Whereas traditional hacking exploits weaknesses in software or hardware, social engineering exploits weaknesses in the human psyche. By preying on people’s habits, fears, or complacency, attackers can gain access to almost any system, no matter how sensitive or well-protected. The ubiquity of personal mobile devices in the workplace has only exacerbated the threat. If a user falls victim to a social engineering attempt on their personal device, it can serve as a key to your organization’s cloud resources and create an opportunity for attackers to steal sensitive corporate data. To prevent social engineering in your organization, you’ll need every employee to know both the risks and the countermeasures.
The good news is that users can thwart most social engineering attempts by keeping a cool head and using common sense. A skeptical, proactive, and well-informed employee is much less likely to fall for familiar tricks. By educating your staff and implementing some cybersecurity best practices, you can make sure that your organization’s data remains exactly where it belongs.
Understanding the threat: How social engineering works
“Social engineering” refers to a type of attack that targets a person rather than an electronic system. Through deception, coercion, or manipulation, a threat actor pressures a victim to give up valuable data like credentials or a bank account number. With that data, the attacker can access a restricted system, steal money, disseminate sensitive information, or violate the victim’s privacy in any number of other ways. Phishing, where an attacker pretends to be a trusted contact, is a clear example of social engineering.
While social engineering may use sophisticated technology, the principles underlying the scam are at least 200 years old. At its core, social engineering is a confidence trick. And it uses the same elements as every other confidence trick in human history:
- Creating a sense of urgency: “Enter your username and password now, or we’ll close your account tomorrow.”
- Appealing to authority: “The local police department will seize your car unless you pay this traffic ticket.”
- Exploiting curiosity or fear: “Click here to join a racy video chat,” or “I recorded your racy video chat, but you can pay me to keep quiet.”
- Impersonating a trusted entity: “This is Mom. My phone is dead, my car broke down, and I need money to pay the mechanic.”
If you take a moment to think through these examples, it’s possible to spot the holes in them. But social engineering plays on our emotions, in the hopes we won’t look for those holes in the first place. When an outside force threatens our information, our possessions, our privacy, or — worst of all — our loved ones, we don’t always use our best judgment. That’s why staying calm and rational is the most consistent way to prevent social engineering.
Remember that attackers can also spoof legitimate email addresses, social media accounts, and phone numbers, which makes their deceptions even harder to see through.
7 vital strategies to combat social engineering threats
1. Educate your team on social engineering tactics
To prevent social engineering, employees must adopt a skeptical mindset. Most social engineering attempts have red flags, which can be recognized once you know to look for them. Suppose an employee gets an email that appears to be from a trusted organization but is full of spelling errors, errant capitalization, and broken links. It also has an urgent call to action: “Verify your username and password within 24 hours, or we’ll close your account.” This should set off alarm bells. Poor spelling, awkward phrasing, sloppy hyperlinking, direct requests for passwords, and ticking clocks are all hallmarks of a social engineering attempt.
Employees may receive messages from an “email provider” claiming that a login from a remote part of the globe has triggered their two-factor authentication (2FA) protocols. A representative from a “bank” may request their name, address, and account number. A “friend on social media” might ask them to click on a suspicious-looking URL. These are all common scams — but they’re common because they work.
Suppose a staff member receives a fraudulent 2FA notification. Rather than clicking a link within the email or replying to it, the employee should open a new browser window and visit the email provider’s actual website. (If they know the provider’s URL, they should type it manually to avoid any potential misdirection.) From there, they should check their account history to see whether any errant login attempts actually occurred. Usually, they won’t find anything out of the ordinary.
2. Implement strong password policies and two-factor authentication
Employees should change their passwords for both their work accounts and personal accounts frequently. They should also close accounts they no longer use, especially if the passwords associated with them are used anywhere else. New passwords should be at least 16 characters long and contain lower-case letters, capital letters, numbers, and symbols. You could also employ a password manager, which can automatically generate complex passwords and store them securely.
Two-factor authentication is also an excellent first line of defense if a threat actor gains access to an employee’s credentials. Authentication applications are more secure than SMS codes, but either one is much better than nothing.
3. Encourage reporting of suspicious activities
If an employee fends off a social engineering attack but doesn’t tell anyone about it, they’ve only done half their job. Reporting suspicious emails, phone calls, and text messages helps your security team identify where attacks are coming from and implement better safeguards. Many email clients offer automated tools for reporting phishing, but even just forwarding a suspicious message to the IT or security team can be an effective first step.
4. Regularly update and patch systems
Keeping your electronic systems up to date will not, in and of itself, prevent social engineering attacks. However, social engineering is often a first volley, followed by measures like ransomware.
Ensure that your organization’s software is patched and your hardware’s firmware is up to date. Set both of them to update automatically when new patches are available. If a program or device is deprecated, replace it ASAP. Once threat actors discover a vulnerability in an older system, it’s only a matter of time until they exploit it.
5. Employ advanced email filtering solutions
While threat actors sometimes use sophisticated techniques to spoof email addresses, phishing attempts often come from disposable email addresses and shady domains. One common trick for phishing office workers is to create an email address with a coworker’s name — but even a cursory glance reveals that the host is completely different.
This is one area where email filtering software can do the heavy lifting. It can block a lot of phishing messages right off the bat and flag any marginal cases for employees to review themselves.
6. Establish strict access controls and monitoring
Not every employee in your organization needs access to every single piece of data on your servers. From a cybersecurity standpoint, keeping things compartmentalized also limits how much damage an attacker could do.
Using continuous conditional access means you can exert granular control over which users and devices can access your systems. If a user tries to connect from unsecured Wi-Fi at a coffee shop, for example, their access to sensitive data could be limited.
You can also monitor your employees’ behavior with user and entity behavior analytics (UEBA). This establishes how users interact with company data on a daily basis, and flags any suspicious deviations.
7. Keep up with the latest threat intelligence
Social engineering keeps pace with changing technology. So should you. Take some time each week to read up on the latest threats and countermeasures in cybersecurity. This will help you understand new attack vectors so that you can update your security protocols accordingly. Lookout Threat Intelligence is a great place to start.
Real-world examples of social engineering attacks
Large organizations with hundreds of employees make tempting targets for social engineering attacks. In 2022, the cloud communications company Twilio suffered a data breach after an SMS phishing attack from a group called Scattered Spider. The attackers used sophisticated social engineering tactics to steal credentials and gain access to Twilio’s customer data.
Mitigating the social engineering threat
While social engineering represents a real threat to data security and privacy, there are effective ways to deal with the problem. You can prevent the vast majority of social engineering attacks by educating employees, keeping your hardware and software up to date, and staying abreast of cybersecurity news.
Lookout is a valuable resource for analyzing current trends in cybersecurity. Download the Lookout Global State of Mobile Phishing Report to learn how social engineering has evolved over the past few years, and how both personal and company-issued devices can be vectors for cyber attacks. Threat actors have refined their social engineering methods and become more sophisticated — but with the right tools at your disposal, you can develop even more effective countermeasures.
Book a personalized, no-pressure demo today to learn:
Discover how adversaries use non-traditional methods for phishing on iOS/Android, see real-world examples of threats, and learn how an integrated security platform safeguards your organization.
Global State of Mobile Phishing Report (Free Report)
Discover the alarming rise in mobile phishing targeting U.S. public sector. Safeguard your agency with insights from our comprehensive threat report. Download now!