More than a pop culture slogan, it's a mantra enterprises need to impress upon employees. Social engineering, after all, often begins with an appeal to trust or to help someone else. And despite our best intentions to help our fellow man, encouraging healthy doubt is only one component of a strong strategy to prevent and protect against social engineering attacks.
Social engineers aim to gain their victims' trust while appearing friendly and unassuming. Whether making contact in person, by phone, or via email or other business correspondence, they might pose as a fellow employee, a past employee, or a representative of a vendor or contractor.
In voice phishing, or "vishing," they might mask their caller ID or use a spoof number so that their call appears to be coming from within the same office complex. In such attacks against companies, the attackers might pretend to be IT support or executive-level end users.
The best social engineers will also take the time to do their research. Using social networks and information available online, they will gain access to personal details that can make their pitch more convincing. That pic of your dog you posted on Instagram? Yep, it could be used against you. By gleaning the target's interests and habits from social media, for instance, a fraudster can tailor an email to specifically appeal to that target and increase his or her chances of email opening and link clicking.
A malicious social engineer doesn't stop at the individual; he'll also familiarize himself with the target company's procedures. Arming himself with an understanding of your way of doing things can bolster him credibility.
This could even extend to a bad actor putting your employee (the targeted victim) on hold to listen to the very same hold music your company uses, which has been recorded in advance to help psychologically trigger a sense of familiarity. A good social engineer has plenty of tricks like this up his sleeve.
As social engineering attacks become more common, they also grow increasingly sophisticated. Every business — from SMB to enterprise — needs to devise a strategy to protect against this form of psychological manipulation.
Only 3% of malware Symantec Security encounters try to exploit technical weaknesses. The remaining 97% tries to trick a user through some type of social engineering. That's a huge risk stemming from the people under your own roof.
Social engineering attacks can't be prevented with technology alone. That's why the best social engineering strategy enhances the company through security awareness training. Your humans are, regrettably, your weakest link. Thus effective training is an ongoing effort to keep security a top concern for all employees.
Employees need training on several fronts. First, to address complacency; anyone who thinks, "that will never happen here" is a sitting target for the highly motivated and creative criminals out there.
Next, train employees to recognize social engineering approaches and to stop themselves before they take a potentially dangerous action such as:
You know the saying, "fool me once, shame on you. Fool me twice, shame on me." You don't want your employees to be fooled, but you also don't want to rely on shame to get them to keep their guards up.
In training and testing, focus on successes rather than failures. Sharing accolades when someone in the company immediately warns IT of a suspicious email is more likely to foster employee support and build confidence faster than calling out regrettable mistakes.
At the same time, don't let your employees rest on their laurels. Yes, you want to start out small with social engineering training and testing, but plan to go bigger and get more challenging the more comfortable they become with the learning process.
By varying the pretexts of the social engineering and amplifying complexity over time, you can effectively educate employees on different attack vectors and help the company identify opportunities for adding additional technical controls to protect against real attacks.
Revisit your processes regularly. Are there places you can institute security double checks?
Common social engineering attacks rely on communications that create a sense of urgency or fear. Uncomfortable with these negative emotions, the victim is more likely to disclose information, download a malicious file, or enable access to sensitive data or systems without thinking first.
Encourage people to take the time to:
Bad actors are forever formulating new approaches to social engineering. You can keep your defenses up to date by using a third-party like RedTeam Security to test your people and help correct risky behaviors. In our testing, we measure progress in degrees of failure. In other words, all clients fail. We measure progress through repeated testing and failure rate monitoring. To be fully effective, it takes training, testing, and training adaptation to address testing results.
We can customize testing and training to your particular needs, from attempting to get around or through endpoint protection systems to trying to gain physical access to your premises with the "help" of a too-friendly individual on your staff. Protecting hardware and software alone isn't sufficient. A solid security plan includes educating everyone in your employ about social engineering best practices, too.
Schedule your consultation now and chat one-on-one with a RedTeam Security expert, risk-free. Whether or not we decide to work together, we can help you get a clearer picture of where there might be holes in your defenses and how you can go about shoring them up.