Social engineering is one of the most prevalent forms of cyberattacks today. With most of our lives now taking place online, the risk of social engineering attacks increases every day: in 2024 so far, more than 80% of all cyberattacks in the UK were phishing attacks, followed by impersonation (pretexting). In comparison, just around 14% of the cyberattacks and breaches were caused by malware.
Social engineering attacks can have devastating consequences, ranging from stolen money to stolen identity or serious security breaches with millions of leaked data points and compromised systems. It is crucial to be able to recognize when you’re under a social engineering attack and to know how to respond effectively to prevent serious damage.
In this article, you’ll find detailed explanations of what social engineering is and how it works, and suggestions on how to avoid social engineering attacks both on an individual and organizational level.
Understanding social engineering
Broadly speaking, social engineering is a way to influence attitudes and behaviors. It involves various social skills and techniques used to talk someone into revealing information or performing certain actions. However, in different contexts, social engineering may mean different things. Here, I’m talking about social engineering in the context of information security.
What is social engineering?
In the context of information security, social engineering is first and foremost a psychological manipulation tactic. Usually, someone may use social engineering attacks to either:
- get information on and/or access to IT systems with a further attack goal in mind. For example, someone may pretend to be a customer support agent via a phone or video call to get the target to hand over control of their device to infect it with malware. These attacks can happen both in-person and online.
- use technologies in combination with manipulation techniques to achieve other goals, such as phishing via email or SMS messages to obtain banking details, social security numbers, and other information to steal money and identities. These attacks are usually carried out online, not in person.
Types of social engineering attacks
There are many types of social engineering attacks, some more prevalent than others.
Phishing
Phishing involves both social engineering and deception to lure unsuspecting victims into revealing sensitive information such as bank details, credentials, and others. The most common phishing attacks take the shape of spam emails, messages, or websites that appear to come from legitimate sources. For example, a message may look like it comes from a bank, a social media site, or a delivery service. The messages usually appear urgent but are quite generic at the same time.
There are levels to phishing attacks: some can be more elaborate and sophisticated. For example, in a personalized phishing attack called spear phishing, an attacker may impersonate a specific person you might know or use other publicly available information about the victim to make an attack more personal. Spear phishing tends to be more difficult to identify and has a much higher success rate than regular phishing attacks.
Pretexting
This social engineering technique involves using a made-up scenario – a pretext – to gain the trust of the victim and lure them into revealing information. Pretexting usually involves research on the attacker’s part. For example, they might use your personal information for impersonation, or offer to provide credentials proving the legitimacy of their pretext. An example of such an attack may be someone posing as a customer support agent or a bank employee to get you to reveal personal information or give access to devices and security systems.
Scareware
Scareware is a type of attack that uses false threats, alarms, or offers that ask you to take urgent action. For example, you might get a pop-up saying your device has been infected with malware, and a button prompting you to install antivirus software, which will often be infected with actual malware.
Baiting
Baiting attacks, as the name suggests, involve the use of baits to pique the victim’s curiosity. In the physical world, such baits may typically be malware-infected USB flash drives left in visible areas and similar gadgets that could infect devices with malware. Online, baiting takes the form of exciting advertisements that lead to malicious websites or encourage users to install malware-infected applications.
Quid pro quo
Quid pro quo means “something for something” in Latin, and as the name suggests, these attacks are usually carried out by people offering compensation in exchange for information. Someone might pretend to be a researcher asking you to participate in a survey in exchange for money.
Water holing
Water-holing attacks rely on the trust that users have in websites that they regularly visit. An attacker may observe which websites an organization or an individual visits most often, and infect them with malware or malicious links. Once a victim clicks on a link or otherwise engages with the infected site, their device is infected and the attacker gains access to the whole company system. This social engineering strategy has been used to get into systems that were considered very secure.
Why is social engineering effective?
The success of social engineering lies in the fact that humans are error-prone creatures and therefore fall for manipulative tactics. According to a social engineering attacks survey from 2019, “Social-based attacks are performed through relationships with the victims to play on their psychology and emotion. [They] are the most dangerous and successful [as] they involve human interactions.” These attacks rely on the human factor rather than the technical vulnerabilities of systems. It is easier to exploit human weaknesses such as trust, a sense of safety, and the tendency to help others or seek the most convenient path.
Humans tend to make more mistakes when they are distracted, feel pressured, rushed, or sympathetic. That’s why attacks that call for urgent action (such as flashing warnings about an infected device) or ask for sympathy (like fake fundraisers or someone you may know asking for help) tend to have high success rates.
Additionally, social engineering attacks are harder to detect and prevent. They don’t leave technical traces, and most prevention methods rely on continuous training. Lack of technical or general knowledge is another issue: someone unfamiliar with malware or phishing will fall for an attack more easily. Training someone to recognize and resist social engineering attacks is more challenging than implementing technical security measures.
How to prevent social engineering attacks
Preventing social engineering attacks is often rather difficult and technical solutions are not always the answer. Successful prevention relies almost solely on training individuals to recognize the signs of a social engineering attack and to resist and report it. Therefore, the risk of human error never really goes away.
But this doesn’t mean that social engineering attacks can’t be prevented. Teaching users the warning signs and how to respond is the first step in protecting yourself, your company, and your information from malicious actors.
Recognizing warning signs
All social engineering attempts have a few things in common. Here are some of the most common signs that may mean that someone is attempting a social engineering attack:
Unexpected phone calls. If you get a call you weren’t expecting, especially if the caller says they’re from a bank, an insurance company, or an IT company, chances are it’s a phishing attempt. Do not give any personal details and avoid answering “yes” to any questions.
Suspicious email sender’s address. If something feels off about an email you got, always check the sender’s email address. If it does not match the sender’s display name and the subject line of the email, contains numbers or symbols, or generally looks suspicious, it may be a spam email.
Unusual requests from someone you may know. If the CEO of your company contacts you with urgent requests for money, credentials, documents, or other information even though they have never done that before, it could be a phishing attempt. Always confirm directly with that person that they really sent the email or message.
Urgent requests or demands. Phishing attempts always have a sense of urgency to them, such as “pay now” or “act quickly,” and similar, designed to make you feel pressured, distracted, and overwhelmed. Do not take immediate action and try to calmly assess the situation. Legitimate organizations will communicate in ways that are easy to understand, neutral in tone and do not evoke feelings of urgency or fear.
Unexpected links or attachments. Do not open attachments or click on links in emails you were not expecting. They could be malicious or lead to malicious sites. Before clicking on a link, hover your cursor over the text; if the destination does not match the text, the link may be spoofed. Scammers may also shorten URLs to hide the true link destination.
Unusual layout and spelling. Incorrect grammar and spelling, strange sentence structure, and inconsistent formatting are strong indicators of a phishing attempt. Legitimate organizations have dedicated staff to produce, proofread, and approve any correspondence, including emails, messages, newsletters, and others.
Generic greetings/signature. Greetings that don’t include your name, such as “Sir/Ma’am,” and signatures without contact information (or with contact information that does not make sense) are strong indicators of a phishing email. Legitimate organizations such as banks, insurance companies, parcel delivery services, and others, will include personal greetings and contact information.
Offers that seem too good to be true. If an offer seems too good to be true, such as large amounts of money for seemingly inconspicuous information, it could be a phishing attempt.
Requests on social media from someone you don’t recognize. Bad actors take to social media to impersonate business and influencer accounts. Be wary of such messages, especially if they come from someone you don’t know.
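As an added example that is not part of the original article, the small Python checker below applies several of the warning signs above to a constructed sample message: a sender display name that does not match the address domain, digits in the domain, urgency language, a generic greeting, and links whose visible text names a different host than the real destination or goes through a URL shortener. The keyword lists are illustrative, and the .example domains and the sample email are constructed for this demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative keyword lists; a real filter would use a much larger, tuned vocabulary.
URGENCY = ("urgent", "immediately", "act now", "pay now", "act quickly")
GREETINGS = ("dear customer", "dear user", "dear sir/madam", "sir/ma'am")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    # Lower-cased host of a URL; bare link text such as "www.example.com/path" is accepted too.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(raw):
    # Return the list of warning signs found in one single-part raw e-mail.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Sign 1: display name that does not match the address domain, or digits in the domain.
    words = re.findall(r"[a-z]{4,}", name.lower())
    if words and not any(w in domain for w in words):
        flags.append("sender name does not match address domain")
    if re.search(r"\d", domain):
        flags.append("digits in sender domain")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    # Sign 2: urgent demands and generic greetings in subject or body.
    if any(k in text for k in URGENCY):
        flags.append("urgent call to action")
    if any(g in text for g in GREETINGS):
        flags.append("generic greeting")
    # Sign 3: link text naming a different host than the real destination, or a shortened URL.
    for href, shown in ANCHOR.findall(body):
        shown, real = re.sub(r"<[^>]+>", "", shown).strip(), host_of(href)
        if real in SHORTENERS:
            flags.append(f"shortened link: {real}")
        if "." in shown and " " not in shown and host_of(shown) != real:
            flags.append(f"link text {shown!r} points to {real}")
    return flags

# Constructed sample message (not real mail); .example domains are reserved for documentation.
SUSPICIOUS = """\
From: Acme Bank Security <alerts@secure-notice-2291.example>
Subject: URGENT: verify your account immediately
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p><p>Your account will be suspended. Confirm at
<a href="http://login.acme-verify.example/x">www.acmebank.example</a>
or <a href="https://bit.ly/3abc">this link</a> to act now.</p>
"""
```

Calling `phishing_indicators(SUSPICIOUS)` reports all six signs, while a plainly worded statement notice from `alerts@acmebank.example` whose link text matches its destination reports none.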
Defensive measures against social engineering attacks
Anyone could fall victim to a social engineering attack, as they’re designed to take advantage of human vulnerabilities. The best way to defend against such attacks is to operate on a “zero trust” mindset: do not trust anyone and always double-check the sources, messages, attachments, and others. However, there still are some technical and interpersonal defensive measures you can take to lower the risk of social engineering.
Enabling spam filters
Most email services these days offer spam filters, which flag suspicious emails as such, warn you before opening a suspicious file or email, or send emails previously marked as spam straight to the trash folder. However, do not rely solely on spam filters; continue to exercise critical thinking, suspicion, and a zero-trust mindset.
Implementing multi-factor authentication
Multi-factor authentication, specifically phishing-resistant MFA, is crucial in preventing unauthorized logins, security breaches, and sensitive data theft. Credentials such as passwords, emails, and usernames can still be acquired via social engineering attacks. The requirement of an additional step, such as biometric authentication, security questions, one-time passwords, and/or codes significantly lowers the risk of breaches even if the bad actors already have your credentials.
Training employees on awareness
As social engineering relies on exploiting human errors and vulnerabilities, regular organization-level training is crucial to ensure the safety of your employees and data. All your employees should be informed about and taught to use defensive measures such as multi-factor authentication, the importance of strong passwords, and the use of firewalls. Teaching them to recognize and respond to signs of social engineering will significantly improve the security of your organization where technical defense measures fall short.
How to protect yourself from social engineering
There are some steps you can personally take to protect yourself from social engineering attacks:
- Operate under the zero-trust mindset. Always assume that external communications could be a social engineering attempt, and proceed with caution, looking for clear, undeniable evidence that the message is legitimate.
- Familiarize yourself with signs of social engineering. Anyone could fall victim to social engineering, especially people who think they are immune to such manipulation. Take care of yourself by educating yourself on the warning signs and prevention measures.
- Use technical defense measures, such as strong passwords, multi-factor authentication, firewalls, spam filters, and others.
- Avoid sharing personal information online. This personal information could at any point be used to manipulate you. Monitor your social media profiles – keep them private and share access with only the people you know personally. Keep your professional and personal accounts separate. Do not send sensitive personal information over email, and don’t respond to emails that request this information.
Organizational strategies
Organization-level strategies for social engineering prevention and defense may differ from those that individuals can employ, but still rely on roughly the same steps. Any company must develop a security awareness program that teaches employees to recognize signs of social engineering, to implement necessary security measures, and to respond in case of a successful attack. Additional measures such as an incident response plan and regular security audits will help keep your organization secure in the long run.
Developing a security awareness program
The most important thing is regular training: evidence shows that regular, continuous training and testing improves employees’ security instincts, reduces their susceptibility to social engineering attacks, and generally promotes secure behavior.
There are many ways to develop a security awareness program, from classic PowerPoint sessions to gamified contests. Here are some examples of security training programs that you can implement in your organization:
- Newsletters and training videos as regular reminders
- Gamified online teaching material and “Spot-the-Phish” contests, with awards to incentivize participation
- Monthly phishing simulation exercises, such as deliberately sending phishing emails, followed up by personal training for employees who repeatedly fail the tests.
- Different types of training that correspond with the time of the year – from Christmas scams to tax-related scams during tax season, and so on.
- Specialized training for different teams and roles about social engineering tactics that they may be particularly vulnerable to.
Some more general tips to keep in mind when developing a user security awareness program:
- Make the communication and process simple, and draft your security policies in a language that everyone can understand. Your employees may have varied knowledge and experience with security, as well as different competencies and enthusiasm.
- Simplify security policies so that they don’t interfere with existing work processes and demands and instead complement them.
- Spread out the training and keep it regular. Hours of training once a year may be draining, but half an hour every month will keep the training fresh, interesting, and easier to attend and complete.
- Experiment with training format – you can see some examples above.
- Use technical defenses, such as password managers with varying levels of access, firewalls, multi-factor authentication, regular security audits, and others.
Incident response plans
Even if you take all the necessary measures and train your employees on the risks of social engineering attacks, the chances of an incident are never zero. Therefore, it is crucial to develop several comprehensive incident response plans, containing steps on how to deal with whatever damage was done.
These plans may depend on specific situations and therefore require different nuances, but some main things should be considered for any scenario:
- A trained incident response team made up of individuals with clear roles and the necessary expertise, such as security systems, technology, communications, legal, and others. The team should be responsible for assessing the impact, containing the incident, effectively communicating with affected parties, and preventing a repeat.
- Clear incident documentation and reporting procedures. With these procedures in place, you can deal with an incident efficiently while minimizing the damage. Reporting and documentation are also often a legal requirement.
- Effective communication. Having a communication plan in place will help minimize the damage and restore operations.
- Post-incident reports and analysis. This step will help identify weaknesses and take appropriate measures to prevent a recurrence of an attack.
Conclusion
Anyone could fall victim to a social engineering attack – even those who are convinced they’re immune, even organizations with the best security systems. Social engineering is essentially psychological manipulation and its effectiveness lies in our very human weaknesses.
Our inherent wish to trust and to help, our tendencies to seek out conveniences, and our susceptibility to exploitation when we’re distracted, threatened, and under pressure – these are all reasons why technical security systems are not enough to prevent an attack that was designed to capitalize on human error rather than system failures.
Social engineering attacks, if successfully carried out, may have devastating consequences. An individual may get their money or identity stolen. Organizations may suffer from serious security breaches, monetary loss, and reputation damage. It is therefore crucial to implement adequate preventative measures.
I encourage you to familiarize yourself with the strategies I discussed and take action to ensure the security of your personal and professional life. Regular employee training has been proven to be the most effective way to raise security risk awareness within organizations, together with technical security measures such as multi-factor authentication, spam filters, and antivirus software.