Security Maturity Blog

Get deep insights and the latest news on Organizational Security Maturity from the security experts at Global Data Systems

How to Fight Social Engineering Attacks

Cyberattacks are often considered to be highly sophisticated operations that use complex techniques to bypass security measures. However, most are quite simple, relying on social engineering tactics to manipulate individuals into divulging confidential or personal information.

Social engineering is a technique that requires no programming skills, advanced tool sets or technical knowledge. Attackers simply exploit people’s natural tendencies to trust and help others, their desire to avoid conflict or negative consequences, and their inclination to comply with authority figures. By leveraging these emotions, social engineers can manipulate people into giving up sensitive information, downloading malware or taking other actions that serve the attacker’s purposes.

Social engineering is the most common form of Internet crime, according to data compiled by the FBI’s Internet Crime Complaint Center. There were 323,972 social engineering complaints in 2021, more than any other type of cybercrime combined. It’s estimated that up to 90 percent of all cyberattacks have social engineering components.


Most Common Versions of Social Engineering

The most common version of social engineering is phishing, in which attackers use spoofed emails or text messages that appear to come from a trusted source. These messages typically contain a link or attachment that, when clicked, takes the victim to a malicious website or installs malware on their device. In other cases, an attacker impersonating a trusted individual will seek a transfer of money or sensitive information.

Other common techniques include spear-phishing attacks tailored for a specific individual or organization, whaling attacks targeting senior executives or other high-profile individuals, and baiting attacks that offer rewards or incentives in exchange for the victim’s participation. Vishing or smishing attacks are delivered via voice calls or SMS text messages.

Social engineering is on the rise because it is a low-risk, high-reward attack for malicious actors. But it’s costly for the victim. According to IBM, the average cost of a data breach with social engineering as the initial attack vector is more than $4 million.

Preventing social engineering attacks requires education, vigilance and a robust cybersecurity strategy. Here are some of the measures that individuals and organizations can take to prevent social engineering attacks:

  • Educate employees. Training should cover different types of social engineering attacks, how they work and how to respond to them. Training should emphasize three essential practices for avoiding phishing attacks — don’t open emails from senders you don’t recognize, don’t click on email links if you aren’t sure they are legitimate, and don’t open email attachments unless they are expected and come from a trusted source. Test employees with simulated phishing emails to see if they can recognize current threats and techniques.
  • Implement multifactor authentication. MFA solutions help prevent unauthorized access to applications, systems and services by reducing reliance on passwords and unsafe password practices. This reduces the risk of social engineering attacks that involve stealing passwords or other credentials.
  • Use content filters. Filtering solutions use various techniques to identify and block suspicious emails before they ever reach users’ inboxes. Mobile device management solutions often include a filtering component for remote and mobile devices used outside the network.
  • Segment the network. Segmentation limits risk by breaking up the network into smaller, isolated parts to prevent malware from propagating throughout the network.
  • Enforce strong password policies. Require employees to create complex passwords and change them regularly. It’s also a good idea to require unique usernames and passwords for different systems and services.
  • Implement access privileges. Specific procedures should state who has access to various parts of your network and how. These procedures should also state who is authorized to approve access and who can approve any exceptions.
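The training bullet above boils down to three checks on an inbound message (unfamiliar sender, doubtful links, unexpected attachments), and the content-filter bullet describes automating the same judgement before mail reaches the inbox. The following Python script is an added example written for this post, not code from GDS or from any filtering product; it parses raw messages with the standard library and returns a list of indicator strings. The trusted-domain list, the risky-extension list and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage of inbound email for social engineering indicators.

Added example. The policy values (TRUSTED_DOMAINS, RISKY_EXTENSIONS) and the
sample messages are constructed for illustration, not taken from a real tenant.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed organisation policy (constructed): domains whose mail we consider
# in-house or partner, and attachment types that should never arrive unannounced.
TRUSTED_DOMAINS = {"example.com", "partner.example.net"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".html", ".htm"}
URL_RE = re.compile(r"https?://([^\s/:\"'>]+)", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Return the lower-cased domain of an address such as 'a@b.com'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_message(raw: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return indicator strings for one RFC 5322 message; [] means nothing flagged."""
    msg = Parser(policy=policy.default).parsestr(raw)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Sender outside the set of domains the organisation trusts
    #    (the "sender you don't recognize" check from the training bullet).
    if from_dom and from_dom not in trusted:
        flags.append(f"unknown-sender-domain:{from_dom}")

    # 2. Display name borrows a trusted organisation's name while the address
    #    itself is not from a trusted domain: the classic spoofing cue.
    if from_dom not in trusted:
        for dom in sorted(trusted):
            org = dom.split(".")[0]
            if org in from_name.lower():
                flags.append(f"display-name-mismatch:{org}")
                break

    # 3. Reply-To steers answers somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(f"reply-to-mismatch:{_domain(reply_addr)}")

    # 4. Links whose host lies outside the trusted set.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in URL_RE.findall(text):
        if host.lower() not in trusted:
            flags.append(f"external-link:{host.lower()}")

    # 5. Attachments carrying executable or script-bearing extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            flags.append(f"risky-attachment:{name}")

    return flags


# Constructed sample messages.
LEGIT = """\
From: "Example Payroll" <payroll@example.com>
To: staff@example.com
Subject: Payslips now available
Content-Type: text/plain; charset="utf-8"

Your payslip is available at https://example.com/payroll as usual.
"""

SPOOFED = """\
From: "Example Payroll" <payroll@examp1e-login.com>
Reply-To: collect@mailbox.invalid
To: staff@example.com
Subject: Urgent: confirm your direct deposit
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://examp1e-login.com/verify before 5pm.
"""

ATTACHMENT = """\
From: "IT Helpdesk" <helpdesk@mail-support.invalid>
To: staff@example.com
Subject: Updated VPN client
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Install the attached update today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="vpn_update.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("attachment", ATTACHMENT)):
        print(label, "->", triage_message(sample) or "clean")
```

The script is a teaching aid, not a replacement for a filtering product: real filters add sender reputation, SPF/DKIM/DMARC results and URL detonation, and the display-name check here is deliberately crude (it matches the first label of each trusted domain, so it would flag any external sender whose name contains "example"). Its value is in showing that the three habits taught to employees map onto concrete, checkable properties of a message, so training and tooling reinforce each other.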


Advanced Email and Web Security Services

GDS offers advanced email and web security services, multifactor authentication and security awareness training necessary to identify and stop social engineering attacks. Contact us to learn more.


Connect with us

Global Data Systems
310 Laser Lane
Lafayette, Louisiana 70507

  • 888-435-7986
  • info@getgds.com
