data in your organization protected.
In closing, consider these three questions when preparing for social engineering in your organization:
- Do our users understand the avenues that social engineering can be delivered through?
- Is there a way we could make it easier for users to tell the real identity of someone that is contacting them?
- Do we have engaging and effective content to make sure that our end users are paying attention during user training?