In the simplest terms, a social engineering attack is one person manipulating another to gain access to systems, networks or locations, or for financial gain.

In many cases, a social engineering attack is fronted by someone posing as a trusted source such as a bank or customer support. The attacker builds up the target's trust and uses the claimed position to persuade people to drop their guard and hand over confidential information, which in turn yields access to data. Just as people tend to accept anyone wearing a badge as a figure of authority, attackers present themselves as figures of authority to gain trust and to make the target want to be helpful.

Social engineering is often used by attackers who want to gain access to systems precisely because technological security is so advanced. People tend to be much easier to manipulate, and many will help someone posing as a colleague or an online advisor simply because it is the socially acceptable thing to do. In other words, people are the more vulnerable layer because, ironically, we want to help.

We asked our security experts: What are the more frequent or common social engineering attacks organizations experience? What steps can be taken to prevent them?

Our Cyber Security Experts


Rema Deo

CEO and Managing Director at 24by7Security Inc.

Rema is certified as a Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2. She holds a certificate in Cybersecurity: Technology, Application and Policy from the Massachusetts Institute of Technology.

The most frequent social engineering attacks are caused by phishing. Phishing is known to be the leading cause of ransomware.

Tailgating is another way in which attackers may obtain information or plan or execute a cyber attack by physically gaining access to your premises, especially sensitive areas. In businesses, whaling is also a popular social engineering method, distinguished a bit from phishing in that whaling targets are usually high-value targets like executives or high ranking government officials.

  1. Do not allow tailgating into the office premises. If someone asks you to let them into the premises, do not let them in unless they have the appropriate credentials and authorization to be on the premises.
  2. Phishing, vishing, spear phishing, and whaling are forms of social engineering. Do not click on unknown links in emails or messages.
  3. Check the sender’s email address before taking any action. If suspicious, report the email to your security or compliance officer.
  4. Do not provide your password to anyone. If you have inadvertently provided your password for any of your work systems to someone, change those passwords immediately.
  5. If you have any reason to doubt the instructions provided by a colleague or executive via email, be sure to call or otherwise confirm before implementing them, especially if those instructions are likely to grant access to someone else, to wire funds, or to do anything that might adversely impact the company.

Mike Bousquet

Co-founder & CEO, Groove.id Inc.

Phishing remains so pervasive because it is effective. Even sophisticated, well-trained end users can fall victim to a well-crafted phishing email that lands in their inbox. Attackers utilize many different strategies to harvest the credentials of valid users. Nearly every data breach involves stolen passwords. The result is that at some point in every intrusion, the attacker stops hacking and starts just logging in, making it very difficult for IT & security teams to detect their presence and prevent data loss. Unfortunately, despite significant investments in technology and user education, this trend is likely to continue.

Preventing phishing attacks is a significant challenge. Email security solutions help, but like anti-virus software, it’s a never-ending battle to keep up with changing attacker tactics. Some bad traffic inevitably finds its way through the controls. Training and educating users is a worthy step toward building up a defense against human error. However, expecting people to demonstrate flawless performance in identifying phishing attempts is unrealistic. Most people are just trying to get their jobs done productively.

We believe a better solution is to focus on removing the target the attackers seek: account credentials. Passwords have been in use for over 60 years as the mechanism to identify valid users of a technology service, and it’s time to decommission them. Even two-factor authentication has limits tied to a fundamental architecture that relies upon something a user knows that they can easily be tricked into giving up. A better approach is to leverage modern identity solutions that eliminate the use of passwords.

Today, technologies like hardware security keys, user behavior analytics and biometric authentication methods can be combined to eliminate passwords. When that happens, there’s nothing for users to remember and nothing for attackers to steal, which closes off the attack surface that phishing attempts to compromise.


Paul Bischoff

Privacy Advocate with Comparitech

Paul Bischoff has been covering IT-related subjects since 2012. He previously worked as the China editor at Tech in Asia and is a regular contributor at Mashable, as well as several blogs for internet startups around the world.

When talking about social engineering attacks against organizations, we’re mainly referring to phishing.
Phishing campaigns against organizations are typically more targeted than your typical Nigerian prince scam. Spear phishing attacks can target specific staff members or departments, and common targets include IT staff, executives, accountants, and human resources staff in charge of payroll and tax documents. Scammers may impersonate other employees or executives at the company, or the company bank, an affiliate, or a contractor. The goal of a phishing attack is to get private information. This can range from employee tax documents to passwords to financial information, and in some cases even trade secrets. Other scams may attempt to trick staff into transferring money to the criminal.

Companies can prevent such scams by raising awareness about phishing and implementing clear dos and don’ts for staff.

For example, staff should know the warning signs of phishing emails, and no sensitive information should ever be sent in an email. Safeguards should be put in place so that staff in possession of such valuable information can verify the identities of whoever requests it. For example, the HR department should contact an executive by phone before making any non-routine money transfers. Companies can test their policies with their own imitation phishing campaigns to ensure everyone can reliably spot and prevent phishing.


Oliver Münchow

Security Consultant and Evangelist at Lucy Security

Oliver Münchow has worked in IT security since 1998 and in 1999 started his first company specializing in penetration testing. His current company, Lucy Security, helps build employee awareness and uncover vulnerabilities in their infrastructure. He conducts training courses including Certified Ethical Hacker (C|EH) and the Open Web Application Security Project (OWASP).

While phishing attacks via email, social media or SMS are undoubtedly the most common, it is wrong for a company to focus solely on these attacks.

The danger of an employee entering a password on a hacker-controlled website, for example, is often overestimated. I was once contracted by a nuclear operator to use social engineering to penetrate secured facilities, so more effective methods were used. This included, above all, face-to-face contact on site. With a good story and the right clothes, you can always gain the trust of employees.

Once on site, there are no limits.

In the beginning, we installed Trojans on servers under the pretext of IT support. Later we walked through the rooms with trolleys and simply stacked the servers and laptops on them and walked out with them. The possibilities are limitless.

So what can you do?

Employee sensitization is undoubtedly essential. But you never cover all use cases anyway, and in the daily business, what was learned is quickly lost. What helps is only very clear guidelines that have to be adhered to. If, for example, an unannounced visitor comes, this must be verified with the responsible person. If you see an unknown person in the corridor without a badge, this must be reported. And so on.


Ryan Manship

President of RedTeam Security

Ryan has a BS in Information Technology with an emphasis on Networking and Security and regularly speaks at various security events.

Three of the most common types of social engineering are:

Credential harvesting: This is what it sounds like. You have some website or something you sent directly to the target, prompting them to enter their credentials. When they do so, their credentials are sent to the attacker. Preventing this attack is as simple as not entering your credentials into anything you don’t trust or expect. If you encounter a prompt for credentials which you have not seen before, check with your IT or security department before entering credentials.

Clickbait: This is very simple and typically only used in SE campaigns to test employee awareness. The objective is to entice the targets to click a link in a phishing email. If the user clicks the malicious link, typically, that activity is logged. Occasionally, the link may open something telling the user it was a phishing test. This isn’t as prevalent in the wild because it doesn’t get the attacker anything. Attackers want something from the user and just clicking a link is often not enough. While this is not a typical attack in real life, this attack could be combined with some other tactic designed to remotely do something to the target’s machine, browser, or something else (and may even still show the test splash page). Employee awareness training and learning not to click on unexpected links are how you train users to avoid these kinds of attacks.

Gaining access to the target’s system: This can come in many different varieties. The attack could include an attachment with a document. The document may prompt the user for some permissions, or it may not. The attack could also contain a link. That link could appear to do anything (or nothing), but it may also initiate a download or otherwise run malicious code in such a way as to compromise the target’s system.

No matter how this is achieved, the result of this attack is that code is executed on the target system in such a way that a connection is created out to the attacker. The attacker may then use that connection to further exploit that target system and possibly even pivot within the company network. Preventing this type of attack requires employee awareness training, but technical solutions can also help to mitigate the likelihood of such an attack being successful.

In short, nearly all social engineering attacks are designed to do one of those three things. This doesn’t mean that all of them will use these techniques, but those are most likely.

A motivated, and creative, attacker may come up with a derivative of this or something entirely novel when creating an SE campaign against your company’s users.


Mike Brengs

Managing Partner, Optimal IdM

Michael Brengs has over 20 years of experience in the software industry and has been deploying identity management solutions since joining OpenNetwork Technologies in 2000. He is currently Chief Revenue Officer and a managing partner with Optimal IdM.

Frequent attacks most commonly are emails crafted to look “legitimate” such as saying “Bank of America Customer Service” for the display name of the “from” in the email. But if you look at the detail of what the real email account is, it may be something entirely different.

Look at any hyperlinks by hovering over them (don’t click!). The text of the hyperlink might look legit, but the actual redirect URL could be something bogus. Look for misspellings or poor grammar. Many scammers are not native English speakers and make grammatical mistakes. Never give up any personal information from an unsolicited email. If your gut says this is “fishy,” it probably is Phishy.

Do NOT click on any attachments from unknown sources. If this is your corporate email, notify your IT staff.

The 2017 Verizon data breach report states that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. And that makes sense because the human element of any security system will always be the weakest link.

But there is a simple step to reduce the chances of being hacked.

Get security training. Often, employers provide education about security vulnerabilities, like e-mail phishing, ransomware programs, and social engineering.

What should you do if you fall for a phishing campaign?

Reset the password for that site. Do NOT use a password or login information similar to another site’s password. Monitor that account closely, on a daily basis, for at least 90 days. If the account is with a bank or is otherwise of a sensitive nature, contact them.
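The two checks recommended above (compare the display name with the real sending address, and compare a link's visible text with where it actually points) can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not code from Optimal IdM or from the original page; the sample message is constructed, the `example-mailer.invalid` domain is a placeholder, and the mapping of organisation names to their real domains is an assumption you would populate from your own vendor list.

```python
"""Flag a phishing-style From display name and deceptive hyperlinks.

Added example, not the article's code.  The sample message below is
constructed; the claimed-domain table is an assumption for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims a bank, the address does not;
# the first link shows one host in its text but its href goes elsewhere.
SAMPLE_MESSAGE = """\
From: "Bank of America Customer Service" <alerts@example-mailer.invalid>
To: employee@example.com
Subject: Action required
Content-Type: text/html

<html><body>
<p>Please <a href="http://login.example-mailer.invalid/verify">
https://www.bankofamerica.com/verify</a> to keep your account active.</p>
<p>Help: <a href="https://www.example.com/help">www.example.com/help</a></p>
</body></html>
"""


def sender_domain_mismatch(from_header, claimed_domains):
    """Return (display_name, address_domain) when the display name names an
    organisation in claimed_domains but the address is not in that
    organisation's domain; otherwise None."""
    display_name, address = parseaddr(from_header)
    address_domain = address.rpartition("@")[2].lower()
    for keyword, real_domain in claimed_domains.items():
        if keyword.lower() in display_name.lower():
            if address_domain != real_domain and not address_domain.endswith("." + real_domain):
                return display_name, address_domain
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Host part of a URL, or of bare text that looks like a URL."""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def mismatched_links(html):
    """Return hrefs whose visible text looks like a URL on a different host,
    i.e. what hovering would reveal without clicking."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = _host_of(text)
        if shown and re.search(r"[a-z0-9-]+\.[a-z]{2,}", shown) and shown != _host_of(href):
            flagged.append(href)
    return flagged


def analyse(raw_message, claimed_domains):
    """Run both checks over a raw RFC 5322 message string."""
    msg = message_from_string(raw_message)
    return {
        "sender_mismatch": sender_domain_mismatch(msg["From"], claimed_domains),
        "mismatched_links": mismatched_links(msg.get_payload()),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_MESSAGE, {"Bank of America": "bankofamerica.com"}))
```

Both checks are heuristics: a legitimate bank may send from a subdomain (handled by the `endswith` test) and a legitimate link may use a tracking host, so the output is a triage signal for the user or the security team, not an automatic block.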


Jonathan Broche

President, Leap Security 

Jonathan Broche is the Founder of Leap Security Inc., an Information Security company specializing in adversary simulation. With over ten years of experience in Information Technology, Jonathan specializes in penetration testing, social engineering, and secure system configurations. Jonathan is recognized for his exploits and open source tools.

We are living in an era of security where users are becoming more aware of social engineering attacks. Organizations are implementing and enforcing security awareness training more, and this is great. This is something security professionals have been pushing to accomplish for years, so seeing it being done is satisfying.

Attackers, however, always stay one step ahead. What we see now in the industry is a move from generic social engineering scenarios to much more targeted ones. Attackers are now taking their time to craft social engineering scenarios. Before sending out an email, making a phone call or physically approaching an organization or individual, they are doing their research.

Common Attack Vectors

They use information that is publicly accessible on the internet to gain more knowledge about their target. Most individuals enjoy posting their professional accomplishments on LinkedIn. More often than not this includes technologies implemented within an organization. Others share information on social media and don’t adequately protect it allowing attackers to get an understanding of what someone’s likes or hobbies are to build rapport and gain trust during an interaction quickly.

The goal of the attacker is to use social engineering to build trust and leverage that trust to obtain information. A typical attack is having users open an email attachment or visit a website, then leveraging mshta.exe to execute code and ultimately compromise the system. The same goes for phone-based social engineering; the attacker will build trust and leverage that trust to have the user visit a website or open an attachment.

Prevention

Ensure that users do not provide information unless they confirm the identity of the individual calling them.

Also, teach individuals within your organization to communicate. If someone suspicious calls them asking for sensitive information, or they receive a phishing email, they should inform someone! If individuals communicate, then the IT Security department within the organization can act quickly to blacklist that domain/email to ensure it doesn’t spread.

Consider implementing an email protection solution within your environment that’ll protect from spam, malware, or threats. Email protection technologies will automatically scan incoming emails and attachments giving more control to network administrators.

Lastly, organizations should continue to perform security awareness training on users. Then, leverage an Information Security company to perform social engineering to determine the real world risk within their organization. Social engineering assessments will allow organizations to test their users’ knowledge in a simulated attack.
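The mshta.exe technique mentioned above is one that a detection team can watch for in process-creation telemetry, independent of whether the user was fooled. The following is an added example, not code from Leap Security or the original page: it runs simple detection logic over constructed process-creation records whose three fields (parent image, child image, command line) are a simplified stand-in for a Sysmon Event ID 1 or EDR process-creation event, and flags mshta.exe when it is launched from an Office or mail client or is handed a remote URL. The parent-process list and the sample paths are this example's assumptions.

```python
"""Detection logic for mshta.exe launched from a phishing lure.

Added example, not the article's code.  SAMPLE_EVENTS are constructed
records of the form (parent image, child image, command line), a
simplified stand-in for a process-creation event from Sysmon or an EDR.
"""
import re

# Parent processes from which mshta.exe is rarely legitimate (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events: one benign local .hta from Explorer, one lure
# opened from Word that fetches a remote page, one dropped into Temp and
# launched from Outlook, and one unrelated process.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\mshta.exe",
     r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\mshta.exe",
     "mshta.exe http://lure.example.invalid/page.hta"),
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Windows\System32\mshta.exe",
     r"mshta.exe C:\Users\u\AppData\Local\Temp\invoice.hta"),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\notepad.exe",
     "notepad.exe readme.txt"),
]


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent, image, cmdline):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if basename(image) != "mshta.exe":
        return reasons
    if basename(parent) in OFFICE_PARENTS:
        reasons.append("mshta.exe spawned by %s" % basename(parent))
    if URL_RE.search(cmdline):
        reasons.append("mshta.exe given a remote URL")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that fires a rule."""
    hits = []
    for index, event in enumerate(events):
        reasons = classify(*event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The first sample, a vendor installer's local .hta started from Explorer, is deliberately left unflagged to keep false positives low; tune `OFFICE_PARENTS` and add your own allow-list of known .hta paths before deploying anything like this as an alert.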


Tom DeSot

EVP and CIO of Digital Defense, Inc.

Currently, the most popular form of social engineering is “whaling.” Whaling, for the uninitiated, is a social engineering attack either from a phone call, or more than likely, a well-crafted email that is targeted at the C-Suite within an organization. Typically, the attacks ask the end user to either make a transfer of money or to approve the transfer of money to a foreign bank account. Often the email is urgent and prompts the reader to take quick action to resolve the matter.

Another type of attack that remains active and successful is the “USB drop.” In this scenario, the attacker drops USBs near employee entrances or other entry points. The USB flash drives are often labeled “Bonuses 2018” or “CEO Salary Review” to prompt the user to want to put the USB in a computer to look at the contents. When the user executes the file (a fake spreadsheet or Word document), the file can attempt to infect the system with a virus or other types of malware such as ransomware, or it may attempt to exfiltrate data that is located on the user’s computer and transfer it outside the organization.

User training = Prevention!  Users are the first line of defense when it comes to any type of social engineering attack. They should be trained in ways to recognize social engineering. If they have been appropriately trained, spotting “whaling” attacks and avoiding USB drops, the company stands a much better chance of withstanding an attack. What is critical is that this training takes place from the C-Suite all the way down to frontline staff to ensure that the entire organization is aware of the dangers of social engineering.

Another way to protect the organization is to hire a firm to conduct a “live fire” exercise against the company and send in fraudulent emails or conduct USB drops and then measure how well the organization reacts to the exercise. This is a perfect way to determine if the training that is being undertaken is sinking in and is being retained by staff at all levels.


Jeff Wilbur

Technical Director of the Online Trust Alliance

Jeff is technical director of the Internet Society’s Online Trust Alliance (OTA). The Online Trust Alliance is an initiative of the Internet Society, the global non-profit dedicated to ensuring the open development, evolution, and use of the Internet, founded by the “fathers of the Internet,” Vint Cerf and Bob Kahn.

By far the most prevalent social engineering attack on organizations involves spear phishing.

It is a fake email pretending to be from a company executive, employee or third-party vendor that requests the recipient open an attachment or perform an action. The message can seem as innocent as an attached monthly report (which actually contains malware), or as serious as a request to transfer millions of dollars to a “new” account or to send sensitive employee information to a personal email address.

By mining information from public sources (such as where an executive is traveling or who an organization’s third-party vendors are), attackers can create compelling social engineering ploys that ring true to company employees, and the urgency of the requests can cause employees to abandon standard precautions.

Since most of these attacks happen via email (though more are happening via telephone as well), it is important to build in proper layers of defense.

For email protection, the first step is the implementation of email authentication technologies that can verify whether a message is coming from the purported sender. This allows malicious messages to be discarded immediately.

Additional steps are email security services that assess the legitimacy of messages from unfamiliar senders and scan attachments for malware. Messages thought to be at risk can be examined more closely or discarded. Finally, for emails that make it through to the inbox (and this would cover phone calls as well), it is crucial that employees are alert to such scams. Established processes should be in place to verify the request or require multiple executives’ approval on large financial transfers or access to sensitive data.
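The "email authentication technologies" mentioned above are SPF, DKIM and DMARC; an inbound mail server records their verdicts in an Authentication-Results header (RFC 8601), and a downstream filter can act on that header to discard spoofed mail before anyone sees it. The following is an added example, not code from the Online Trust Alliance or the original page: it parses constructed Authentication-Results values and applies a policy of its own (deliver on a DMARC pass, discard on a DMARC fail, quarantine anything the header cannot vouch for). The policy thresholds and the sample domains (`vendor.example`, `attacker.invalid`) are assumptions.

```python
"""Gateway policy over the Authentication-Results header (RFC 8601).

Added example, not the article's code.  SAMPLES are constructed header
values; the decide() policy is an assumption a site would tune.
"""
import re

# Method/result pairs as written by a verifying MTA, e.g. "dmarc=pass".
_METHOD_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)

# Constructed sample headers for three inbound messages.
SAMPLES = {
    "authenticated": (
        "mx.example.com; spf=pass smtp.mailfrom=vendor.example; "
        "dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example"
    ),
    "spoofed": (
        "mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; "
        "dkim=none; dmarc=fail header.from=vendor.example"
    ),
    "unverified": (
        "mx.example.com; spf=pass smtp.mailfrom=bulk.invalid; "
        "dkim=none; dmarc=none header.from=vendor.example"
    ),
}


def parse_auth_results(header):
    """Return {method: result} for each SPF/DKIM/DMARC verdict in the header."""
    return {method.lower(): result.lower() for method, result in _METHOD_RE.findall(header or "")}


def decide(header):
    """Policy: DMARC pass delivers, DMARC fail is discarded, anything else
    (no DMARC record, missing header, SPF/DKIM only) is quarantined for review.
    Relying on SPF or DKIM alone would not prove the visible From domain is
    aligned with the signer, which is exactly what spear phishing exploits."""
    results = parse_auth_results(header)
    dmarc = results.get("dmarc")
    if dmarc == "pass":
        return "deliver"
    if dmarc == "fail":
        return "discard"
    return "quarantine"


def triage(samples):
    """Map each message name to its policy decision."""
    return {name: decide(header) for name, header in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(name, "->", verdict)
```

The "unverified" case is the one worth discussing with your mail team: a sender whose domain publishes no DMARC policy passes SPF but proves nothing about the From address the user sees, which is why this example quarantines rather than delivers it.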


Amar Singh

Industry Influencer & Leader

Amar’s an experienced cybersecurity and privacy practitioner, guest lecturer at universities, CISO, and a mentor. An industry acknowledged expert and public speaker, Amar’s regularly invited to speak and share his insights by organizations like BBC, The Economist’s Intelligence Unit, FT, SC-Magazine, Computer Weekly and The Register.

The good news is that social engineering attacks are NOT yet AI or Machine Learning powered, but we are probably not far from that day. It’s sad news because we, humans and organizations, can’t seem to protect ourselves from what are ridiculously lousy quality phishing attempts; what chance do we stand when cybercriminals employ machine learning and/or AI?

Phishing emails (not targeted phishing) are still the weapon of choice for most wannabe and established cybercriminals. SMS text-based phishing carries on as another one that still seems to work for criminals. I would argue that the industry is causing unnecessary confusion by deriving complex monikers for what is essentially the same problem.

Interestingly as LinkedIn is increasingly becoming the external, B2B-communication medium of choice so are criminals turning to it for launching social engineering attacks. There seems to be a certain level of inherent trust when a stranger, with a reasonable sounding title and employer, reaches out to connect and share files and exchange information.

Merely educating and making the end user aware of this threat is NOT good enough.

Technology must underpin and provide transparent data security where the overall damage to the business and user is low, even if the user does open a malicious file or enters his or her password.


Trave Harmon

Chief Executive Officer at Triton Technologies

The first rule: Do not put any contact information in any shape or form on your website in regards to the operation of your business. No CFO, no account manager, just a generic email and/or a link to a generic email within the company. Generic addresses such as bills@ and AR@ are our best practice, which for our clients has been a boon.

I also recommend utilizing Cloudflare to stop any scraping of the website for personal or corporate information.

The most common scams I see in order are:

  1. Your account is suspended/email cannot be delivered / over quota. Usually associated with office 365 accounts.
  2. A sum of money needs to be transferred, to a charity, outstanding invoice, or repo company, usually representing the CEO to the CFO or office manager.
  3. Attached is your document that you are looking for, FedEx shipment, UPS shipment, scan details, or more. This is usually associated with targeted malware if you are a publicly traded company, or are on a public list of some type.

Greg Scott

Cybersecurity Professional & Author of Bullseye Breach and Virus Bomb

Far and away, the most common social engineering attacks come via email. Email security has an architectural weakness that allows anyone to impersonate anyone else. Attackers exploit this weakness in all kinds of creative schemes. If Alice trusts Bob, Criminal Carol might impersonate Bob and try to persuade Alice to do something stupid. We all see these every day with emails claiming to come from our banks or credit card companies. Or fake invoices. Or variations on the Nigerian prince. Or phony tech support schemes. The only limit is the creativity of the attacker.

Fun with names is also a biggie. It’s really a subset of phishing, but prevalent enough for a mention on its own. Let’s say, Clarence, pretending to be Bob, sends Alice an email with a link to, say, a favorite cake recipe. The link points to recipes.bob.com.abazillionweirdcharacters.evilclarence.com.

Alice sees the first part of that name and assumes it’s a safe link. So she clicks or taps it. But she doesn’t know how Internet names work, and so she ends up on Clarence’s evil website, where Clarence steals every piece of information inside her computer. She defends herself by investing 10 minutes into education about how names work and staying vigilant.

Malicious emails aren’t the only attack vector. People fall victim to fake tech support calls all the time. If somebody calls unsolicited and claims they’re from Microsoft, or maybe the corporate IT Department, and they want to fix your computer, just say no. I had fun with one such call when I asked where the caller was from and he said, downtown Ohio. I asked him if his mom knew he was stealing from people.

Trust violations can also do it. Visit a site pretending to be, say, Amazon or maybe your banking site, and unwittingly give away your credentials. Sometimes phishing schemes entice us to visit imposter sites; other times it’s typos in the URL. Defend it by being aware of certificate anomalies, but even that is not one hundred percent effective.

In general, attackers are intelligent, they collaborate, and they want to manipulate you into doing something against your own interest. Fight back by staying vigilant and exercising skepticism.

Unfortunately, no technology exists to prevent social-engineering email attacks. The key to prevention is education and vigilance.
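The "fun with names" point above comes down to reading a hostname from the right: the owner of a link is decided by the last labels, not the first ones. The following is an added example, not code from the original page or its author: it takes the page's own deceptive hostname, `recipes.bob.com.abazillionweirdcharacters.evilclarence.com`, plus a genuine subdomain and a typo-squatted variant (both constructed), and shows which of them actually sit under the trusted `bob.com`. The short list of two-part public suffixes is an assumption; a real deployment would use the full Public Suffix List.

```python
"""Which domain actually owns a link?  Read the hostname from the right.

Added example, not the article's code.  The deceptive hostname is the one
quoted in the article; the other URLs are constructed.  The handful of
multi-label suffixes below is a stand-in for the Public Suffix List.
"""
from urllib.parse import urlparse

# Suffixes under which the registrable name is three labels, not two
# (assumption: a small subset of the real Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed sample links a user might see in an email.
SAMPLE_LINKS = [
    "http://recipes.bob.com.abazillionweirdcharacters.evilclarence.com/cake",
    "https://recipes.bob.com/cake",
    "https://www.b0b.com/cake",
]


def registrable_domain(hostname):
    """The part of a hostname its owner actually registered, i.e. the last
    two labels (three under a known multi-label suffix)."""
    labels = hostname.lower().rstrip(".").split(".")
    size = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-size:])


def is_under(url, trusted_domain):
    """True only if the URL's host is the trusted domain or a subdomain of it.
    A plain substring test would be fooled by the deceptive hostname."""
    host = (urlparse(url).hostname or "").lower()
    trusted = trusted_domain.lower()
    return host == trusted or host.endswith("." + trusted)


def explain(url, trusted_domain):
    """Summarise what a careful reader should conclude about a link."""
    host = (urlparse(url).hostname or "").lower()
    return {
        "host": host,
        "owned_by": registrable_domain(host),
        "under_trusted": is_under(url, trusted_domain),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(explain(link, "bob.com"))
```

Note that `is_under` anchors on a dot before the trusted name, so `notbob.com` and `bob.com.evilclarence.com` both fail while `recipes.bob.com` passes; the typo-squatted `b0b.com` fails too, but only because the user chose the right `trusted_domain`, which is the "10 minutes of education" the author has in mind.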


Ron Schlecht

Managing Partner BTB Security

Ron has almost two decades of experience in cybersecurity and regularly performs penetration tests on companies, which includes social engineering, to find and then secure companies’ weak points.

Believe it or not, the fake email asking employees to log in to a company look-alike website, or to download software updates still seems to get most organizations. Any time an employee reads an email and feels like they should help a coworker by downloading something or clicking a document, it should be suspect.

All companies should take the time to educate their employees on the types of communications they receive from within the organization. Also educate with examples of spam and social engineering, and on the impact fraudulent emails can have on the organization.

To help prevent social engineering attacks, companies also need to make it simple for employees to identify whether a message is an attempt at social engineering and to report it quickly. Furthermore, just like other security assessments, organizations should be performing computer security exercises regularly to test employees, technical controls, and incident detection and response.


Gregory Morawietz

VP of Operations Single Point of Contact

Gregory is an IT Security Specialist with over twenty years’ of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting and integrating technology for the enterprise network.

Employ access management. Restrict remote access to key files only to the people that require them. Try and use whatever MDM (Mobile Device Management) software capabilities are available, or even buy an MDM product. This way you can use mobile device wipe and control the data that is on your employees’ devices. Beware of phishing attacks and ensure your procedures for pay and commission to employees.

I have seen hackers infiltrate a company’s financial procedures and use false domains to get money wire transferred to accounts.

Be suspicious of emails. Train employees to check and recheck email domains.

Try and let employees also know that whatever they post on social media might be able to be used to launch a phishing attack on them.

Beyond training and education, some companies now regularly launch phishing attacks on employees so they can see who might still be susceptible to attacks or who might need some additional training or help.


Robert Siciliano

Security Awareness Expert & Best Selling Author at Safr.Me

Robert is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security. He is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds.

Telephone and inbound email communications are rife with fraud.

Employees need to be tested again and again. When they fail, they need to be reminded and instructed what to do when they receive such communications.

Consistency is critical while making it fun, and interesting. Repetitive training utilizing Phishing simulations is the best way to keep employees on their toes.


Steven J.J. Weisman

Attorney & College Professor at Scamicide

Steve Weisman is an attorney, a college professor at Bentley University where he teaches White Collar Crime, and one of the country’s leading experts in cybersecurity, scams and identity theft. Among his ten books are “The Truth About Avoiding Scams” and “Identity Theft Alert.”

By definition, social engineering depends on personal information of the targeted employee to be manipulated to disseminate information in an email or text message.

Companies should consider how much information they make public about their employees.

Company policy should have rules regarding social media use by employees such that they do not provide information to be used to make them victims of such socially engineered attacks.

Training employees never to click on links unless they have been verified is critical. Social engineering by which employees are lured to bogus websites or click on tainted links in emails or text messages that have been specifically tailored to appear trustworthy is the primary way that a variety of malware including keystroke logging malware and ransomware is delivered. Also, companies should consider the use of whitelisting or antivirus software which will prevent the downloading of any software that has not been previously approved. This provides tremendous protection even if an employee clicks on an infected link.

Malware that can steal data can be used for purposes of identity theft of both employees and clients. Malware can steal financial data used to access company bank accounts, or social engineering, as in the case of Business Email Compromise, can convince an employee to send payments to the thief believing it is a legitimate transaction.

Employees are also targeted by spear phishing emails to lure them into clicking on links in emails and downloading a wide range of malware.

Ransomware or malware can harvest company financial information that can be exploited for identity theft or direct theft from financial accounts of the company. Companies should make sure that they are using the most up to date security software that can recognize spear phishing emails.

It is also essential to update security software as soon as the latest patches are issued. Equifax suffered its massive data breach when a vulnerability in its Apache software was exploited although Apache had a patch for the particular vulnerability months in advance. However, Equifax failed to update its software in a timely fashion.

Social engineering also encompasses infected bogus websites that may be attractive to employees. Certain types of websites should be blocked by work computers or devices. Also, some advanced kind of malvertising malware can be downloaded merely by going to the infected site without even clicking on anything. This type of malvertising can often appear on legitimate websites, which is why it makes sense to use adware software to prevent it from being downloaded.

Education is the most essential part of protecting companies from social engineering attacks. Education should be an ongoing process with frequent testing of employees as to vulnerability management.

Of course, security software that can recognize phishing emails should be used, but companies should realize that this type of software is far from totally effective. For this reason, companies should also consider using whitelisting software that will not permit the downloading of any program that has not been previously approved. This is good protection for when social engineering manages to convince the employee to click on an infected link, because it will prevent the malware from being downloaded.


Dennis Chow

Dennis leads the Cyber Threat Intelligence planning grant for the entire U.S. healthcare vertical in collaboration with DHS and Health and Human Services.

The most common attacks come through the mediums of email, text messaging, and social media. At the end of the day, the attackers are interested in direct passwords, credit card numbers, or answers to password recovery questions for password resets. The victims tend to vary, but it is almost always everyone in the organization because there’s some form of network access.

It’s not feasible to ‘prevent’ them per se, but you can reduce your risk and threat surface as a whole including:

  • Unsubscribing and reducing your sign ups with 3rd parties and advertisements. The more your email or name is associated with email lists, the more eyes have access to target campaigns on their victims.
  • Take security awareness training seriously and look for signs that an email or other communication ‘isn’t quite right.’
  • Encourage your cybersecurity or IT provider to enhance their spam filters and PBX call filtration systems.