
Identifying Social Engineering Attacks

Writer: rsander1966

Every employee in your company, no matter how well-intentioned, is susceptible to social-engineering-based cyber-attacks. Cisco reported that in 2022, 86% of organizations polled had at least one employee who unwittingly clicked on a malicious link. Whether it arrives through social media or email, social engineering (most often via phishing attacks) is the most used and most effective method of exploiting even the best-intentioned authorized user.


What is Social Engineering?

The best example of social engineering is when an attacker obfuscates their true identity and leverages social skills to engage a potential target. The attacker might masquerade as a fellow employee, a friend of a friend, an interviewer, a systems administrator, or countless other plausible identities. The most skilled attackers will showcase some ‘insider’ knowledge about the target (or the target’s company) to legitimize themselves and put the potential victim at ease. They exploit that budding relationship to get additional information from the target that can lead to unauthorized network access via authorized credentials. Sometimes attackers will target multiple authorized users of the same network and collect different, seemingly innocuous pieces of information from each that, when aggregated, become meaningful and provide a path to network access.


What is Phishing?

Phishing is the most common social engineering technique. According to IBM Security’s Security Intelligence blog, 95% of enterprise network attacks in 2023 relied on phishing to gain entry. Phishing attacks most often use email or malicious websites to gather information that enables the attacker to gain a foothold in the target network. The attacker poses as a trusted source and solicits information from the target that will enable access to the network. Attackers’ assumed identities run the gamut: charities, financial institutions, political groups, or myriad other seemingly virtuous entities.


Defending Against Social Engineering-based Phishing Attacks

As attackers become more sophisticated, their attacks look increasingly authentic – making these overtures hard to identify. That’s why they work! As users, we must educate ourselves to know what to look for to separate the wheat from the chaff.


  • There are a few telltale signs that unmask phishing attacks – you just have to know what to look for.

  • Be suspicious of any email that does not address you by name. ‘To Whom it May Concern,’ ‘Sir/Ma’am,’ etc., are indicators that the sender may not know you and should drive you to look more closely at the engagement.

  • Check hyperlinks and websites contained in the email closely before clicking them! They often masquerade as a legitimate site, but with slightly nuanced (different/incorrect) spelling of well-known prominent organizations. ALWAYS examine the URL itself prior to clicking an embedded link.

  • Examine the email address of the sender and the signature block. If you do not recognize the information, or if it is lacking in sufficient detail – beware. If you cannot verify the identity of the sender, there is a good chance you’ve encountered a phishing attack.

  • Attachments are dangerous! NEVER open an attachment if you cannot verify the identity of the sender and the veracity of the attachment.

  • Poor grammar and odd sentence structure are indicators that the email may be auto-generated or emanating from a foreign actor. If you note either of these, there is a good chance that it is a malicious actor.
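
The checklist above can also be run mechanically as a first-pass triage. The following is an added example, not part of the original post: it checks one message for an unverified sender, a generic greeting, link hosts that nearly spell a trusted domain, and attachments from unverified senders. The trusted-domain list, the 0.85 similarity threshold, and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this (hypothetical) organization has verified and trusts.
TRUSTED = {"contoso-bank.example", "intranet.example"}
GENERIC = re.compile(r"^\s*(to whom it may concern|sir/ma'?am|dear (sir|madam|customer))", re.I | re.M)

def lookalike(host):
    """Return the trusted domain that `host` nearly, but not exactly, spells."""
    host = re.sub(r"^www\.", "", host.lower())
    for good in TRUSTED:
        exact = host == good or host.endswith("." + good)
        if not exact and SequenceMatcher(None, host, good).ratio() >= 0.85:
            return good
    return None

def phishing_indicators(raw):
    """List the checklist indicators found in one raw RFC 5322 message."""
    msg, found = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED:
        found.append(f"unverified sender domain: {domain or 'missing'}")
    for part in msg.walk():
        if part.get_filename():
            if domain not in TRUSTED:
                found.append(f"attachment from unverified sender: {part.get_filename()}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if GENERIC.search(body):
                found.append("generic greeting")
            for url in re.findall(r"https?://[^\s<>\"']+", body):
                good = lookalike(urlparse(url).hostname or "")
                if good:
                    found.append(f"link host {urlparse(url).hostname} imitates {good}")
    return found

# Constructed sample message (not real mail); .example names are reserved for documentation.
SAMPLE = "\n".join([
    'From: "IT Support" <helpdesk@cont0so-bank.example>',
    "Subject: Account verification",
    'Content-Type: multipart/mixed; boundary="b1"',
    "", "--b1", "Content-Type: text/plain", "",
    "To Whom it May Concern,",
    "Confirm your details at https://www.cont0so-bank.example/login today.",
    "--b1", 'Content-Disposition: attachment; filename="statement.zip"', "",
    "UEsDBA==", "--b1--", ""])
```

Calling phishing_indicators(SAMPLE) returns one finding per indicator. A clean result only means none of these particular heuristics fired, so the sender still has to be verified.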


You Can Prevent Phishing Successes

It is essential to be aware that phishing happens all the time. We must put aside our naturally trusting nature and take a sharp look at any email whose source we cannot verify. Examine in detail every piece of a sender’s email address and every detail of any URLs or attachments embedded in the note. Just as importantly, never divulge personally identifiable information or sensitive company information in response to an email solicitation!


As with most cybersecurity challenges, layered defense makes for the best defense. We must rely on network administrators to install and properly configure security tools to keep malicious content from getting to the users. That is not foolproof, however. Even the best security measures cannot prevent some potentially malicious content from getting to the desk of a user. At that point, we must rely on our security awareness program to have taught the user to identify malicious content and avoid falling prey to it. Many organizations have security awareness and education programs in place, but if you do not – you need one!



 

 
 
 
