Social Engineering Attacks and How to Prevent Them

Written by Kieran Roberts, Head of Penetration Testing

08/11/2021

Threat actors are employing more advanced social engineering techniques with ever-increasing frequency. All sectors are exposed, and the financial and reputational losses can be significant.

Exploiting human nature is not new. The methods used by hackers are getting more sophisticated and they are becoming better at manipulating human behaviour. This guide to social engineering will help you:

  • Understand what social engineering attacks are
  • Understand the different social engineering methods and how to prevent them
  • Learn how to protect your business, staff and yourself from social engineering attacks

Real-life Examples of Social Engineering Attacks

World Health Organisation


Red Kite Community Housing

  • Housing charity Red Kite tricked into sending £932,000 to cyber criminals
  • Social engineers created a fake website that looked identical to a supplier’s
  • Social engineers fabricated an email history to provide the impression that the email was part of an ongoing conversation
  • Red Kite introduced security training for their employees as a new cyber security measure to mitigate future social engineering attacks

What is Social Engineering and how does it work?

Whilst social engineering attacks are now inextricably linked with technology, social engineering has been around since long before the advent of computers. The most famous historical example is the Trojan Horse, which, as we all know, proved to be rather embarrassing for the Trojans.

Ultimately, social engineering aims to deceive individuals into providing business-critical data or other sensitive information that benefits the threat actor. This information is then used for malicious purposes (e.g. to gain the access needed for a ransomware attack, whereby attackers encrypt or steal a company's data and demand payment for its return).

Social engineering recognises that the main weakness within any cyber security system is, more often than not, the individuals who use it. Even the most advanced cyber security systems cannot totally eliminate human vulnerability. These attacks are varied, unique and use increasingly sophisticated methods to exploit human nature. Because they rely predominantly on trust and on an understanding of the victim's online behaviour, anyone can fall prey to them.


Types of Social Engineering Attacks

The pandemic exacerbated social engineering attacks. Playing on the heightened emotions of the global population, threat actors turned to more devious tactics than ever before. The first half of 2021 saw a 22% worldwide increase in phishing attacks. Further data reveals that the majority of data breaches were caused by social engineering attacks, with 85% involving some aspect of human error.

These alarming numbers mean it's pivotal you know how to spot a social engineering attack. Furthermore, employees within an organisation must understand key social engineering prevention strategies to prevent revealing sensitive and business-critical data.

Emails

Links in emails asking for sensitive information or requesting participation in a survey are common ways cyber criminals attempt to infiltrate your network. Threat actors can now fabricate email chains that appear to come from legitimate internal addresses, pose as your CEO and ask for information that will compromise you and your company. Phishing has become sophisticated.

Phone

Deepfake audio exploits the trust and good nature of many people. These sophisticated methods of social engineering persuade victims to divulge information or send data to a threat actor under the guise of someone they know.

Text message scams (smishing) are also on the rise. With the ubiquity of mobile devices, social engineering attacks via smartphone are increasingly prevalent. Frightening victims into believing that the taxman is chasing missed payments, or that they have forgotten to pay a bill, are common lures designed to make users tap links that deliver malware to their device or lead to a credential-harvesting page. Corporate security policies rarely extend to smartphones, making this type of attack exceptionally attractive to threat actors.

Online

One of the most sophisticated social engineering techniques is planting malicious links in websites victims frequently visit (a so-called watering hole attack). While many people are now more savvy to phishing, even cautious individuals click on links when visiting a website they are familiar with. Exploiting trust and user behaviour is textbook social engineering and this type of attack is very hard to detect.

Tailgating

“I’ve forgotten my pass, can you hold the door?”

It may be polite, but you could cost your company £1000s in data losses and reputational damage by falling victim to tailgating. Social engineering isn't siloed behind a screen. Threat actors are real people and an unsuspecting employee innocently holding the door for someone to follow in from behind can lead to a systems breach from an internal computer.


Preventing Social Engineering Attacks

Due to the increasing adoption of remote working and the reliance on email communication for businesses, it has never been more important to ensure your business is protected. There are several tools and preventative measures you can take to limit the chance of a successful social engineering attack.

Education and Training

Most social engineering attacks are successful because the victim is unaware that they are being manipulated to take harmful action.

Implementing security awareness programs within your company is crucial. When educating employees, it’s vital to spell out how social engineering attacks impact your business and how it may affect them personally. You need to explain that it's not just about protecting company information but about protecting identities and personal details in and out of the workplace. Educating and training will not only improve employees’ cyber security awareness but also improve their online interactions, protecting them personally from fraud and crucially, your business.

Recognising Phishing Emails

Phishing is the most common form of social engineering attack. For that reason, your employees must understand how to identify phishing emails.


How to catch a phish?

  • Unfamiliar email addresses - Always check the sender's actual address, not just the display name, before clicking a link. Attackers can convincingly imitate a legitimate address by changing a single letter or registering a lookalike domain. Bear in mind that a From address can also be forged outright unless your mail gateway enforces sender authentication, so a familiar-looking address is not proof of origin
  • Poor spelling and grammar - Grammatical mistakes within an email should be a red flag about its validity, particularly if it purports to come from a large organisation
  • Unrealistic requests - Any email requesting that a user enters personal data, or that urges immediate action such as a payment or a change of bank details, should be considered suspicious
  • Pro-forma scams - The majority of phishing emails are sent in bulk and take similar forms. If the email tells you that you've won something or that your account has been compromised, it is most likely to be a phishing scam.
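The address checks in the list above, and the fabricated email chains described under Emails, can be partly automated at the mail gateway or in a mailbox rule. The following Python script is an added example written for this page; it is not code from the original article or from Bulletproof. It parses the sender headers of a raw message, compares the From domain against a list of domains the organisation actually deals with, and flags lookalikes (single-character edits, homoglyph swaps such as "rn" for "m" or "1" for "l", punycode labels, and a trusted domain used as a subdomain of something else), as well as Reply-To and Return-Path domains that do not match the From domain. The trusted-domain list and the two sample messages are constructed for the example.

```python
"""Added example: flag lookalike sender domains and mismatched reply paths in email headers."""
import email
from email import policy
from email.utils import parseaddr

# Constructed list of domains the organisation genuinely corresponds with (assumption).
TRUSTED_DOMAINS = {"example.com", "supplier-example.co.uk"}

# Character sequences that look alike on screen and are used to build lookalike domains.
# Applied only for comparison; assumes the trusted list itself contains no digits.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Fold homoglyph tricks so 'exarnp1e.com' compares equal to 'example.com'."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike is typically one insertion, deletion or swap away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header such as From or Reply-To ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in trusted:
        return None
    for good in trusted:
        if normalise(domain) == good or edit_distance(domain, good) <= 1:
            return good
        if domain.startswith(good + "."):  # e.g. example.com.evil.test
            return good
    return None


def phish_header_checks(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings about the sender headers of one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_domain = domain_of(msg["Return-Path"])

    if from_domain.startswith("xn--") or ".xn--" in from_domain:
        findings.append(f"From domain uses a punycode (IDN) label: {from_domain}")
    imitated = lookalike_of(from_domain, trusted)
    if imitated:
        findings.append(f"From domain {from_domain} looks like trusted domain {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    display_name, _ = parseaddr(str(msg["From"] or ""))
    for good in trusted:
        if good in display_name.lower() and from_domain != good:
            findings.append(f"Display name mentions {good} but the address domain is {from_domain}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = """From: Jane Smith <jane.smith@example.com>
To: finance@example.com
Subject: Q3 invoice

Invoice attached as usual.
"""

LOOKALIKE_MESSAGE = """Return-Path: <bounce@mail-evil.test>
From: Accounts Payable <payments@exarnple.com>
Reply-To: payments@mail-evil.test
To: finance@example.com
Subject: RE: RE: Updated bank details

Following our earlier conversation, please use the new account below.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE)):
        print(label, phish_header_checks(sample) or ["no findings"])
```

The lookalike test is deliberately a first filter rather than proof of fraud: a perfectly spelled From address can still be forged if the gateway does not enforce sender authentication, so treat an empty result as "nothing obvious" and any finding as a reason to verify the request out of band, for example by phoning the supplier on a number you already hold.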

Implement Specific Security Policies

A security policy that includes ways to assist employees in identifying and avoiding social engineering attempts should be put in place.

  • Strict guidelines for using removable storage devices like USB flash drives which could contain viruses or malware
  • A company-wide password policy requiring strong, unique passwords stored in a password manager, with passwords changed when compromise is suspected rather than on a fixed schedule (forced regular changes tend to produce weak, predictable variations)
  • Details of how to report unusual requests, especially relating to changes in company policy, procedures, or security measures
  • A contact number or email to report anything suspicious

Penetration Testing

Penetration testing is a simulated cyber attack aiming to stress test the security and safety of an organisation's cyber security systems. The goal for penetration testers is to identify potential weaknesses in companies' defences and propose solutions for how they can strengthen them. Pen testing also utilises social engineering tactics to identify vulnerabilities with employees. These penetration tests can see if the employees will divulge sensitive information or simply click on a link that could infect their computer.

Technology

Even though social engineering typically relies on human failings rather than machines, technology can help reduce the scope of these types of threats. You can considerably decrease the risks associated with social engineering attacks by installing technologies such as multi-factor authentication and other security solutions.

Email Filtering

An excellent solution to prevent phishing attempts is an email gateway that can filter out spam emails while also detecting malware in attachments and web links on incoming emails before they reach your server.

Multi-Factor Authentication (MFA)

Multi-factor authentication helps protect against social engineering attacks like phishing by requiring more than one form of verification to access an account, so a stolen password alone is not enough. MFA solutions can be affordable for businesses and are typically easy to set up, with different levels of complexity depending on the needs of each organisation. Bear in mind that one-time codes and push notifications can still be phished in real time or approved by a tired user under pressure; where possible, prefer phishing-resistant methods such as FIDO2 security keys. Implementing multi-factor authentication for your organisation will provide a higher level of protection than relying on passwords alone.

Ensure Regular Software Updates

Phishing emails often carry attachments or links whose payloads exploit unpatched vulnerabilities in a business's software, and those vulnerabilities are most likely to exist when software is not kept up to date. Keeping software regularly updated is one of the most effective ways to limit the damage a single click can do, and reduces the number of situations where an employee's mistake turns into a compromise.

Secure Company Data

Reducing the amount of business critical data employees can access outside of the office is a key opportunity to limit potential damage. Employees should only have access to information necessary for the tasks at hand when working remotely. Limiting employee permissions according to job roles is another way to create security barriers that stop social engineering attacks from having far-reaching ramifications.

Due to the dynamic business landscape and hybrid working practices, social engineering attacks are a common and ever-changing threat. As such, it is vital to stay up-to-date with the latest security guidance to protect your business critical assets. The best way to protect yourself and your company from social engineering is by educating employees on how social engineering works and what they can do to prevent it.

Keep your business safe from social engineering schemes.

Simulate social engineering attacks to keep your staff & data secure. Learn more about Bulletproof's social engineering services.


Our experts are the ones to trust when it comes to your cyber security

  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have a 24/7 on-site Security Operations Centre
