Ways to Mitigate Social Engineering-based Cyber Attacks

risk management

Mar 12, 2020

Social engineering is an attack technique that manipulates employees or individuals into handing over information or access, usually for the attacker's financial gain. Social engineering attacks are launched mostly via email, social media, and over the phone.

Social media is an especially common way for social engineers to obtain a user's personal information. Sharing a lot of information online makes it much easier to fall for a cybercriminal's scam. For example, when an employee shares a post that shows customer information in the background, a capable attacker can use those details to craft an email or phone call so specific to the recipient that the recipient believes it comes from a legitimate source. With the information gathered from social media, a cybercriminal can also impersonate an employee, and once the attacker obtains the employee's password or plants malware on the employee's system, he or she can search it for sensitive data. Some social media networks make it easy for social engineers to map out a company and the employees who work there.

Social engineers will use whatever means are available to break into a company's network and steal information. The common attack types are described below:

Common Attack Types Used by Social Engineers

Phishing and Spear Phishing

Phishing is the most common form of social engineering. It is a convincingly written email that either carries an attachment containing malicious code, which runs when the recipient opens it, or links to a malicious site that asks the recipient to enter login credentials.

Spear Phishing is a form of Phishing aimed at specific people in an organization who hold the sensitive information or access the attacker needs.

Vishing

A form of Phishing carried out over the phone, where the attacker talks the user into revealing sensitive information about the organization.

Baiting

Attackers exploit curiosity and greed by leaving a malware-infected external storage device where a victim is likely to find it. For example, an attacker might drop a USB drive labelled as containing a list of staff to be promoted; once a user picks it up and plugs it into a system, the malware on the drive gives the attacker access to that system.

Pretexting

Attackers invent a plausible scenario and impersonate someone in authority or a co-worker to extract sensitive information from the victim. They may pose as bankers, tax officials, or similar.

Quid Pro Quo

The attackers call individuals at random, claim to be from IT support, and offer technical assistance. Once they find a user who actually has a technical problem, they "help" resolve it and, in the process, obtain access to the victim's computer.

Tailgating/Piggybacking

This is when an unauthorized person gains entry to a restricted corporate area by exploiting the courtesy or inattention of authorized users, for example by claiming "I forgot my keycard" at a badge-controlled door. Once inside, the attacker might borrow an employee's laptop and install malicious software on it.

How to Minimize the Risks of Social Engineering?

The following are some key ways to reduce the risk of information being obtained by social engineers:

Effective Training

Employees should receive proper training on how to recognize the tactics used by attackers. This training should teach employees to be cautious about:

  • Emails with many grammar and spelling errors, incorrect URLs, or links whose visible text differs from the destination shown when the link is hovered over.
  • Emails and phone calls from unknown sources.
  • Physical access to one's computer by a third party.
  • Divulging personal information on unsecured websites, to unknown email addresses, or over the phone.

Training should be held quarterly, at a minimum, to keep employees abreast of the latest attack methods. All employees with access to personally identifiable information must be included in this training.
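The "misleading URL" indicator above can be checked mechanically as well as by eye. The following Python script is an added example, not part of the original article or of any Wilson Consulting Group tooling: it parses the HTML body of an email, finds every link whose visible text looks like a URL or host name, and flags it when the host the reader sees differs from the host in the `href` attribute. The sample message and the `example-corp` domains in it are constructed for the illustration and do not refer to a real company or a real campaign.

```python
"""Flag links in an HTML e-mail whose visible text is a URL or host name
that does not match where the link actually points (the classic phishing
"hover shows a different URL" indicator). Stdlib only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample lure. The domains are placeholders for the example.
SAMPLE_EMAIL = """
<html><body>
<p>Dear colleague, your password expires today.</p>
<p>Sign in at <a href="http://portal-example-corp.support/login">
https://portal.example-corp.com/login</a> to keep access.</p>
<p>Questions? See our <a href="https://intranet.example-corp.com/help">
help desk page</a>.</p>
<p>Or visit <a href="https://example-corp.com">example-corp.com</a>.</p>
</body></html>
"""

# Visible link text that a reader would interpret as a destination:
# an optional scheme, a dotted host name, and an optional path.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def host_of(url_or_host: str) -> str:
    """Lower-cased host of a URL or bare host name ('' if none found)."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "http://" + text  # let urlsplit treat a bare host as a URL
    return (urlsplit(text).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # normalize whitespace
            self.links.append((self._href, visible))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Return (visible_text, real_host) for each link whose visible text
    names a host other than the one the href really points to.
    Simplification: a real host that is a subdomain of the shown host
    (shown 'example-corp.com', real 'login.example-corp.com') is accepted."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # ordinary wording such as "help desk page": nothing to compare
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            findings.append((text, real))
    return findings


if __name__ == "__main__":
    for shown_text, real_host in find_deceptive_links(SAMPLE_EMAIL):
        print(f"DECEPTIVE LINK: text shows {shown_text!r} but points to {real_host!r}")
```

Run against the sample, the script reports only the first link (the visible text names `portal.example-corp.com` while the `href` goes to `portal-example-corp.support`); the plain-wording link and the honest link pass. A secure email gateway performs this kind of comparison at scale, but the same logic is useful in a training exercise to show staff what "hover over the link" is actually catching.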

Appropriate Company Policy

At a minimum, the following policies should be in place to reduce the opportunities available to cybercriminals:

  • A Security Policy that provides guidance to employees on the appropriate use of social media.
  • Acceptable Use Policy
  • Password Management Policy
  • Encryption Policy
  • Backup Policy
  • Access Control Policy

Third-Party Solutions

Research and implement the third-party solutions best suited to reducing the exposure of the company's information to cybercriminals. Some options are:

  • Secure Email Gateways that block malicious emails before they reach the mail server.
  • A Managed Service Provider that manages and monitors the company's network continuously.
  • An Insider Threat Management solution that records user activity in real time and supports investigation when incidents occur.
  • Endpoint protection that also blocks ransomware and spyware.

At Wilson Consulting Group, we recognize that security is a top priority for businesses and government agencies. We offer staff training on the appropriate use of information assets and access control, and effective solutions that help protect a company's assets from exploitation by social engineers.

Wilson Consulting Group is an innovative global cybersecurity consulting firm. We offer Information and Cyber Security Training, Cyber Intelligence, Cyber Security Assessment, Penetration Testing, and Vulnerability Assessment Services to evaluate any threats that your organization may face and provide solutions to combat them.
