Social Engineering Attacks: Definition, Detection, and Prevention

An employee receives an email at work asking them to share network login details. Because it’s from a company executive, they do. The problem: They just fell victim to a social engineering attack, and now the organization's data — or finances — are at risk.

Social engineering is a type of human risk that aims to trick people into sharing sensitive information that gives an attacker access to a system, physical space, or data. These attacks don’t stem from social media as some may think. Social media does, however, make it easier for attackers to gather personal details to create convincing social engineering attacks.

For businesses, social engineering attacks can be devastating. They’re the driving force behind advanced business email compromise (BEC). With the proper employee cybersecurity awareness training, however, organizations can reduce the risk and likelihood of these attacks.

What Is Social Engineering?

Social engineering is a psychological manipulation technique that coaxes victims into divulging sensitive information in order to gain access to systems, data, or physical spaces. Rather than an attacker searching for a software vulnerability to exploit, they exploit human risk. A hacker might fabricate a pretense to gain the trust of an individual and ultimately convince them to share access credentials to systems or an office space, or wire funds, for example. Social engineering attacks tend to target individuals who have special access to these assets.

Top Social Engineering Attack Techniques

Attackers use a variety of human-risk-inspired tactics to gain access to systems, data, and physical locations. The top social engineering attack techniques include:

• Baiting: Baiting attacks use promises of an item or good to trick users into disclosing their login details or downloading malware. Online, the bait might be an ad promising a free music download. In the physical world, it might be an infected flash drive left where an employee is likely to find it. The bait might contain malware or convince the victim to divulge a username and password.
• Scareware: This tactic manipulates victims with false alarms or fictitious threats. A pop-up might appear on the victim’s device that alerts them that their system is infected with malware. It prompts them to install software or visit a site that ultimately infects their device.
• Pretexting: Pretexting is a scam in which an attacker obtains information through a series of lies. The attacker typically impersonates someone in an authoritative role — an executive or law enforcement official, for example — in order to gather personal data or gain access to financial accounts.
• Phishing: Phishing scams target a victim via email, telephone, or text message by posing as a real figure to convince victims to disclose sensitive data. This might include bank or credit card details, usernames, and passwords.
• Spear phishing: Spear phishing is a targeted attack that aims to steal sensitive information via email from specific individuals or groups within an organization. In a spear phishing attack, hackers assume the identity of someone trusted — a coworker, customer, manager, or friend, for example. The attacker’s goal is to convince individuals to divulge information or perform actions that cause data loss, financial loss, or that otherwise compromise the network.
• Tailgating: Tailgating is when an attacker seeking entry into a restricted area follows behind an individual to gain access to that area. The attacker, for example, might dress as a delivery driver and carry packages, then wait for an employee to open the door. This could enable the attacker to bypass security measures.
• Watering hole: In a watering hole attack, hackers aim to compromise a specific group of users by injecting malicious code into a website that members of the group are believed to visit. The goal is to infect the targeted users’ computers to gain access to the network at their workplace.
• Whaling: This type of phishing attack targets high-profile employees, such as the CEO or CFO, in an attempt to steal information or money from the company. The attacker might send the victim a highly customized and personalized email that appears to be from a trusted source, making the scam difficult to detect. The goal is often to manipulate the target into authorizing high-value money transfers to the attackers.

Importance of Human Risk Assessment and Management

Social engineering is a difficult human risk to protect against because the tactics that attackers use prey on an individuals’ reasoning. When employees haven’t been trained to recognize social engineering attacks, the risk of falling victim rises. Because social engineering training plays such a critical role in minimizing human risk, many organizations take human risk assessment and management very seriously.

Social engineering training, which is often a part of a larger human risk management and security awareness program, gives employees the tools they need to recognize these types of human risk, which helps groom more discerning, responsible employees who are better equipped to protect both themselves and their organization.

What are the Potential Repercussions of a Successful Social Engineering Attack?

Social engineering is an exceptionally effective form of cybercrime. The repercussions from these common attacks can be significant. Because most social engineering attacks are driven by financial gain, organizations stand to suffer considerable financial loss.

Companies might also experience a major business disruption — advanced business email compromise, loss of productivity, a decline in employee morale, and downtime as the organization recovers. The process of recovering from a social engineering attack can carry a hefty price tag: Often, organizations must hire an incident response team, purchase security software to help prevent future human risk and retrain employees. Moreover, businesses that fall victim to a social engineering attacks could suffer damage to their reputation if customers no longer feel confident that the organization can protect itself.

9 Tips to Defend Against Social Engineering Attacks

As social engineering attacks become more sophisticated, they become more difficult to prevent. Nevertheless, there are important actions that organizations can take to defend against social engineering attacks:

1. Be suspicious of unsolicited messages and calls asking about other employees or business-related information.
2. Never provide personal information or information about your company unless you are sure the person is authorized to have it.
3. Don’t type sensitive information into a web page before checking the security of the website.
4. If you are unsure whether an email request is real, contact the company directly — through a separate channel — to verify it. 
5. Train employees to recognize the signs of social engineering, human risk, and advanced business email compromise.
6. Implement network segmentation as well as multifactor authentication to ensure that only people who need access to a system have it.
7. Deploy advanced email filters, which can detect scams and filter fake emails before they’re delivered to employees.
8. Install and maintain antivirus software and firewalls.
9. Keep all software up to date — this is more critical than most IT staff realize and, therefore, is often overlooked.

What Should an Effective Social Engineering Training Include?

Effective social engineering awareness training should include teaching employees about the most common social engineering tactics, and provide them with the tools and knowledge they need to recognize threats and prevent them from happening.

It should also make them aware of the potential damage and impact of a successful social engineering attack, such as financial loss, business disruption, reputational damage, loss of productivity, and downtime amongst others.

Three Tips to Make Sure Employee Awareness Training Is Effective

Make learners look forward to, rather than dread awareness training. With more than 100 humor-driven high quality video modules, developed by TV and film professionals, Mimecast Awareness Training never gets boring.

Engaging content captures attention and drives home essential learning through humor. Not only do employees like Mimecast Awareness Training, they can't wait to find out what happens in the next episode. 

Educate your employees by using a persistent, non-intrusive methodology. Rather than overwhelming your employees with a mountain of information, Mimecast Awareness Training changes behavior, improves knowledge, and helps employees retain information in sessions that last no longer than three to five minutes each month.

The Mimecast Human Risk Management Platform

In response to customer and market demand for a more effective means of mitigating risk brought on by social engineering attacks and other employee mistakes and user errors, Mimecast has charted a new path forward by developing a connected HRM platform. The platform will provide unprecedented visibility into an organization’s risk profile, scoring users by risk and allowing security teams to educate and protect the riskiest part of their employee base.

How Mimecast Can Help

The Mimecast HRM Platform has been designed by having human beings at the center of everything we do, aligning key protection and data controls to offer the most comprehensive approach to human risk management. With the Mimecast HRM Platform, you get a single solution that brings multiple products together to help you protect collaboration, educate employees, and detect insider risk. This is the connected human risk management platform organizations need.

Mimecast is pioneering human risk management. The Mimecast HRM Platform and Mimecast Engage technology are the latest innovations in our mission to advance security and transform the way organizations manage and mitigate risk. By integrating security into the very fabric of human interaction, we are setting a new standard for protecting businesses in an increasingly complex digital world.

The Bottom Line

Increasing knowledge through social engineering awareness training is one of the most effective ways to reduce the risk of a social engineering attack and stop advanced business email compromise. Leading security awareness training solutions coupled with the Mimecast HRM Platform can address social engineering and other human-risk-inspired attacks.

**This blog was originally published on June 21, 2021.