What are Social Engineering Attacks and why you need to defend against them

Because critical data is no longer housed within a company’s own servers, hackers know they’re more likely to succeed with social engineering attacks.


Cybersecurity and risk department leaders can invest in all the best cybersecurity tools they want, but if they’re not focusing on securing their own employees, they’re leaving a major security gap.

Employees often have access to company secrets, the organization’s most critical and sensitive files, and databases and servers that, if compromised, can disrupt an organization to the point that it is unable to perform its services.

Unfortunately, the average employee isn’t a cybersecurity expert and may not even be aware that they have access to sensitive information. This may result in lax security measures or in falling victim to a social engineering attack designed to prey on their lack of knowledge.

It’s this combination of access and relative unawareness that makes them the perfect target for malicious hackers and bad actors. This is why employees are among the most common targets and are usually hit with social engineering attacks that can lead to compromised organizations and assets.

In 2021, social engineering attacks increased 270%, largely due to the expanded use of cloud-based services. Because critical files and data are no longer housed within a company’s own servers, hackers know they’re more likely to succeed with social engineering attacks that give them access to employee accounts.

We’re going to discuss what social engineering attacks are and how you can reduce the risk of these attacks compromising your organization.

What is Social Engineering?

Social engineering refers to a set of attacks and methods that result in a compromised employee, potentially without their knowledge. Social engineering attacks are usually the first attack a hacker deploys in order to further damage an organization. Through social engineering, malicious attackers may be able to drop ransomware in an environment, reach customer data, or exfiltrate trade secrets.

Social engineering takes a number of forms and can vary from high to low sophistication in terms of the kind of technology or methods utilized. Here are a few examples:

  • Pretexting - If you work in a physical office and someone asks you to let them in because they forgot their key card, that’s social engineering. The person may not actually work in the building but is using the pretext of being an employee, taking advantage of the trust others may have. This is often the underlying driving principle behind social engineering attacks.
  • Impersonation - This is commonly the precursor to attacks such as phishing, ransomware, and BEC attacks. These are often email-based attacks where a hacker pretends to be someone in the organization, usually with more authority than the victim, and asks them to take a compromising action. This can be accepting or sending a wire transfer, downloading a malicious attachment, or giving the attacker sensitive files.
  • Using personal information - Social engineering often works best when it uses personal information to gain the trust of unsuspecting individuals. This was the case with the most recent Uber hack. A third-party contractor was prompted to accept an MFA request multiple times. It wasn’t until the hacker texted the contractor’s personal phone pretending to be Uber that the contractor accepted the MFA prompt, allowing the hacker to infiltrate Uber.
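The repeated-prompt pattern in the last bullet leaves a trace in MFA logs that defenders can alert on. The following is an added example, not part of the original article: it flags an approved push that follows a burst of rejected or ignored pushes for the same user. The event format, result names, thresholds and sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of MFA push events: (timestamp, user, result).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "approved"),
    ("2024-01-10T10:00:00", "bob", "denied"),
    ("2024-01-10T10:01:00", "bob", "approved"),
    ("2024-01-10T21:01:00", "contractor1", "denied"),
    ("2024-01-10T21:03:00", "contractor1", "timeout"),
    ("2024-01-10T21:06:00", "contractor1", "denied"),
    ("2024-01-10T21:09:00", "contractor1", "denied"),
    ("2024-01-10T21:14:00", "contractor1", "approved"),
]

# Assumed result names: a push the user refused or never answered.
REJECTED = {"denied", "timeout"}


def find_push_fatigue(events, min_rejected=3, window=timedelta(minutes=30)):
    """Return (user, approval_time, rejected_count) for every approval that
    follows at least `min_rejected` rejected pushes within `window`."""
    recent = {}  # user -> timestamps of rejected pushes still inside the window
    alerts = []
    for ts, user, result in sorted(events):  # ISO timestamps sort in time order
        now = datetime.fromisoformat(ts)
        # Forget rejected pushes that are too old to belong to this burst.
        rejected = [r for r in recent.get(user, []) if now - r <= window]
        if result in REJECTED:
            rejected.append(now)
        elif result == "approved":
            if len(rejected) >= min_rejected:
                alerts.append((user, ts, len(rejected)))
            rejected = []  # an approval ends the burst either way
        recent[user] = rejected
    return alerts


if __name__ == "__main__":
    for user, when, count in find_push_fatigue(SAMPLE_EVENTS):
        print(f"review sign-in: {user} approved at {when} after {count} rejected pushes")
```

A single mistaken denial followed by an approval (the constructed user bob) stays below the threshold, so ordinary mis-taps do not raise an alert.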

Social engineering is dangerous because it relies on trust and urgency and pushes the victim to act rashly, without double-checking that the request is valid. Business Email Compromise attacks are often successful because of social engineering. These are attacks that get a victim to send money to an attacker. The attacker pretends to be the CEO, CFO, or even a potential vendor with a fake invoice. Because of the pretext, impersonation, and the fact that communication is occurring through work emails, a victim believes the request is genuine. Over a three-year period from 2016 to 2019, BEC attacks led to $43B in losses.

How to mitigate the risk of social engineering attacks

Because of how personal social engineering attacks are and the various channels the attacks use, there’s no one way to defend against these attacks. However, with a mix of process, policy, and technology, you can mitigate the risk of these attacks compromising your employees.

Education, awareness, training

Security awareness training is one of the most helpful tools for teaching employees to spot all kinds of attacks, and any program you enroll your employees in should focus on social engineering attacks that leverage non-traditional channels.

However, you should also implement specific policies that detail: 

1) What an employee should do if they come across a suspected social engineering attack. This elevates your awareness of attacks and also might alert you to spearphishing or other targeted threats your organization might be facing. This will help you prioritize and take action to minimize the risk of compromise.

2) The process for certain actions and communications within the organization. Making it clear that communications happen through official channels and that, for example, a wire transfer requires specific authentications or validations will stop an employee from thinking a fake text from the CEO is enough to take a potentially dangerous action. Being clear about processes will help employees spot strange requests or phishing emails.

Limit access to critical systems, files, and procedures

Hackers target employees because they know employees have access to sensitive files and databases. If you’ve engaged in identity access management, employed a zero trust model, or use the principle of least privilege in your organization, you can reduce the amount of risk the average employee carries.

Identity access management defines access on a role-by-role basis and ensures employees have access to specific data if their function requires it. The principle of least privilege takes this a bit further and aims to limit critical data access as much as possible regardless of the role or risk. Zero trust is one of the most limiting principles. When it comes to employee access, zero trust, as the name implies, assumes a compromise and requires validation at any point of access.

Ideally, you’ll adopt a mix of these strategies that effectively balances security without compromising on productivity.

Improve your asset and data visibility

Awareness and visibility of your environment are needed to detect whether your data is compromised via a social engineering attack and to ensure any access limitation or identity management system you’ve put in place is comprehensive. If, for example, you’re unaware that the sales department has access to sensitive finance or HR docs, then your access management implementation might skip over that, leaving a significant security gap.

By focusing on asset and data visibility, you’re making your additional security controls that much more comprehensive while also giving your strategy an opportunity to scale with your organization as you add more employees, vendors, and expand your infrastructure.

How Metomic Can Help

Security leaders can take advantage of data and asset visibility tools like Metomic to help improve their security controls against social engineering attacks. Metomic integrates with SaaS apps to give you comprehensive visibility of where your data lives and who has access to it.

This allows you to limit critical data access and also detect any anomalous behavior that might be the result of a social engineering attack or other form of security compromise. Metomic can help you spot various indicators of compromise while also alerting you to sensitive files that employees shouldn’t have access to or that shouldn’t be there in the first place.

Examples include having PII on publicly available GDrive folders or all employees having access to sensitive data via an insecure channel. A user exfiltrating a huge amount of data, accessing servers during off hours, or making multiple access attempts on databases they shouldn’t have access to are all potential signs of a compromise. Being able to have visibility into these actions can help you act quickly.
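The three behavioral signs listed above can be checked against ordinary access logs. The following is an added example, not Metomic's code or part of the original article: it scans one day of events and reports which of the three signs each user shows. The log format, field names, thresholds, working hours and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed one-day access log: (timestamp, user, resource, outcome, bytes_out).
SAMPLE_LOG = [
    ("2024-01-10T09:15:00", "alice", "crm-db", "allowed", 2_000_000),
    ("2024-01-10T14:30:00", "alice", "crm-db", "allowed", 3_500_000),
    ("2024-01-10T02:10:00", "bob", "file-server", "allowed", 400_000_000),
    ("2024-01-10T02:25:00", "bob", "file-server", "allowed", 350_000_000),
    ("2024-01-10T11:00:00", "carol", "hr-db", "denied", 0),
    ("2024-01-10T11:01:00", "carol", "hr-db", "denied", 0),
    ("2024-01-10T11:02:00", "carol", "hr-db", "denied", 0),
    ("2024-01-10T11:05:00", "carol", "crm-db", "allowed", 1_000_000),
]


def flag_users(log, byte_limit=500_000_000, denied_limit=3, work_hours=range(8, 19)):
    """Map each user to the sorted list of compromise signs seen in `log`.
    All thresholds are assumed values and need tuning per environment."""
    bytes_out = defaultdict(int)   # user -> total bytes transferred out
    denied = defaultdict(int)      # (user, resource) -> denied attempts
    off_hours = set()              # users with successful off-hours access
    for ts, user, resource, outcome, size in log:
        if outcome == "denied":
            denied[(user, resource)] += 1
            continue
        bytes_out[user] += size
        if datetime.fromisoformat(ts).hour not in work_hours:
            off_hours.add(user)

    findings = defaultdict(set)
    for user, total in bytes_out.items():
        if total > byte_limit:
            findings[user].add("bulk_download")
    for (user, resource), count in denied.items():
        if count >= denied_limit:
            findings[user].add("repeated_denied:" + resource)
    for user in off_hours:
        findings[user].add("off_hours_access")
    return {user: sorted(signs) for user, signs in findings.items()}


if __name__ == "__main__":
    for user, signs in sorted(flag_users(SAMPLE_LOG).items()):
        print(user, signs)
```

Any one sign on its own is weak evidence; the constructed user bob shows two together, which is the kind of combination worth reviewing first.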

Metomic can help improve visibility across your entire environment, which will strengthen all your security efforts and controls and help defend against social engineering attacks.

To learn more or book a free risk review, check out Metomic here
