What is Social Engineering?
A hacker who uses social engineering effectively preys on people, not technology. A few common practices include:
- Researching targets on social media to get personal data such as birthdays, addresses, and historical information that may be used to answer security questions.
- Calling customer service representatives for service providers an individual works with and using those researched personal details to reset passwords or otherwise take over an account.
- Impersonating a service provider - a bank, cloud vendor, eCommerce store, etc. - and sending an email with links that, when clicked on, will initiate malware downloads.
These are just a few examples of social engineering, and the core principle is the same across all of them - attackers gather personal, private information about you that you have revealed through your online practices. Social engineering attacks can leave an individual feeling violated, as they involve a degree of identity theft. From a business perspective, however, the consequences can be even worse.
Considering the Entirety of the Social Engineering Threat
According to the Verizon 2022 Data Breach Investigations Report, "the human element continues to be a key driver of 82% of breaches," compromising credentials and both internal and personal data. This sensitive data - passwords, bank account numbers, and the names of individuals who work within teams - can then be used for pretexting, installing malware, funneling money, or worse. The idea here is straightforward - outsider threats tend to stick out when they get into your network, making them easier to identify and deal with. Insiders appear as if they should be accessing your various systems, making it much harder to identify when they are participating in illicit activities.
Social engineering actually allows outsiders to function as insider threats because they gain the credentials of authorized users. This lets those attackers get into your most sensitive data without you being able to notice - at least not easily - because it simply looks like one of your employees did it.
Understanding the Effectiveness of Social Engineering
Social engineering is worrying when it comes time to consider the technology side of the equation, but how effective are these attacks at actually getting users to give up their credentials? Many businesses train employees on how to identify phishing scams, how to avoid risk on social media, and similar strategies that keep data safe by preventing social engineering, but is that enough? The Verizon 2022 Data Breach Investigations Report found that phishing scams succeed at an astonishing rate. Phishing is involved in 41% of business email compromises.
If that isn't enough to get you worried, it's worth noting that this year's survey found that while only 2.9% of phishing emails were opened, 12.5% of phishing test emails were reported. The phishing test results are actually a 10% improvement over the last decade! So, people have been getting better at preventing social engineering (although incrementally), but the phishing attempts still come. The message is clear - social engineering is a real threat, and phishing alone is a major risk. So what can you do about it?
Preventing Social Engineering
In many ways, the best way to prevent social engineering from impacting your business is to protect against insider threats. A few solutions make this possible, including:
- Network monitoring - Monitoring your network gives you complete visibility into activities within your systems. This creates a sense of transparency that can be invaluable because it lets you quickly identify suspicious behaviors.
- Behavior tracking - Solutions that track user activity on a day-to-day basis - often through network monitoring - can use analytics to establish a baseline of normal behavior for each of your users. From there, the system can be set to alert IT security professionals when a user begins to deviate from that baseline, allowing them to check on the issue and make sure the activity is authorized and not the result of social engineering.
- Training - Training your staff isn't a cure-all, but taking the time to inform your staff on how they can avoid falling prey is important. The key is to train consistently and not expect rare, one-time events to keep your workers informed.
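The behavior-tracking approach above comes down to two steps: learn what "normal" looks like for each user, then flag logins that fall outside it. The following is an added example written for this article, not a product or vendor implementation. It works over constructed login events (user, timestamp, source country, host) and treats three features as the baseline: the countries a user logs in from, the hosts they touch, and the hours of day they are active. A stolen credential used by an outsider typically breaks at least one of these, which is exactly the "insider who suddenly looks different" signal the paragraph describes.

```python
"""Baseline-and-deviation check over constructed login events.

Added example, not from the original article. Builds a per-user
baseline from a training window of events, then flags new events
that fall outside it (new source country, new host, or a login hour
the user has never used).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, source country, host).
# These form the "normal" window the baseline is learned from.
BASELINE_EVENTS = [
    ("alice", "2022-09-01T08:05:00", "US", "fileserver-01"),
    ("alice", "2022-09-02T09:12:00", "US", "fileserver-01"),
    ("alice", "2022-09-05T08:47:00", "US", "crm-app"),
    ("bob",   "2022-09-01T13:30:00", "DE", "build-agent-02"),
    ("bob",   "2022-09-03T14:02:00", "DE", "build-agent-02"),
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("alice", "2022-09-13T08:30:00", "US", "crm-app"),      # matches alice's baseline
    ("alice", "2022-09-13T03:14:00", "RO", "hr-database"),  # off-hours, new country, new host
    ("bob",   "2022-09-13T13:45:00", "DE", "hr-database"),  # usual hour and country, new host
]


@dataclass
class UserBaseline:
    """What a user has been observed doing during the training window."""
    countries: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def build_baselines(events):
    """Aggregate the training events into one UserBaseline per user."""
    baselines = defaultdict(UserBaseline)
    for user, ts, country, host in events:
        b = baselines[user]
        b.countries.add(country)
        b.hosts.add(host)
        b.hours.add(datetime.fromisoformat(ts).hour)
    return baselines


def score_event(baseline, event):
    """Return the deviations for one event; an empty list means it looks normal."""
    _user, ts, country, host = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if country not in baseline.countries:
        reasons.append(f"new source country {country}")
    if host not in baseline.hosts:
        reasons.append(f"first access to host {host}")
    if hour not in baseline.hours:
        reasons.append(f"login at hour {hour:02d}, outside usual hours")
    return reasons


def detect(baseline_events, new_events, alert_threshold=1):
    """Return (user, timestamp, reasons) for events with at least alert_threshold deviations.

    Users with no baseline at all are always surfaced, since there is nothing
    to compare them against and an analyst should decide whether that is expected.
    """
    baselines = build_baselines(baseline_events)
    alerts = []
    for event in new_events:
        user, ts = event[0], event[1]
        if user not in baselines:
            alerts.append((user, ts, ["no baseline for this user"]))
            continue
        reasons = score_event(baselines[user], event)
        if len(reasons) >= alert_threshold:
            alerts.append((user, ts, reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"ALERT {ts} {user}: " + "; ".join(reasons))
```

Run as-is, it raises two alerts: alice's 03:14 login from a new country to a host she has never touched (three deviations), and bob's first access to hr-database (one deviation). Raising `alert_threshold` to 2 keeps only the alice event, which is the trade-off a real deployment tunes: a single new host is common during normal work, while a new country plus off-hours plus a new host on the same login is the pattern worth a human look. A training window of a handful of events, as here, would be far too noisy in production; the technique is the same with weeks of data behind it.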
Training isn't just essential for your end users. Establishing educational programs for your security and IT teams can give them clear ideas of the emerging technologies and practices that can help them stay ahead of social engineering threats.
Hacking strategies are constantly changing, and social engineering is a primary example of this. New methods for data sharing, social interactions, and identity theft are constantly emerging, and security professionals must stay ahead of these developments while also implementing new technologies and training users.
Learning Tree offers a full suite of cyber security training courses, including opportunities to learn the nuances of social engineering and what you can do about it.
97% of companies have been affected by a cybersecurity breach in their supply chain. If your organization hasn’t begun to lay the groundwork for CMMC certification, now is the time to start and make cybersecurity your top priority.
This piece was originally published on October 15th, 2019, and updated on September 13th, 2022, with an updated citation to the most recent Verizon DBIR. Due to slightly different rates between the methods of social engineering attacks reported in this year's survey, we updated some conclusions, but the main thesis remains the same. Social engineering is a major threat to organizations and a stepping stone to more severe cybercrime.