
Social engineering: a hackers’ sophisticated tool

Common sense can go a long way toward preventing a social engineering attack.

Haifa Ketiti, Senior Sales Engineer at Proofpoint

The end goal of security awareness training is to turn users into proactive defenders for the business. Users must understand and embrace the critical, front-line role they play in helping to protect the organisation. They need to know how attackers manipulate them to enable their campaigns and why they are being targeted. Proofpoint’s 2022 Voice of the CISO study revealed that employee security awareness is on the rise, but users are still not adequately skilled for the role of cyber defender. While nearly 50 per cent of the CISOs surveyed in the UAE and KSA believe employees understand their role in protecting their organisation from cyber threats, the other 50 per cent still consider human error to be their organisation’s biggest cyber vulnerability. That makes social engineering—which plays a role in almost every human-focused attack—a foundational cybersecurity awareness topic.

Social engineering is a collection of techniques that malicious actors use to manipulate human psychology. It exploits human nature to trick or threaten users into taking actions: giving up account credentials, handing over sensitive data, running malicious code or transferring funds. Attackers rely heavily on social engineering across so many campaigns because they know that people are the easiest way into an environment.

Attackers use social engineering to exploit people. For example, threat actors take advantage of users’ emotions, trust or fatigue. By conveying a sense of urgency, generating excitement about an opportunity, or creating fear around losing money or doing something wrong, attackers emotionally manipulate users into falling for their trap. Attackers can also play on a user’s trust by posing as someone the user trusts or by abusing a trusted brand or authority (such as the IRS, UPS, Amazon and Microsoft). The timing of an attack is another tool: attackers choose moments when users are likely to be tired or distracted and more inclined to let their “emotional mind” guide their decision-making.

Security awareness training on social engineering should therefore cover techniques such as phishing, social media reconnaissance, telephone-oriented attacks, vishing and smishing, which are among the most significant threats targeting organisations. In Saudi Arabia, smishing/vishing attacks topped the list, cited by 30 per cent of CISOs surveyed, followed by ransomware (29 per cent) and insider threats–whether negligent, accidental or criminal–at 28 per cent.

Phishing refers to sending malicious emails to trick people into doing something on the attacker’s behalf. The email usually asks the recipient to click a malicious web link or open an attachment. In phishing simulations, one in five users opened an email attachment, and one in ten clicked on a link.

  • Social media reconnaissance. Attackers often use social media to gather information about users that they can leverage as part of another campaign. For example, they might gather information from LinkedIn about a company’s top executive so they can impersonate that executive in a phishing campaign. Posing as the executive, the attacker might target users in the finance department. Attackers’ reconnaissance efforts may also include direct outreach to a target.
  • Vishing and smishing. With this social engineering technique, attackers send SMS messages to users or robocall them, often using voice-changing software. The messages often promise gifts or services in exchange for payment. These types of scams are called vishing (voice phishing) and smishing (SMS/text phishing).
  • Telephone-oriented attack. Telephone-oriented attacks, also known as call-back phishing, have surged in recent months. These attacks often start with email and play out over multiple channels, but the linchpin of this approach is a person-to-person phone conversation, so the attack requires the victim’s active participation. Telephone-oriented attacks start with an email that claims to be from a legitimate source and includes a phone number for customer assistance. Callers are connected to fake customer service representatives. These “representatives” then guide the victim through the attack. They may instruct the victim to let them access their machine remotely or to download a file that turns out to be malware.
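The cues described above (urgency, a payment or gift-card theme, a trusted brand named in the text but not matching the sender's domain, and, for call-back phishing, a phone number offered in place of a link) can be turned into a simple triage heuristic that a mail-security or SOC team might run over inbound messages. The following is an added illustration written for this article, not Proofpoint's product or code; the keyword lists, weights, thresholds and the three sample messages are constructed assumptions.

```python
"""Heuristic triage of social engineering lures (added example, not vendor code).

Scores an email on the cues the article lists: urgency language, a payment or
gift-card theme, a callback phone number offered instead of a link, and a
brand named in the text whose domain does not match the sender's domain.
Keyword lists, weights and thresholds are illustrative assumptions.
"""
import re
from dataclasses import dataclass

URGENCY = ("immediately", "within 24 hours", "urgent", "final notice",
           "act now", "will be suspended")
PAYMENT = ("gift card", "wire transfer", "payment", "invoice", "refund", "charged")
# brand name -> the domain a genuine message from that brand would be sent from
BRANDS = {"amazon": "amazon.com", "microsoft": "microsoft.com",
          "ups": "ups.com", "irs": "irs.gov"}
# North American style number; deliberately loose, a bare 10-digit run also matches
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    indicators: list


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of a sender address."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def score_email(msg: Email) -> Verdict:
    """Accumulate a risk score and the list of indicators that fired."""
    text = f"{msg.subject}\n{msg.body}".lower()
    indicators, score = [], 0

    if any(k in text for k in URGENCY):
        indicators.append("urgency")
        score += 2
    if any(k in text for k in PAYMENT):
        indicators.append("payment_theme")
        score += 1

    phones = PHONE_RE.findall(msg.body)
    if phones and not URL_RE.search(msg.body):
        # call-back phishing pattern: a number to call and nothing to click
        indicators.append("callback_number_without_link")
        score += 3
    elif phones:
        indicators.append("phone_number")
        score += 1

    domain = sender_domain(msg.sender)
    for brand, legit in BRANDS.items():
        # word boundary so that "irs" does not fire on "first" or "ups" on "groups"
        if re.search(rf"\b{brand}\b", text) and not (
                domain == legit or domain.endswith("." + legit)):
            indicators.append(f"brand_mismatch:{brand}")
            score += 2
            break
    return Verdict(score, indicators)


def classify(msg: Email) -> str:
    """Map the score to a triage outcome; thresholds are assumptions."""
    s = score_email(msg).score
    return "suspicious" if s >= 5 else "review" if s >= 3 else "likely_benign"


# Constructed sample messages (not real mail)
CALLBACK_LURE = Email(
    sender="billing@secure-renewals.example",
    subject="Your Amazon Prime renewal: $399.99 charged",
    body="Your account was charged $399.99 for a one-year Prime renewal. "
         "If you did not authorize this payment, call our support line "
         "immediately at (800) 555-0199 to cancel within 24 hours.")
ORDER_NOTICE = Email(
    sender="noreply@amazon.com",
    subject="Your order has shipped",
    body="Your order #112-3456 has shipped. Track it at https://www.amazon.com/orders")
GIFT_CARD_ASK = Email(
    sender="jane.doe.ceo@webmail.example",
    subject="Quick favor",
    body="Are you at your desk? I need you to buy gift cards for a client and "
         "send me the codes, act now. I'm in a meeting, don't call me.")

if __name__ == "__main__":
    for m in (CALLBACK_LURE, ORDER_NOTICE, GIFT_CARD_ASK):
        v = score_email(m)
        print(f"{m.subject!r}: {classify(m)} (score {v.score}, {v.indicators})")
```

The call-back lure scores highest because it stacks every cue at once; the gift-card request lands in "review" on urgency and payment theme alone, which is why a heuristic like this is a triage aid for analysts rather than a replacement for user awareness or a full email security gateway.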

How to avoid social engineering attacks

There are actionable measures users can take to protect themselves against social engineering attacks. To begin with, users shouldn’t blindly trust anyone who contacts them by email, phone or social media. Slowing down and thinking twice before taking any action—such as carrying out a request to send money or buy gift cards—and confirming that the sender (and the request itself) is legitimate can go a long way. Additionally, it is always a good idea not to share personal information, such as phone numbers or home addresses, in social media posts. Finally, users should be cautious about clicking on links and opening attachments.

Common sense can go a long way toward preventing a social engineering attack. If it seems too good to be true, it’s very likely a scam. And if something doesn’t look or sound right, it probably isn’t.