How to Stem the Rising Tide of Social Engineering Attacks
We tend to think of cyberattacks as highly sophisticated operations that use complex techniques to bypass layers of digital security measures. In truth, most are stunning in their simplicity, using social engineering tactics to manipulate individuals into divulging confidential or personal information.
Social engineering requires no programming skills, advanced tool sets or technical knowledge. Attackers simply exploit their victims’ natural tendencies to trust and help others, their desire to avoid conflict or negative consequences, and their inclination to comply with authority figures. By leveraging these emotions, social engineers can manipulate people into giving up sensitive information, downloading malware or taking other actions that serve the attacker’s purposes.
It is by far the most common form of Internet crime, according to data compiled by the FBI’s Internet Crime Complaint Center. The IC3 recorded 323,972 complaints in its phishing/vishing/smishing/pharming category in 2021, more than the next four categories of cybercrime combined. Vendor estimates that up to 90 percent of all cyberattacks involve a social engineering component are common, although the figure depends on how broadly "component" is defined.
Most Common Versions of Social Engineering
The most common version of social engineering is phishing, in which attackers use spoofed emails or text messages that appear to come from a trusted source. These messages typically contain a link or attachment that, when opened, takes the victim to a credential-harvesting website or installs malware on their device. In other cases, often called business email compromise, an attacker impersonating a trusted individual such as an executive or a supplier asks the victim to transfer money or send sensitive information, with no malicious link or attachment at all.
Other common techniques include spear-phishing attacks tailored for a specific individual or organization, whaling attacks targeting senior executives or other high-profile individuals, and baiting attacks that offer rewards or incentives in exchange for the victim’s participation. Vishing and smishing are the same lures delivered by voice call and by SMS text message, respectively.
Social engineering is on the rise because it is a low-risk, high-reward attack for malicious actors. But it’s costly for the victim. According to IBM, the average cost of a data breach with social engineering as the initial attack vector is more than $4 million.
Preventing social engineering attacks requires education, vigilance and a robust cybersecurity strategy. Here are some of the measures that individuals and organizations can take to prevent social engineering attacks:
- Educate employees. Training should cover the different types of social engineering attacks, how they work and how to report them. It should emphasize three essential habits: treat unexpected messages with suspicion, even from senders you recognize, since the sender can be spoofed; don’t click email links unless you have checked where they actually lead; and don’t open attachments unless they are expected and come from a trusted source. Any request for money, credentials or sensitive data should be verified through a channel you already have, such as calling the requester on a known number, rather than by replying to the message. Test employees with simulated phishing emails to see whether they recognize current threats and techniques.
- Implement multifactor authentication. MFA prevents a stolen password alone from granting access to applications, systems and services, which blunts the most common payoff of a phishing attack. Not all MFA is equal, however: one-time codes and push approvals can themselves be phished through real-time relay pages or "MFA fatigue" prompt bombing, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys for privileged and high-value accounts.
- Use content filters. Filtering solutions use a range of techniques, including sender authentication checks (SPF, DKIM and DMARC), lookalike-domain and display-name analysis, URL rewriting and attachment sandboxing, to identify and block suspicious emails before they reach users’ inboxes. Mobile device management solutions often include a filtering component for remote and mobile devices used outside the network.
- Segment the network. Segmentation does not stop the phish itself, but it limits the damage after a user has been tricked by breaking the network into smaller, isolated parts so that malware and an attacker’s lateral movement cannot propagate throughout the environment.
- Enforce strong password policies. Require long passwords that are unique to each system and service, screen new passwords against lists of known-breached passwords, and encourage a password manager. Rotate passwords when compromise is suspected rather than on a fixed schedule; mandatory periodic changes push users toward predictable variations, and NIST SP 800-63B advises against them.
- Implement least-privilege access. Written procedures should state who may access which parts of your network and how, who is authorized to approve access, and who can approve exceptions. Grant each account only the rights its role requires and review them regularly, so that a single phished user yields the attacker as little as possible.
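To make the filtering point concrete, the following is an added example (not GDS code and not any product's logic) of the kind of heuristic triage a mail filter performs on an inbound message. It assumes the organization sends mail only from `example.com`, and it scores the tells described above: a display name claiming a trusted address while the real sender is elsewhere, a lookalike sender domain, a Reply-To that redirects replies to a third domain, an SPF/DMARC failure already recorded by the receiving MX, links whose visible text differs from their real target or points at a bare IP, and urgency language. The two sample messages are constructed for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation sends mail only from these domains.
TRUSTED_DOMAINS = {"example.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account suspended", "verify your account")
QUARANTINE_THRESHOLD = 5  # illustrative weight cut-off, not a vendor default


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _edit_distance(a, b):
    """Levenshtein distance; a small value against a trusted domain means 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for punycode (homoglyph) labels or domains within two edits of a trusted one."""
    domain = domain.lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    if any(label.startswith("xn--") for label in domain.split(".")):
        return True
    return any(_edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def _is_ip(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def score_message(raw):
    """Return (score, [(code, weight, detail), ...], verdict) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    name_domain = name.rpartition("@")[2].lower() if "@" in name else ""
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    if name_domain in TRUSTED_DOMAINS and from_domain not in TRUSTED_DOMAINS:
        findings.append(("display_name_spoof", 3, f"{name!r} sent from {addr}"))
    if is_lookalike(from_domain):
        findings.append(("lookalike_domain", 3, from_domain))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", 2, f"{from_domain} -> {reply_domain}"))
    # The receiving MX writes its SPF/DKIM/DMARC results into Authentication-Results.
    failed = re.findall(r"\b(spf|dmarc)=(fail|softfail|permerror)",
                        msg.get("Authentication-Results", ""), re.I)
    if failed:
        findings.append(("auth_fail", 3, ", ".join("=".join(f) for f in failed)))

    text = msg.get("Subject", "") + "\n"
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        text += body
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(body)
            for href, shown in parser.links:
                real = urlparse(href).hostname
                if _is_ip(real):
                    findings.append(("ip_link", 1, href))
                # Visible text is itself a URL but its host differs from the real target.
                if shown.lower().startswith(("http://", "https://")) and urlparse(shown).hostname != real:
                    findings.append(("deceptive_link", 3, f"shows {shown} but opens {href}"))
    hits = [w for w in URGENCY_PHRASES if w in text.lower()]
    if hits:
        findings.append(("urgency_language", 1, ", ".join(hits)))

    score = sum(weight for _, weight, _ in findings)
    return score, findings, "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = b"""From: "it-helpdesk@example.com" <alerts@examp1e.com>
Reply-To: recovery@mail-secure-login.net
To: jane@example.com
Subject: URGENT: verify your account within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Click <a href="http://198.51.100.7/login">https://sso.example.com/login</a> immediately.</p></body></html>
"""

SAMPLE_BENIGN = b"""From: Jane Doe <jane@example.com>
To: bob@example.com
Subject: Lunch tomorrow?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Are you free at noon? Jane
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        score, findings, verdict = score_message(sample)
        print(verdict, score, [f[0] for f in findings])
```

The weights and threshold are illustrative; a production filter would combine signals like these with reputation data and attachment analysis, and the Authentication-Results check only means something if the receiving MX actually performs SPF and DMARC evaluation and strips any forged Authentication-Results header the sender supplied.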
Advanced Email and Web Security Services
GDS offers advanced email and web security services, multifactor authentication and security awareness training necessary to identify and stop social engineering attacks. Contact us to learn more.