The Human Element: Preventing Social Engineering Attacks
As much as people in the industry focus on the technical aspects of cyberattacks, the human element plays a major role in most breaches. Criminals don’t always have to find a major security flaw; they can often simply exploit weaknesses in human behavior.
That’s the basis of social engineering: exploiting common human behaviors, either as one step in an attack or as its main focus. Today, we’ll talk about social engineering attacks, especially email-based attacks, and how you can help prevent your customers from falling victim.
Social Engineering 101
As mentioned above, social engineering exploits loopholes in human psychology and behavior to launch an attack. Humans, for example, tend to automatically trust authority figures and anyone displaying the trappings of such positions: if a doctor tells you to do something for your health, you’re more likely to follow their advice than that of someone who lacks credentials.
Criminals exploit this principle in social engineering attacks. A common scam involves calling an unsuspecting person, claiming to be from a tech company, and asking them to download “security programs” onto their computer. The criminal might charge money for the “service,” collecting the victim’s credit card information in the process. They may also have the victim install malware, allowing the criminal to do further damage after the fact. This attack doesn’t require much technical know-how; often only a spoofed phone number and some basic information on the victim.
Many (if not most) social engineering scams are launched over channels other than the phone. Some occur via social media. For example, a cybercriminal might create a fake social media profile that mimics another person’s, then use that profile to friend the victim and ask for money. Frankly, if there is a way to con people out of money or data, criminals will find it.
But one of the most common social engineering channels is email—so let’s dig into that.
Cybercriminals love email. For starters, emails are cheap and easy to send. Criminals can send a large number of emails and often net a few victims per send. Also, most people deal with email overload. Business users can get dozens or even hundreds of emails per day (especially if they’re in a management or executive position). With this kind of volume, mistakes are bound to happen. Common email-based social engineering attacks include the following.
- Phishing: Phishing involves sending out fraudulent emails meant to trick users into clicking links that take them to fraudulent websites. These websites may look very similar to a common website like PayPal, but they’re actually forgeries used to trick users into giving up personal information like login credentials. Phishing attacks rely on sheer volume: if hackers have access to a large database of email addresses, they can send these emails in bulk, and odds are good at least a few people will click the fraudulent link and hand key information to the criminal.
- Spear-phishing: Where phishing casts a wide net, spear-phishing attacks use harpoons. These attacks are highly targeted at an individual or a small group of individuals, and typically require reconnaissance work by the criminal first. For example, a spear-phishing attempt might involve a criminal masquerading as the CFO of a company asking the CEO to approve a money transfer. Pulling this off often requires some knowledge of both the CFO and the CEO (although it might not be as challenging for companies with less sophisticated security practices).
- Baiting: Baiting attacks use the promise of a giveaway to steal someone’s information. For example, a criminal might offer free concert tickets to see Eddie Money if the victim enters their credit card information for a small “processing fee.” The victim thinks they have two tickets to paradise, but in truth, they have two tickets to fraudulent bank transactions.
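The phishing and spear-phishing patterns above leave two tell-tale marks in the message itself: a trusted display name paired with an address from somewhere else, and a link whose visible text names one site while its href points at another. The following Python script is an added example (not code from the original post, and not part of any SolarWinds product) that flags both indicators in raw RFC 822 messages. The executive roster in KNOWN_EXECUTIVES and the three sample emails are constructed for the demonstration; a real deployment would load the roster from the customer’s directory and run the check from a mail-flow hook.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed roster: display names attackers might borrow, mapped to the
# only address each of those people legitimately sends from.
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Visible anchor text that looks like a hostname or URL, e.g. "www.paypal.com".
SHOWN_HOST_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I
)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def shown_host(text):
    """Host named by the anchor text, or '' if the text is not host-like."""
    match = SHOWN_HOST_RE.match(text.strip())
    return match.group(1).lower() if match else ""


def href_host(url):
    """Host the anchor actually navigates to, or '' for relative/empty hrefs."""
    return (urlparse(url).hostname or "").lower()


def analyze(raw):
    """Return a list of human-readable social engineering indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1 (spear-phishing): a known executive's display name on an
    # address that is not the one we know that executive uses.
    from_header = msg["From"]
    for addr in (from_header.addresses if from_header else ()):
        expected = KNOWN_EXECUTIVES.get(addr.display_name.strip().lower())
        if expected and addr.addr_spec.lower() != expected:
            findings.append(
                f"display-name impersonation: '{addr.display_name}' <{addr.addr_spec}>"
            )

    # Indicator 2 (phishing): anchor text names one host, href goes elsewhere.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        extractor = LinkExtractor()
        extractor.feed(html_part.get_content())
        for text, href in extractor.links:
            shown, actual = shown_host(text), href_host(href)
            if shown and actual and shown != actual:
                findings.append(f"link mismatch: shows {shown}, goes to {actual}")
    return findings


# Constructed sample messages (not real traffic).
SPEAR_PHISH = """\
From: Jane Doe <jane.doe@mail-example-corp.net>
To: ceo@example.com
Subject: Wire approval needed today
Content-Type: text/plain; charset=utf-8

Please approve the attached transfer before close of business.
"""

PAYPAL_LURE = """\
From: PayPal Service <service@example.net>
To: user@example.com
Subject: Account verification
Content-Type: text/html; charset=utf-8

<html><body>Please verify at
<a href="http://login.attacker-controlled.example/login">www.paypal.com</a>
</body></html>
"""

CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: ceo@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Lunch at noon?
"""

if __name__ == "__main__":
    for label, sample in [("spear", SPEAR_PHISH), ("lure", PAYPAL_LURE), ("clean", CLEAN)]:
        print(label, analyze(sample) or ["no indicators"])
```

Both checks are deliberately narrow so they produce few false positives: the display-name rule only fires for names on the roster, and the link rule only fires when the visible text itself looks like a hostname, so ordinary “Click here” links are ignored. Neither check replaces a mail security gateway; they show the kind of signal such a gateway, and a trained user, keys on.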
Preventing Social Engineering
While it’s hard to fully prevent social engineering attacks, there are steps you can take to reduce your risk.
For starters, user awareness training is crucial. As an MSP, you should train users to spot potentially fraudulent communications over phone, text, social media, and email. However, the point of the training isn’t simply to impart information; you should aim for behavioral change. Your customers need to be suspicious of unsolicited communications and unusual-looking emails. Don’t stop with one training session: hold regular refreshers to keep security top-of-mind with your customers. Additionally, consider sending helpful email reminders that prompt customers to stay on guard against these attacks. These communications also help reinforce your MSP’s brand and the value you bring to your customers.
However, you shouldn’t stop at awareness training. Since a large share of social engineering attacks arrive over email, it makes sense to put a strong email security solution in place. SolarWinds® Mail Assure, for example, uses collective intelligence from millions of domains under management to help spot suspicious emails and protect users from them. If a potential phishing attack is detected among a subset of users, Mail Assure uses that information to protect the rest of its user base from the same attack. Mail Assure is compatible with nearly any email service, including Microsoft Office 365 Exchange. If you want to help keep your customers safe from social engineering attempts, learn how Mail Assure can help by starting a free trial.