Selling a Social Engineering Attack

Social engineering techniques are not only becoming more common but also more sophisticated. Attackers seem to be taking notes from Marketing 101, ensuring that their lures strike a chord with their victims: emails that carry customized messages with very official-looking logos and layouts, fraudulent phone calls that cite actual employee names and titles, and even well-rehearsed, seemingly innocuous facility access attempts.

The Hard Sell

According to the 2016 Proofpoint Human Factor Report, in 2015, social engineering became the number one attack method for cybercrime. Attackers are using what’s already available online—LinkedIn profiles, Facebook posts, company websites—to make sure their lures elicit action from their potential victims. Attackers are doing what any smart marketing campaign would do: Figure out what to use as bait that will lure their intended audience to open and click phishing emails, provide information over the phone, and give entry to unauthorized individuals.

Spot the Bait

Social engineering attacks can come in many forms, but there are some commonalities to look out for. For example, risky subject lines include variations on these themes: Confirm Your Password, Incoming Fax, Notice of Payment, Impending Service Cancellation, Special Invitation, Shipping Document, and Your Action Needed. Phone attackers are, to say the least, smooth talkers. They can usually reference organizational policies and employee names and titles, and talk their unsuspecting victim into revealing the information the attackers need. And how many times have you held the door for someone who appeared to be fumbling with their keys or had their hands full, unaware that you were granting unauthorized access to your company’s data?
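The subject-line themes above are easy to turn into a first-pass triage rule. The following is an added example, not code from the original article or its author: it normalizes a subject line (strips reply/forward prefixes and punctuation) and matches it against regular expressions that approximate "variations on these themes". The patterns, the theme names, and the constructed sample mailbox are this example's own assumptions. Keyword matching of this kind is a cheap signal for routing messages to a reviewer or a user-awareness reminder, not a reliable block list: attackers vary wording freely, and legitimate mail (a real fax gateway, a genuine shipping notice) will match too, so the output should feed a human or a richer scoring pipeline rather than an automatic quarantine.

```python
import re

# Risky subject-line themes named in the article. The regexes are this
# example's own approximation of "variations on these themes" (assumption).
RISKY_THEMES = {
    "credential_lure": r"\b(confirm|verify|reset|update)\b.*\bpassword\b|\bpassword\b.*\b(confirm|verify|expir\w*)\b",
    "incoming_fax": r"\b(incoming|new)\s+fax\b",
    "payment_notice": r"\bnotice\s+of\s+payment\b|\bpayment\s+(notice|due|overdue)\b",
    "service_cancellation": r"\b(impending|pending|immediate)\s+(service\s+)?cancell?ation\b|\bcancell?ation\s+notice\b",
    "special_invitation": r"\bspecial\s+invitation\b|\byou\s+are\s+invited\b",
    "shipping_document": r"\bshipping\s+(document|label|notice)\b|\bdelivery\s+(notice|failure)\b",
    "action_needed": r"\b(your\s+)?action\s+(needed|required)\b|\bimmediate\s+action\b",
}
COMPILED = {name: re.compile(pattern) for name, pattern in RISKY_THEMES.items()}


def normalize(subject):
    """Lowercase, drop any number of Re:/Fw:/Fwd: prefixes, and reduce
    punctuation to whitespace so the theme regexes see plain words."""
    s = subject.lower().strip()
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s)
    s = re.sub(r"[^a-z0-9\s]", " ", s)
    return re.sub(r"\s+", " ", s).strip()


def classify_subject(subject):
    """Return the list of risky themes (in RISKY_THEMES order) that the
    normalized subject line matches; an empty list means no theme hit."""
    text = normalize(subject)
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def triage(messages):
    """Walk a list of {'id', 'from', 'subject'} dicts and return
    (id, sender, themes) tuples for every message that hit at least one theme.
    The result is meant for a reviewer queue, not for automatic blocking."""
    flagged = []
    for msg in messages:
        themes = classify_subject(msg["subject"])
        if themes:
            flagged.append((msg["id"], msg["from"], themes))
    return flagged


# Constructed sample mailbox (not real mail) for running the triage offline.
SAMPLE_MAILBOX = [
    {"id": 1, "from": "it-helpdesk@mail-example.test", "subject": "RE: Confirm Your Password"},
    {"id": 2, "from": "fax@gateway-example.test", "subject": "Incoming Fax - 2 pages"},
    {"id": 3, "from": "billing@vendor-example.test", "subject": "Your Action Needed: Impending Service Cancellation"},
    {"id": 4, "from": "alice@corp-example.test", "subject": "Q3 planning meeting notes"},
    {"id": 5, "from": "noreply@courier-example.test", "subject": "Shipping document attached"},
]

if __name__ == "__main__":
    for msg_id, sender, themes in triage(SAMPLE_MAILBOX):
        print(f"message {msg_id} from {sender}: {', '.join(themes)}")
```

Message 3 illustrates why a list of themes is returned rather than a single label: a lure often stacks an urgency cue ("Your Action Needed") on top of a pretext ("Impending Service Cancellation"), and seeing both together is a stronger signal than either alone.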

Think Before You Click

Education is the best protection against social engineering. It has to be ongoing to keep security at the forefront of your staff members’ minds. In addition to regular training, third-party social engineering penetration testing can help determine employee susceptibility to various attacks. In this type of security exercise, trusted third-party security experts attempt to lure employees into various email phishing schemes, fraudulent phone calls, and unauthorized facility access, helping your company determine how well your staff would perform against these social engineering threats in the real world.

With social engineering attacks on the rise and with attackers devoting as much thought to customizing their attacks as marketing departments, companies must be vigilant in educating their staff and conducting ongoing training and testing.