Cyber attacks often involve social engineering
Social engineering is the most significant risk in the cyber threat landscape today. Over 98% of cyber attacks rely on social engineering, targeting staff as the primary attack vector. But you knew that.
You also know that “social engineering” refers to a range of techniques threat actors use to trick end users into providing sensitive information such as login credentials. Social engineering has been around forever and has proven to be one of the easiest ways for threat actors to get into our systems. Manipulating people for access works, and, believe it or not, almost every such attack leans on just four simple levers: Trust, Authority, Intimidation and Scarcity.
Given the prevalence of this risk and its potential impact on your business, it is critical to train staff to spot a potential social engineering attack, and it is easier than you think. To begin with, all social engineering attacks share a common mechanism: an exchange of information. Any form of communication, written or verbal, in which you are asked to provide information may potentially be a social engineering attack.
You might ask…Can this be any form of communication? Yes, such as filling out a form on a website or social media platform. Can it involve speaking to someone on a telephone or responding to an SMS? Oh yeah. What about logging into an application? Sure. Would it also include taking a survey at the tube station? Absolutely.
Getting staff to understand that they must be vigilant whenever they are asked to provide information is the key to your cyber security awareness training on social engineering. From there, train them to look for the following five red flags typically associated with a social engineering attack:
5 signs of social engineering attacks
1. The feeling of urgency
The communication will make you feel that you must act now or else. For example, an email might say, “give us your details and you get a £500 voucher card.” If a message heightens an emotion that makes you rush to respond, it may be a social engineering attack. Quick Tip: To protect against this, wait 90 seconds before responding to anything, then go over the message again to see if it still seems legitimate.
2. The questions
The questions asked can sometimes be a dead giveaway that it is a social engineering attack, either through the number of questions or the type of questions. For example, a ‘salesperson’ you don’t know might ask where your data is stored and what security you have in place. In that case, they could be an attacker posing as a salesperson. Likewise, if the questions are about your password or ‘memorable answers’, that is a red flag that you are being targeted. Quick Tip: The control here is to always ask yourself whether this person should be given the answer to their question at all.
3. Vague when identifying themselves
A clear sign is the absence of specific, verifiable information about who is making the request. If they give a name and a business but the details cannot be verified immediately, this could be a sign of an attack. Quick Tip: So when “Jack the IT guy” calls, make sure you can verify the details given to you and confirm their identity. This can partly be done using the next sign.
4. Bogus contact details
If someone provides contact details that cannot be reached or do not exist, this is a sign that someone is trying to social engineer you. An example is Jake calling from a ‘personal number’ and insisting that you do not use the official number for his department because the system is “down”. This could be an attacker covering their real intentions to look legitimate: if you call the number they gave you, an accomplice is likely to be on the receiving end. Quick Tip: To check this, insist on calling them back on the official contact details available online (or within your business), never on a number supplied in the message itself.
5. Incorrect personal details
Incorrect personal details are most common in emails but have also been used in other forms of communication, such as phone calls. An attacker will send a message that looks personally addressed to the target, but the information about you is wrong. Quick Tip: So if you receive a message like “Hey Jen23, I am a friend of Jake in IT”, be sceptical. Social engineers use information about their targets to create a sense of connection so that the target is more willing to respond.
There you go: these are the five simple signs of a possible social engineering attack to include in your staff’s cyber security awareness training content. Discuss each example in greater depth than we have here and you will significantly reduce the risk of a social engineering attack on your business.
Risk Crew can help with social engineering attack simulations
Simulated exercises or attacks can be run alongside staff awareness training to measure its effectiveness. Risk Crew’s CREST-accredited testing engineers are experts at social engineering testing.
The service results in a detailed report that:
- Benchmarks the security awareness level of your staff
- Identifies weaknesses in operational and business processes that could be exploited for unauthorised access
- Spotlights vulnerabilities you may have overlooked within your people, process and policies
- Gives invaluable insight into the genuine level of security your information security risk management programme provides
Want to learn more or need more help getting started? Give us a bell. Till then, remember as that great blogger Euripides once said: “Question everything. Learn something. Answer nothing.”