Cybercriminals have increasingly applied the ‘human factor’, aka social engineering, to great effect when carrying out a cyber attack. Several pieces of research show that this is not just hearsay and that social engineering is a successful cyber attack technique: data from PurpleSec’s security research, for example, found that 98% of cyber attacks are based on social engineering.
Cybercriminals have made our employees the front line of cyber attacks: targeting them with malicious emails, tricking them with spoofed phone calls, and generally manipulating their behaviour.
By educating our employees about social engineering tactics and techniques, a business empowers them to fight back against fraudsters. But certain best practices must be followed to ensure a successful program of social engineering education.
Here is the MetaCompliance guide to educating employees about social engineering:
What is Social Engineering?
Social engineering, in the context of cyber security, is a technique or series of techniques, used to manipulate a human being into doing something beneficial for a cybercriminal.
There are many tricks of the social engineer’s trade, and these change over time as cybercriminals optimise their tactics. The aim of social engineering is to trick employees (or the public) into handing over sensitive data such as login credentials, wiring money to a fraudster, or making a mistake such as clicking a phishing link.
Social engineering is typically a stepwise technique that involves:
- Surveillance: Information gathering is a key component of a socially engineered cyber attack. Personal and business information on target employees is collected; targets are typically those working in areas such as accounts payable or IT administration.
- Grooming the target: The information gathered during surveillance is used to build relationships with the target employee. Some fraudsters will even call the employee to create a friendly link with them, grooming them for exploitation.
- Exploiting the mark: This is a key part of the socially engineered cyber attack, building upon the relationship developed using the gathered information. This relationship is exploited to execute the attack, for example, by obtaining a username and password over the phone or persuading the target to open an infected email attachment.
- Taking the hack to completion: The exploitation stage lays the groundwork for the core part of the cyber attack. An experienced social engineer will be able to walk away from the cyber attack knowing that it will take some time for the employee or company to realise they have been exploited.
Examples of Social Engineering
Social engineering comes in many forms, ranging from low-tech to high-tech and often a hybrid of the two. The following examples show the ways in which our employees are socially engineered:
Massive Social Engineering Attack Against Google and Facebook
Business Email Compromise (BEC) is a scam that uses social engineering to trick an employee into sending a company payment to the fraudster, often involving large sums of money.
In 2019, a massive BEC scam stole around $100 million from companies including Google and Facebook. The scammers created a fake company with a name similar to that of a legitimate company the target companies dealt with. From there they sent spear-phishing emails to specific employees and agents of the victim companies.
To gain knowledge on which employees to target, fraudsters typically use surveillance techniques to understand how to best manipulate the behaviour of the target employee.
Microsoft 365 Scam
Brands such as Microsoft 365 are often used to socially engineer and trick employees.
A recent attack involving Microsoft 365 was designed to steal employee login credentials. In this cyber attack, the fraudsters used techniques to evade email gateways, so the phishing emails reached the target employee’s inbox looking like a legitimate Microsoft 365 email. The phishing email used a subject line about a “price revision” and carried what appeared to be an Excel spreadsheet as an attachment. The trick was that the “spreadsheet” was, in fact, a disguised .html file. Opening the file redirected the recipient to a website that then requested their Microsoft 365 login credentials.
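The disguised-attachment trick described above can be caught at the mail gateway by checking what an attachment actually contains rather than what its name claims. The following Python is an added example, not code from MetaCompliance or the original post; the sample lure bytes and filenames are constructed, and the redirect patterns it looks for are an assumption about how such a file sends the viewer on to the credential page.

```python
import io
import re
import zipfile

# Content markers for HTML, plus patterns an HTML lure commonly uses to bounce the viewer elsewhere (assumed).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<body", b"<script", b"<form")
REDIRECT_RE = re.compile(rb"http-equiv\s*=\s*['\"]?refresh|window\.location|location\.(href|replace)", re.I)
SPREADSHEET_EXTS = {"xls", "xlsx", "xlsm", "csv"}

def sniff_kind(data: bytes) -> str:
    """Classify an attachment by its bytes, not by the name the sender chose."""
    head = data[:4096]
    if head.startswith(b"PK\x03\x04"):                  # zip container: OOXML or plain zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip"
        return "xlsx" if any(n.startswith("xl/") for n in names) else "zip"
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # legacy binary Office (.xls/.doc)
        return "ole2"
    if any(m in head.lower() for m in HTML_MARKERS):
        return "html"
    return "unknown"

def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons to hold this attachment for review; an empty list means clean."""
    exts = filename.lower().split(".")[1:]             # every extension after the base name
    last = exts[-1] if exts else ""
    kind = sniff_kind(data)
    reasons = []
    if last in SPREADSHEET_EXTS and kind == "html":
        reasons.append("html content under a spreadsheet extension")
    if last in ("html", "htm") and any(e in SPREADSHEET_EXTS for e in exts[:-1]):
        reasons.append("double extension disguising html as a spreadsheet")
    if kind == "html" and REDIRECT_RE.search(data):
        reasons.append("html attachment redirects the viewer to an external page")
    return reasons

# Constructed samples (not from the post): a lure shaped like the one described, and a minimal genuine .xlsx.
LURE = (b"<html><head><meta http-equiv='refresh' content='0;url=https://login.example.test/'>"
        b"</head><body>Loading price revision...</body></html>")

def make_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

A gateway would run `assess_attachment` on each decoded MIME part and quarantine anything that returns a non-empty list.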
5 Best Practices in Teaching Employees About Social Engineering
Once you are ready to educate your employees about social engineering it is worthwhile using these five best practices:
Best Practice One: Understand the Complex Web of Social Engineering
Build a knowledge base of social engineering tactics and techniques. This will form the basis for your education package. Social engineering is based on human psychology so understanding how fraudsters manipulate human behaviour is fundamental to preventing a successful cyber attack based on this method.
Therefore, training employees to recognise a social engineering attempt is more complex than education around phishing; however, phishing simulations should be part of a wider social engineering training program.
A comprehensive program of social engineering education should also include how these scams work and the types of behaviour or situations they manipulate, for example, trust, urgency, relationships, etc.
Best Practice Two: Security Awareness Training + SEE
General Security Awareness Training packages should always include education on social engineering. Security hygiene and general phishing awareness are both part of mitigating a successful social engineering attempt. Add social engineering education (SEE) to your wider Security Awareness Training programme to make social engineering tricks visible to all.
Best Practice Three: Smart Learning
People tend to learn best when they are taught using interactive techniques. Research has identified certain criteria for effective learning:
- Make the lessons brief but informative: build upon these and repeat them regularly for optimal learning.
- Interleaving, or switching between ideas as you learn, creates natural breaks between sessions, helping to reinforce ideas. Make sure you also point out connections between different areas of cyber security and social engineering tactics to help employees understand the complexity of these types of attacks.
- Use ‘concrete examples’ to make the learning stick in the employee’s mind.
Best Practice Four: Rinse and Repeat
Social engineering, like other cyber security attack methods, is being continuously optimised by cybercriminals. Make sure that you carry out regular training sessions on social engineering as part of your wider Security Awareness Training program. Automate your security awareness campaign to improve and optimise training.
Best Practice Five: Make your Workplace a Social Engineering Zero-Tolerance Zone
By building the confidence of your workforce in detecting and preventing a socially engineered cyber attack your organisation will build a culture of security awareness.
This culture will harden your workforce against cyber attacks, even when the social engineering is complex and plays upon employee fears, behaviour, urgency, and relationships. It will extend to their home life too, improving their general security and helping to de-risk home working environments.
In cyber attacks that use social engineering techniques, the human being is the security vulnerability. By empowering your workforce with the knowledge to detect social engineering attempts you empower your business and your employees.