Common Social Engineering Tactics to Watch For
Cyber-risk and liabilities update
Social engineering refers to a cyber-attack method in which a cyber-criminal preys on key human behaviours (e.g., trust of authority, fear of conflict and promise of rewards) to obtain unwarranted access to a targets’ technology, systems, funds or data. These attacks can be deployed through various tactics, such as digital impersonation, deceitful messages, or malicious software (known as malware). Social engineering attacks have become a significant threat to businesses of all sizes and sectors; after all, anyone can be targeted in these incidents—including entry-level workers, managers, and CEOs.
It’s crucial for businesses to be aware of frequently utilised social engineering methods and adopt effective cyber-security measures to help mitigate these incidents. This article outlines common social engineering tactics to watch for and offers associated prevention and response tips.
Common Social Engineering Techniques
In a social engineering attack, a cyber-criminal implements several manipulative tactics to lure their target into performing actions that they normally wouldn’t. Some common social engineering methods include the following:
- Phishing—This technique involves cyber-criminals leveraging fraudulent emails to trick recipients into providing sensitive information, clicking malicious links, or opening harmful attachments. To make their emails appear genuine, cyber-criminals will often impersonate trusted sources (e.g., a colleague or well-known organisation) and feign a sense of urgency to rush targets into acting. In addition to traditional phishing, cyber-criminals may attempt to manipulate targets over text messages or phone calls (known as smishing and vishing, respectively).
- Spear phishing—A spear-phishing scheme typically focuses on specific individuals or companies and uses personalised information to convince targets to share their data. In these instances, cyber-criminals will research targets’ online behaviours, such as where they shop or what they share on social media, to collect personal details that make their schemes seem more legitimate.
- Business email compromise (BEC)—Such a technique refers to cyber-criminals posing as business leaders or partners (e.g., executives, senior-level employees, vendors, or suppliers), often for financial gain. Cyber-criminals generally deploy BEC scams via email by creating fake accounts for business leaders or partners and using deceiving messages to trick targets into transferring money, divulging financial data, or changing banking details.
- Baiting and quid pro quo—Through baiting, cyber-criminals make false promises to persuade targets to share data or download malware. These false promises may appear in the form of fraudulent pop-up advertisements or deceitful online promotions. For example, a cyber-criminal may use a false advertisement for a free movie download to trick their target into installing a virus on their device. Like baiting, quid pro quo incidents involve cyber-criminals promising to provide something valuable to their targets (e.g., an e-commerce coupon code or discounted security software) but only in exchange for the targets’ sensitive information (e.g., contact details, bank account numbers or login credentials).
- Pretexting—This technique consists of cyber-criminals impersonating a colleague, community leader or authority figure (e.g., a police officer, government employee, bank employee or tax official) and asking targets to provide sensitive information to confirm their identities or help complete critical tasks and assignments. Some of the most common types of data stolen amid pretexting incidents include employees’ contact details and National Insurance numbers, company bank records and workplace security information.
- Tailgating—Through this tactic, cyber-criminals physically sneak into workplaces by following closely behind employees or other credentialed individuals (e.g., cleaners or building maintenance workers) without their knowledge. In other words, after these authorised individuals leverage their key fobs or identification badges to pass through locked doors or security checkpoints, the cyber-criminals will also slide inside before the locks can re-engage. From there, the cyber-criminals may leverage their on-site access to steal essential company records, infect important technology with viruses or malware and compromise security systems to allow continued workplace infiltration.
- Scareware—This method entails cyber-criminals utilising various scare tactics to frighten and manipulate targets into paying ransoms, often through seemingly legitimate prompts (e.g., fraudulent virus infection alerts urging targets to purchase security software for their devices or deceptive messages claiming to be from law enforcement that accuse targets of committing crimes and demand payment for any associated fines). Scareware may either initially contain malware or eventually coerce targets into downloading malware.
Tips to Mitigate Social Engineering Attacks
Businesses can consider these steps to help prevent and respond to social engineering attacks:
- 1. Provide training. Businesses should educate employees on social engineering and how it could affect them. Additionally, employees should be required to participate in routine cyber-security training on social engineering attack detection and prevention. This training should instruct employees to do the following:
✓ Maintain a healthy sense of scepticism across communication channels by watching for social engineering tactics in emails, texts and calls (e.g., lack of personalisation, generic phrasing and urgent requests).
✓ Refrain from interacting with emails, texts or calls from unknown or suspicious senders.
✓ Avoid clicking links or downloading applications provided within emails or texts.
✓ Never share sensitive information online, via text or over the phone.
✓ Utilise trusted contact methods (e.g., calling a company’s official phone number) to verify the validity of any suspicious requests.
✓ Report any suspicious emails, texts or calls to the appropriate parties, such as a supervisor or the IT department.
- 2. Implement access controls. By allowing employees access to only the information they need to complete their job duties, businesses can reduce the risk of cyber-criminals compromising excess data or securing unsolicited funds amid social engineering incidents. To further protect their information, businesses should consider leveraging encryption services and establishing secure locations for backing up critical data.
- 3. Utilise proper security software. Businesses should make sure all workplace technology is equipped with adequate security software. In some cases, this software can halt cyber-criminals in their tracks, stopping fraudulent messages from reaching recipients’ devices and rendering harmful links or malicious applications ineffective. In particular, workplace technology should possess antivirus programs, spam detection systems, email filters, firewalls, message-blocking tools and multifactor authentication capabilities. This security software should be updated as needed through patch management systems to ensure its effectiveness.
- 4. Ensure safe financial transactions. Having secure financial procedures can help limit the risk of any money being lost during social engineering attacks. As such, businesses should instruct employees who handle financial operations to carefully analyse fund transfer requests and similar payment demands to ensure their validity. When possible, these requests should be discussed in person before moving forward, especially if they involve alternative payment procedures or changes in banking details. Businesses may also want to consider utilising several verification methods and implementing the “two-person rule” to confirm payment requests, in which two authorised individuals must review and approve transactions before they can go through.
- 5. Adopt a cyber-incident response plan. In the event that a social engineering attack is suspected or detected, it’s essential for businesses to have dedicated cyber-incident response plans in place that outline steps to ensure timely remediation and keep damages to a minimum. These response plans should address a variety of possible attack scenarios and be communicated to all applicable parties. The National Cyber Security Centre (NCSC) has resources available to help businesses create such plans.
- 6. Conduct tabletop exercises and penetration testing. It’s not enough for businesses to simply create cyber-incident response plans. Rather, they should routinely assess these plans for ongoing security gaps and make changes as needed to ensure maximum protection amid social engineering attacks. Common assessment techniques include the following:
✓ Penetration testing—Such testing consists of an IT professional mimicking the actions of a cyber-criminal to determine whether an organisation’s workplace technology possesses any vulnerabilities and is able to withstand attack efforts. This testing usually targets a specific type of workplace technology and may leverage various attack vectors.
✓ Tabletop exercises—A tabletop exercise is an activity that allows an organisation to simulate a realistic cyber-attack scenario (e.g., a phishing simulation) for the purpose of testing its incident response plan’s efficiency. In other words, this exercise serves as a cyber-attack drill, giving participants the opportunity to practise responding to an attack.
- 7. Consult trusted experts and professionals. Businesses don’t have to navigate and address their social engineering exposures alone. Instead, they can seek assistance and supplement their existing resources with guidance from a wide range of trusted external parties, including insurance professionals, legal professionals, cyber-security organisations, and government and law enforcement agencies (e.g., NCSC and Action Fraud).
- 8. Purchase sufficient cover. It’s critical for businesses to purchase adequate insurance to secure ample financial protection against potential losses that may arise from social engineering attacks. Businesses should consult trusted insurance professionals to discuss their specific cover needs.
Social engineering is a common and widespread cyber-threat that has the potential to wreak havoc on businesses across industry lines. Fortunately, organisations that ensure a solid understanding of key social engineering methods and leverage proper prevention and response measures can help minimise these incidents and their related losses.
- This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2015, 2023 Zywave, Inc. All rights reserved.
Information provided by Zywave and contributed by Lisa Langley Cert CII, Team Leader, Professional Risks, Cox Mahon Ltd.