Social engineering: The biggest security risk to your business

Padlock being lifted by a fishing hook on a blue background to symbolise phishing attacks
(Image credit: Shutterstock)

Most businesses have spent time and money educating their employees on the threat of phishing emails. Many attempts are clumsy and riddled with mistakes and typos, making them easy to spot and delete before any harm is done.

But social engineering scams - when cybercriminals target specific departments and users with communications tailored to look like they come from a senior figure, supplier or job applicant - are on the rise and are much harder to spot. Let's dig a little deeper into this worrying trend and the impact on businesses.

Social engineering? Sounds sinister.

It is, but not in an Aldous Huxley, Brave New World kind of way. The dictionary definition would be something like: "Deception with the intent of gaining confidential information for fraudulent purposes." In practical terms, this typically means someone trying to trick you into sharing your login credentials, or installing malware.

Ah, you mean like phishing. Isn't that a consumer problem?

Phishing is one social-engineering trick, but the definition includes any attack methodology that relies on trust and deception. And it's certainly not merely a consumer problem: when Imperva researchers set up honeypots to attract phishing attacks, they found that business data was highly sought after, with 25% of the attackers going for business-related targets.

So what types of attack do we need to look out for?

We're all familiar with scattergun phishing emails, but you should also be on the alert for highly targeted attacks ("spear phishing"); these can be much harder to spot, because they appear to come from a trusted source and include information specific to the recipient.

Then there are those telephone calls pretending to be from Microsoft support, that actually want to gain remote access to your computer. And don't discount the possibility of someone walking confidently into your offices, smooth-talking their way past the reception desk and gaining physical access to your IT systems.

Surely not many people fall for these tricks?

The trouble is that a social engineer only needs to fool one person in your organisation to gain access to your networks and data. Indeed, talk to any IT security professional and they'll tell you that most data breaches today start with a social engineering attack of some kind. It's often much easier to exploit an individual than to mess around with technical hacks.

So what should we do if one of our employees falls for a social-engineering attack?

Well, don't blame them. Employees are only human, and in most cases they're trying to do the right thing. MWR InfoSecurity did some simulated phishing research last year, and found that spoofed emails, supposedly from the HR department of their organisation, fooled nearly three-quarters of recipients into clicking a phishing link and providing their credentials.

For similar reasons, social media is often a channel for social engineering, as it provides a ready-made network of trust. The same researchers found that when an email (even one sent to a work address) requested the recipient to connect via a social media channel, roughly 25% clicked the included link. This led them to a fake login screen where 54% gave their credentials of whom 80% then downloaded a malicious executable.

Is there a technical solution we can deploy?

Unfortunately, it's not as easy as just installing product x, as social engineering targets people as much as computers. There are technical solutions that should be part of your defences such as two-factor authentication, to defeat password stealing, and disabling remote access to files and servers where it's not needed. However, all of this needs to be deployed in tandem with user awareness training.

What's the best way to make users aware of the risks?

As is so often the case, the best way to learn is through experience. There are many organisations that provide phishing simulations, to show users how they can get fooled and help them recognise such situations when they occur for real. Again, though, don't blame staff if they do get tricked: that only isolates them from the security process, and you'll get better results not to mention a happier workforce if they feel trusted and involved with company security.

Five classic social-engineering tricks

USB seeding is where malware-infected USB sticks are dropped outside a target building, or even left on tables in reception or at a local coffee shop frequented by employees. Far too often, a curious finder immediately plugs the stick into their work PC, and boom goes your network security.

A similar exploit is the "Israeli Trojan" trick, in which supposed product demo CDs were sent to target individuals within an enterprise. Many would insert the CD without giving it a second thought. Today the threat actor might even make contact ahead of time, so the recipient is expecting to receive the disc or email, and is therefore more inclined to trust it.

Phishing attacks work well with social engineering. If someone in the accounts department receives an URGENT INVOICE' email towards the end of the month which looks legitimate, damage can be done with them simply clicking the attachment, especially if the extension has been spoofed to look like a .pdf.

Caller-ID spoofing involves making phone calls, or sending text messages, from a spoofed number which appears as a genuine contact to the recipient. Since the line of communication is already trusted, this approach is both subtle and dangerously effective.

One final approach which is estimated to have cost businesses $2.3bn according to the FBI is CEO scams. This can be email or another communication purportedly from the CEO sanctioning an urgent transfer of money. Cybercriminals using this method normally work hard to make the message look legitimate, and send it to a few carefully-chosen employees, increasing the chances of catching someone off-guard who will send the money quickly.

Picture: Shutterstock

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.