How to Detect Social Engineering: Identifying the Red Flags

Social engineering persists as a growing threat and significant instigator of cyber attacks. Research indicates that more than 90% of cyber attacks originate from social engineering tactics, predominantly through phishing emails.

What is Social Engineering?

Social engineering, the art of manipulating human psychology, is the surreptitious force that drives cybercrime. Hackers don’t always need to crack complex codes or infiltrate secure networks. Instead, they exploit human trust, curiosity, and vulnerability. The goal is to coerce victims into divulging sensitive information or performing actions that they shouldn’t.

These actions might include sharing personal data, downloading malicious software, or falling for deceptive schemes. In doing so, attackers often exploit human psychology, trust, and emotion to achieve their goals.

The Importance of Social Engineering Training

Much of cybersecurity is focused on the technology aspects: servers, applications, databases, networking, firewalls, and the like. However, all the defenses placed on those assets are greatly hindered and undermined if the human aspect of cybersecurity isn’t also addressed. Simply put, humans, especially those in an otherwise well-secured environment, are often the weakest link in an organization’s defenses.

Unlike the technological components of the equation, human beings are more malleable, more flexible, and therefore are inherently capable of making mistakes. In addition, humans have a natural desire to help others. These qualities are what make social engineering attacks so potent.

It’s imperative to educate your employees, who serve as your primary defense, on identifying and thwarting social engineering attempts. This proactive approach is vital in reducing the risk of a data breach.

Successfully protecting oneself from a social engineering attack has proven to be an immensely complex task as they can come in many different forms, utilizing many different strategies. Training requirements need to apply to all employees, regardless of their roles and access within the organization.

While attackers often prefer gaining access to a user account that already has high levels of access, even gaining access to accounts with low levels of access can be severely damaging. Oftentimes these low-level accounts are used as a foothold to then pivot within the network, and slowly escalate their privileges or compromise additional accounts. Once an attacker has infiltrated the network, the types and severity of damage they can cause varies greatly. But that topic is for another day (or, more accurately, another blog post).

There’s a saying in the cybersecurity industry, “Defenders need to be perfect 100% of the time, while the attackers only need to get lucky once.” This realization helps highlight the importance of proper social engineering detection training.

Types of Social Engineering Attacks

Social engineering attacks come in all forms and in many variations. Below, we have broken down some of the most commonly-used attacks:

Email-Based Attacks

  • Phishing: Probably the most well-known social engineering attack, phishing occurs when an attacker sends a deceptive email, trying to get the user to respond by providing sensitive information or to perform actions that they shouldn’t.
  • Spear Phishing: Similar to phishing, spear phishing targets employees with higher levels of access (think C-suite or IT directors).

Phone-Based Attacks

  • Vishing: During a vishing attempt, attackers call you, often with a pretext, trying to convince you to divulge information or perform a malicious action, e.g., buying gift cards and providing the codes, or performing a wire transfer.
  • Smishing: Similar to vishing, smishing is conducted over text message (SMS) conversations. A very common example is the fraudulent USPS text messages your phone is almost certainly receiving each week regarding “undeliverable packages.”

Physical-Based Attacks

  • Tailgating: When needing to bypass security measures to enter a building, an attacker will often try to follow behind (tailgate) a legitimate employee after they have unlocked the door. If you notice an unfamiliar or suspicious person following you through an entryway, you can always ask them to swipe their prox key or contact security.
  • Impersonation: Attackers often pose as electricians, construction workers, installers, etc. Never hesitate to ask for identification and to contact the appropriate person directly within the company to confirm their assertions.

Potential Indicators of Social Engineering Attacks

While it is impossible to have a completely comprehensive list of what to look for when trying to identify the legitimacy of any given communication, below are some high-level indicators to look for:

  • Asking for logon credentials
  • A sense of urgency being placed upon the request
  • Suspicious or unfamiliar “from” email address
  • Suspicious or unfamiliar phrases from a well-known person
  • Suspicious or unfamiliar phone number
  • Grammatical errors
  • Requesting the download of a file
  • Requesting to click a link
  • Requesting to install software
  • Offers that seem too good to be true

Keep in mind that identifying any of these in an email does not guarantee that the email is fraudulent. However, these traits are worth noting and may help you identify a social engineering attempt.

As many cybercriminals are leveraging artificial intelligence (AI) to conduct more sophisticated social engineering campaigns, following the steps above will help improve your organization’s defenses against potential cyber threats.

When In Doubt…

If you receive a suspicious message or communication, don’t hesitate to pause before acting. Poor decisions are often made when rushed, and cybercriminals know that. Therefore, if you sense a communication has a strong sense of urgency to it, let that only serve as an additional reason to report it to the proper authority and have them verify the communication. Always remember to:

  • Report all suspicious communication according to your company policies.
  • Do not trust or rely on any provided link. Instead, go to the actual website directly.
  • Do not trust or rely on any provided phone number. Instead, look up the company’s phone number online, and contact that number directly.
  • Do not trust or download any suspicious attachments or software.
  • Do not overshare or provide any additional information about yourself or your organization.
  • If the communication is via email, refer to the sender’s address. Keep in mind to pay attention to the full address, as attackers often embed the names of legitimate companies in subdomains of a domain they control to make it look legitimate (e.g., https://www.googleaccount.attacker.com, where the real domain is attacker.com).
  • If the communication is via a phone call, hang up and dial the official phone number on the company’s website.
  • If you notice an unfamiliar person in a place with restricted access, contact security or the appropriate resource.
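An added example (not from the original post) that turns the indicators listed above and the full-address check into a small triage script a defender could run over reported emails. The trusted-domain allowlist, keyword lists and the sample message are constructed for illustration, and the registrable-domain logic is simplified to the last two labels (a real deployment should consult the Public Suffix List for suffixes such as co.uk).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation recognises (assumption).
TRUSTED_DOMAINS = {"example.com", "google.com"}
# Constructed phrase lists mirroring the indicators: urgency and credential requests.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "act now")
CREDENTIAL_WORDS = ("password", "log in", "login", "verify your account")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname: 'www.googleaccount.attacker.com'
    becomes 'attacker.com'. Simplified; does not handle multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(from_header: str) -> str:
    """Pull the domain out of 'Display Name <user@domain>' or a bare address."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def link_hosts(body: str) -> list:
    """Hostnames of every http(s) link found in the message body."""
    return [urlparse(u).hostname or "" for u in re.findall(r'https?://[^\s<>"]+', body)]


def assess_email(from_header: str, subject: str, body: str) -> dict:
    """Score a message against the red flags; two or more flags marks it suspicious."""
    flags = []
    sdom = sender_domain(from_header)
    if registrable_domain(sdom) not in TRUSTED_DOMAINS:
        flags.append(f"unfamiliar sender domain: {sdom}")
    text = f"{subject}\n{body}".lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(w in text for w in CREDENTIAL_WORDS):
        flags.append("asks for credentials")
    for host in link_hosts(body):
        real = registrable_domain(host)
        if real not in TRUSTED_DOMAINS:
            flags.append(f"link to untrusted domain: {host} (registrable: {real})")
    return {"flags": flags, "suspicious": len(flags) >= 2}


# Constructed sample message using the page's look-alike address pattern.
SAMPLE = {
    "from": "Google Accounts <security@googleaccount.attacker.com>",
    "subject": "URGENT: verify your account within 24 hours",
    "body": "Your password expires today. Log in here: https://www.googleaccount.attacker.com/verify",
}
```

Running `assess_email(**{k: SAMPLE[k] for k in SAMPLE})` on the sample raises all four flags, while a newsletter from a trusted domain with no urgency or credential language raises none.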

How We Can Help

RedLens InfoSec, CampusGuard’s trusted security team, understands the significance of prioritizing social engineering. That’s why we offer a comprehensive Phishing Awareness course and social engineering assessments as part of our comprehensive cybersecurity offerings.

Our social engineering engagements identify your organization’s areas of weakness in a controlled environment—without the actual consequences of a data breach. We test, train, and secure your employees’ interactions with common social engineering tactics to prevent an actual attack.

Contact us to learn more about how we can help.


About the Author
Steve Garten

Penetration Tester

As a lifelong learner, Steve delved into full-stack web development while completing his bachelor’s degree in psychology. While his career started in web development, his true passion emerged when he explored the world of cybersecurity by securing his own applications. He earned a master’s degree in Computer Information Systems and transitioned into the role of a penetration tester, where he now safeguards digital systems from threats.