Cybersecurity breaches are at an all-time high, with business and IT leaders scrambling to deploy technologies to protect confidential data. While technology solutions are critical to maintaining security, the weakest link in any business is not the email services or the office software, it’s the staff.
Sophisticated phishing and spear phishing attackers use a mix of social engineering and spoofed email addresses to obtain information they shouldn’t have access to. When these attacks are aimed at a business, hackers could access sensitive data belonging to both employees and customers.
While awareness of these attacks is growing, there’s a reason they still exist: people fall for them. A hacker only needs to infiltrate one person, building enough credibility or trust to convince that staff member to provide confidential information or click a fraudulent link.
Many hackers are now turning to the phone with social engineering tactics to lay the groundwork for an attack. They’ll often pose as someone within the organization, a customer or outside vendor and convince the employee on the line to open an email they’ve sent. A phone conversation can build trust that couldn’t otherwise be gained by an email alone.
Imagine this scenario: An employee answers a call from someone who claims to be a co-worker at another location or perhaps a long-time trusted partner. The caller asks for confidential information that would not otherwise be shared, such as login details, and the employee provides the information. Now the hacker can break into the network or gain access to otherwise secured information.
In other cases, the hacker employs email-based social engineering tactics. Here the attacker sends a realistic-looking email – perhaps one that appears to come from a well-known colleague – and asks the recipient to click a malicious link within it. Once the hackers obtain the desired information, it’s often sold and used to infiltrate everything from bank accounts to healthcare records.
One of the best defenses against social engineering hacks is to implement end user training and test for failures – particularly around email.
Email policies should be created in a manner that reduces risk of a social engineering attack, while addressing your organization’s specific challenges and goals. Consider the following basic policies for internal emails:
- Don't send e-mail in HTML format
- Don't send unrequested attachments or hyperlinks
- Don't include or ask for personal information
- Use the full name of the user
One way companies can help users minimize the risk of attack is to require a specific format for how each internal message is written. This provides an identifying element users can check on every internal correspondence. If an internal email doesn’t follow that format and includes a link, it should serve as a red flag for something suspicious. It’s possible the sender simply forgot to follow the format, so the recipient should touch base with the sender: a quick phone call or instant message to verify authenticity can prevent a potential infiltration.
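One way to automate the internal-email format check described above, as an added example that is not from the article or from AppRiver: a Python checker that flags a message against the four basic policies listed earlier. The personal-information keyword list and the "display name must have at least two words" interpretation of the full-name rule are assumptions made for this example, and the two sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# The four rules come from the article; the keyword list and the
# two-word display-name rule are assumptions made for this example.
PERSONAL_INFO_TERMS = ("password", "login details", "social security", "account number")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)


def check_internal_email(raw_message: str) -> list[str]:
    """Return the policy violations found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    violations = []

    # Rule: use the full name of the user (assumed: sender display name >= 2 words)
    display_name, _ = parseaddr(str(msg.get("From", "")))
    if len(display_name.split()) < 2:
        violations.append("sender does not use a full name")

    body_text = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_attachment():  # Rule: no unrequested attachments
            violations.append(f"unrequested attachment: {part.get_filename()}")
            continue
        if ctype == "text/html":  # Rule: don't send email in HTML format
            violations.append("message contains an HTML part")
        if ctype in ("text/plain", "text/html"):
            body_text += part.get_content()

    if URL_RE.search(body_text):  # Rule: no unrequested hyperlinks
        violations.append("message body contains a hyperlink")
    lowered = body_text.lower()  # Rule: don't include or ask for personal info
    violations += [f"message mentions personal information: '{t}'"
                   for t in PERSONAL_INFO_TERMS if t in lowered]
    return violations


# Constructed sample messages (not real traffic)
COMPLIANT = ("From: Alice Example <alice@example.com>\nSubject: Meeting notes\n"
             "Content-Type: text/plain\n\nBob, today's notes are in the shared folder.\n")
SUSPICIOUS = ("From: IT <it-helpdesk@example.com>\nSubject: Urgent: confirm your account\n"
              "Content-Type: text/html\n\n<p>Your password expires today. "
              "Confirm at http://example.com/reset</p>\n")
```

Running `check_internal_email(SUSPICIOUS)` returns four violations (short sender name, HTML part, hyperlink, and the word "password"), while the compliant message returns none.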
Another simple precaution against social engineering is to instruct staff how to create strong passwords, and continually update them. Most computer users – from consumers to office workers – tend to be lax about creating difficult passwords and changing them often.
You can’t accurately fix a problem if you can’t quantify it. Nearly 80% of organizations don’t conduct security testing, leaving them vulnerable to attack. You can perform simple but effective tests to gauge your vulnerability to social engineering threats. Conduct periodic penetration testing by sending end users suspicious—yet harmless—emails to gauge whether or not they open them, respond to them or click on embedded links. In addition to regular staff education and reminders, enroll the employees who fall for these tests in one-on-one trainings, helping them better recognize and resist typical social engineering techniques.
The next step is to collect data and set improvement goals. With each penetration test, record how many employees fall for the ruse. If the training programs are effective and successful, the failure rate should reduce with each penetration test.
The sophistication and instances of social engineering attacks continue to rise, and it’s clear that organizations need to be ready to prevent infiltrations from every angle. No single solution can keep you as safe as you need to be. Security policies and training should be reviewed continuously to keep up with the changing threatscape, and your end users must be well-prepared to fend off social engineering ploys.
About the Author
Troy Gill, GPEN, is a Manager of Security Research at AppRiver. Gill is primarily responsible for evaluating security controls and identifying potential risks. He provides advice, research support, project management services, and information security expertise to assist in designing security solutions for new and existing applications.