Despite companies spending a lot of money to get the latest security tools and solutions in place, cybersecurity breaches are still common at organizations of all sizes.
A huge factor that contributes to this is that many successful attacks exploit users with social engineering techniques.
It’s not even necessarily that people are to blame for social engineering. Threat actors deploy cunning psychological tricks to dupe targets into performing certain actions or disclosing sensitive information. The best way to combat social engineering is through increased awareness of the tactics that hackers use. This article aims to help you and your users identify some of the main signs of social engineering attacks.
How Common is Social Engineering?
To put the challenges companies face in dealing with social engineering into context, here are some useful statistics:
● 70-90 percent of data breaches involve a social engineering component in the attack
● The average company gets hit by 700 social engineering attacks each year
● 75 percent of cyber security practitioners regard social engineering as the most dangerous threat
It’s clear from these numbers that social engineering is a successful and widespread cyber threat that requires ongoing improvement in users’ ability to recognize the signs of attacks.
5 Signs of Social Engineering
The following list is not exhaustive, but it’s a good starting point to get users thinking more deeply about whether they are being scammed.
1. Requests That Are Out of the Ordinary
One of the trickiest aspects of social engineering is how advanced it’s becoming. Hackers sometimes break into a specific business email account with the intention of instigating fraudulent activity.
In one recent case, Europol busted a gang that committed fraud to the tune of 38 million Euros. The attacks involved breaking into business email accounts and then mailing the finance or accounting departments and requesting fraudulent transfers.
One of the most important lessons to learn is to be wary of requests that seem out of the ordinary. Even if a request comes from an email address that your users have interacted with dozens of times, a direct phone call to that person helps verify that the request is a legitimate one. Where large sums of money are involved, it pays to be extra cautious of strange or unexpected requests.
2. A Sense of Urgency
Creating urgency is a classic psychological trick that plays an important role in many social engineering attacks. Scammers craft their messages so that the victim acts right now, for fear of financial, personal, or work-related harm, or to solve a pressing issue. An example of this tactic is a target receiving an email from "IT support" that urgently needs access to their application or workstation in order to fix some issue. The user discloses their password without thinking it through because of the urgent, high-pressure tone of the email. The intuitive pull of urgency, combined with other psychological tricks, makes this a hard sign of social engineering to spot. In general, it's worth asking users to always think twice about the legitimacy of an email's source, regardless of how urgent the request seems or how authoritative the source appears. Advise employees to take a couple of extra minutes to think things through when they see urgent requests, no matter who they appear to come from.
3. Alluring Offers
Baiting people with appealing offers is a rather crude yet quite effective social engineering tactic. One obvious choice is to tell people they've won a prize and direct them to a scam website. Most employees probably won't be duped by the more obvious baiting tactics; these tend to work on an older or more vulnerable demographic. Alluring offers can work within a professional environment too, though. For example, an employee sees a great discount for a tool that's useful for their work or a certification that furthers their career, but the discount leads them to a scam site that covertly installs malware on their laptop or workstation. A good rule of thumb for emails or texts containing offers is that if something seems too good to be true, there's a good chance social engineering is involved.
4. Unexpected Verification Requests
With a lot of best-practice cybersecurity advice focusing on multi-factor authentication, people are used to receiving requests to verify their identities. Often, verification requests come in the form of one-time codes sent by email or text message. Exploiting how common multi-factor authentication and other verification methods have become, hackers now incorporate them into their social engineering tactics. A frequently seen tactic is asking targets to verify their information by clicking a link that seems legitimate but actually directs the target to a malicious website.
These emails often appear to come from trustworthy sources like Amazon, PayPal, Okta, etc. They contain the correct logos and format of legitimate emails from those sources, which further complicates detection. In general, it's prudent to be very cautious about any request to verify information that the user did not initiate themselves.
5. Poor Grammar or Spelling
Poor grammar or spelling is a hallmark of many low-quality social engineering attacks. It's true that these attacks have a lower likelihood of succeeding, but watching out for poor grammar or frequent typos is one easy way to identify the signs of an impending social engineering attack. Alarm bells should definitely be ringing when emails purporting to be from companies or professional bodies contain basic mistakes. These organizations have the resources to hire competent writers and to double-check that their customer-facing communications contain no mistakes.
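As an added example (not part of the original article), the following Python helper triages an email body for three of the signs above: urgency wording (sign 2), credential or verification requests and links whose visible text names a different domain than the real destination (sign 4), and common misspellings (sign 5). The keyword lists and both sample messages are constructed for illustration; a real mail gateway would use far larger lists and a proper public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short indicator lists (illustrative only).
URGENCY = ("urgent", "immediately", "within 24 hours", "right now", "will be suspended")
CREDENTIAL_ASK = ("password", "verify your", "confirm your identity", "one-time code", "wire transfer")
COMMON_TYPOS = ("recieve", "acount", "verfy", "securty", "adress")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude "registrable domain": last two labels. Fine for example.com-style hosts.
    return ".".join(host.lower().split(".")[-2:])

def mismatched_links(html):
    """Return (visible text, href) pairs where the text shows one domain but the link goes elsewhere."""
    parser = LinkCollector(); parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable(shown.group()) != registrable(urlparse(href).hostname or ""):
            flagged.append((text, href))
    return flagged

def triage(html):
    """Return the list of social-engineering signs found in an HTML email body."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    reasons = []
    if any(k in text for k in URGENCY): reasons.append("urgency")
    if any(k in text for k in CREDENTIAL_ASK): reasons.append("credential/verification request")
    if any(k in text for k in COMMON_TYPOS): reasons.append("spelling errors")
    if mismatched_links(html): reasons.append("link text/destination mismatch")
    return reasons

# Constructed sample messages: one phishing-style, one benign internal mail.
SAMPLE = ("<p>Urgent: your acount will be suspended. Please verify your details at "
          "<a href='http://login-check.example.net/x'>https://www.paypal.com/verify</a> "
          "within 24 hours.</p>")
BENIGN = ("<p>Hi team, the quarterly report is attached. See "
          "<a href='https://intranet.example.com/r'>intranet.example.com</a>.</p>")
```

Links whose visible text is plain wording ("Click here") carry no domain to compare, so this check only catches the look-alike-domain case the article describes; the other heuristics still apply to such mail.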
Test Your Social Engineering Readiness
At DIESEC, we're fully aware of how pernicious the threat of social engineering is for modern businesses. That's why we're here to test your company's social engineering readiness and tailor user training and awareness based on the results. Our team of experts performs social engineering tests under real conditions and then uses results-based advice to strengthen social engineering awareness.