Social engineering will remain one of the most dangerous cyberattack vectors and risks to privacy in 2022. As part of our new series announced on Data Protection Day 2022, let's dive into how these attacks work, how to defend against them, and where end-to-end encryption can help.
What is social engineering in cyber security?
Social engineering attacks are not primarily technological in nature but psychological. Although they use digital tools to target computer-based resources, the way such threats work is not much different from traditional scams. Last week, we explored privacy, security, information security, and data protection through the analogy of a house. Naturally, phishing, smishing, and the like also have their real-world parallels.
We all know a handful of real-life social engineering attacks: the door-to-door salesman who talks stay-at-home parents into a health supplement subscription that never arrives, or the scams that target the elderly and their willingness to do anything to help and protect their grandchildren. What these attacks share with their digital counterparts is that they manipulate weaknesses inherent to human psychology: fear, a sense of urgency, forced quick decisions. In other cases, they go to the other extreme and offer rewards and prizes.
What kinds of socially engineered cyberattacks are there?
While social engineering can be the attack itself in some cases, it is often used to lay the groundwork for more complex attacks. In many cases, malicious actors will use these tactics in an attempt to collect login details. There are several types of social engineering attacks that everyone should watch out for:
- Phishing, vishing, smishing – The attacker contacts the victim through email, by phone (the v stands for voice), or SMS to extract sensitive information. Attacks range in sophistication from easily recognizable scams to emails that can barely be distinguished from the real thing.
- Spear phishing – Similar to the above, but rather than casting a wide net in the hope of results, attackers meticulously target high-value individuals using information shared on social media, wider industry news, or even information collected through compromised company accounts with lower access levels. Spear phishing can be extremely hard to spot and underscores the importance of training leaders to recognize such attacks.
- Baiting – Also closely related to phishing, baiting exploits human greed (or, in many sad cases, financial hardship) to lure individuals into parting with sensitive authentication information. Some simulated baiting attacks have drawn ire from employees but also highlight how easy it can be to deceive people with the promise of prizes, bonuses, and gifts.
- Malware threats – This approach is, in a way, ransomware's smaller cousin. Attackers claim that a user's system is infected with malware and offer to remove it for a fee.
- Pretexting – Attackers set up a situation, or pretext, to lure a victim into a vulnerable situation and to trick them into giving private information, authentication details, etc.
- Water-holing (watering hole attacks) – These attacks exploit the trust users put in certain websites, especially professional communities such as Stack Exchange. Users may feel more comfortable clicking a link on such a site than elsewhere on the internet, giving malicious actors a way to install malware on their devices or compromise login details.
With so many attacks out there, each of them slightly different, it's easy to feel that we are constantly under threat. There are very few, if any, safe spaces left online. Luckily, we have several tools to fight back.
Defending against social engineering
Naturally, automated filters, tagging emails from external senders, and flagging senders and IP addresses with a history of malicious activity all help counter social engineering attacks. But as these attacks target humans, humans are the first place to start your defense.
What can individual users do to minimize the risk of falling victim to such an attack? There are several pieces of advice you can follow on both your personal and business accounts. We grouped these into the acrostic BEHAVE to make them easier to remember and to stand for proper email behavior:
- Be suspicious – Always be suspicious of emails from unknown senders, especially when they display the external sender tag in a business environment. If an employee or someone you know is asking for data they might not need, remember to consider the possibility that their account may be compromised.
- Examine sender – Take a good look at the email address you received the message from. Be sure to keep an eye out for minor changes in spelling that could be easy to miss. Check every letter.
- Hover over links – Do not trust links. Place the cursor over any link in the mail without clicking and check the destination as carefully as you checked the sender address. If the message seems to be from a service you use (e.g., Microsoft, Google, LastPass), open the service provider's page manually, log in, and see if you receive any notifications. If not, report the email.
- Avoid downloading email attachments – Attachments are not only a security risk when you send them; they can carry myriad forms of malware to infect target devices. Never download attachments from unknown senders.
- Verify – Looping back to the possibility that a co-worker's or acquaintance's account may be compromised, check in with them on another channel and verify they sent the mail, they need the information they are requesting, and what they will use it for. If you have their phone number, it might be best to text or call them.
- Examine policies – Most companies have guidelines on how certain processes happen, and if something seems off, double-checking these documents can help reassure you of what to do next. Is the mail in line with company policy? Have others in the organization received similar messages before? This step is vital once you've identified a malicious threat: who you have to contact, how to report it, and what your next steps should be will all be outlined in company documentation.
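Two of the BEHAVE checks, Examine sender and Hover over links, can be partly automated on the mail-gateway or client side. The following is an added example, not Tresorit's code: it flags a sender domain that is a couple of character edits away from a trusted domain, and links whose visible text names a different host than the href. The trusted-domain list and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed list of domains the organisation trusts (an assumption for this example).
TRUSTED_DOMAINS = {"example.com", "microsoft.com", "google.com"}

def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender_domain):
    """'Examine sender': return the trusted domain the sender is within two edits of, else None."""
    if sender_domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(sender_domain, t) <= 2), None)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)

def mismatched_links(html):
    """'Hover over links': (shown_host, real_host) pairs where the link text names another host."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))  # host the reader sees
        real = urlparse(href).hostname                        # host the browser would open
        if shown and real and shown.group(1).lower() != real.lower():
            findings.append((shown.group(1).lower(), real.lower()))
    return findings

def check_email(raw):
    """Run both checks on a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    sender_domain = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    return {"lookalike_of": lookalike_domain(sender_domain),
            "link_mismatches": mismatched_links(msg.get_payload())}

# Constructed sample: the sender domain is one character off and the link text hides the real host.
SAMPLE = """From: IT Helpdesk <helpdesk@examp1e.com>
Subject: Password expiry
Content-Type: text/html

<p>Your password expires today. Sign in at <a href="https://login.examp1e.com/reset">https://login.example.com</a></p>
"""
```

Calling `check_email(SAMPLE)` reports that the sender imitates example.com and that the link shows login.example.com but opens login.examp1e.com; a real deployment would feed it the raw message from the mail gateway and attach the findings as a warning banner.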
Companies and enterprises must train employees on how to recognize and react to social engineering attacks. Education is the best defense against social engineering, even when automated tools to monitor and prevent attacks are in place.
Consider moving internal communication away from emails and channels that can be accessed by outside parties. Rely on workplace chat solutions, task management clouds, and intranet solutions to govern information flow. Simply decreasing the number of emails employees receive and educating them about the inherent risks of emails can be a huge help. Policies that outline how certain events are communicated and proper company procedures will also foster a culture in which questions are asked when things happen differently.
Finally, simulate attacks. Our internal testing has shown that when no testing happens in a given quarter, employee performance in phishing simulations drops off in the next quarter. As a result, these processes are vital to keeping company accounts safe. But remember, IT and security teams must always be a partner to employees for any educational and training activities to be effective. Learn how phishing tests are completed at Tresorit and their results from our previous blog.
Where encryption comes in
It may come as a surprise, but using an end-to-end encrypted digital workspace is a viable layer of defense against these kinds of attacks. While Tresorit can't block social engineering attempts, it can help you create a company culture that makes things more difficult for hackers. For example, if company rules and culture dictate the use of secure sharing links for collaboration, and employees are at the same time trained to be suspicious of links in email, they can be nurtured to question email attachments automatically.
These secure shared links also allow you to revoke access to files sent out in error. Not all phishing attempts target credentials; some are after high-value company files and data. Should such an attack be recognized quickly, shared links can be revoked easily, and document analytics (if enabled) can be used to understand how much of the document the malicious third party managed to read. With traditional attachments, once the email is sent, your data is out of your control.
Also, don't forget that files are re-encrypted when access permissions to a shared folder change. This means that if you remove access for a compromised account, you can rest assured that your files cannot be accessed by the attacker again. Learn more about Tresorit Secure Workspaces here.
To help companies and individuals alike protect their data and the data they are entrusted with, we launched a series of blogs on Data Protection Day (or Privacy Day for our friends in the US) to discuss the major cybersecurity threats, and by extension data security threats, of 2022. Read through our previous article to learn more, and check back over the coming weeks for more info about:
- Back to basics – defining security, privacy, information security, and data protection in 2022;
- ransomware is going nowhere in 2022, but cyber security tunnel vision is also a threat;
- supply chain attacks, vulnerabilities in third-party software, and sideloading could affect businesses globally;
- how DDoS attacks are simple to carry out and extremely damaging;
- and man-in-the-middle attacks are now circumventing TLS encryption in certain settings.
We're exploring the tech behind each threat, what companies and individuals alike can do to counter them, and where end-to-end encryption can help. Watch this space.