As Social Engineering Attacks Skyrocket, Evaluate Your Security Education Plan

Build a playbook for employees on how to handle suspicious communications, use mail filters, and screen and verify unfamiliar calls to bolster a defensive social engineering security strategy.

Patrick Sayler, Director of Social Engineering, NetSPI

February 27, 2023

5 Min Read
A person typing their username and password into their computer as someone points to the screen
Source: NicoElNino via Alamy Stock Photo

Social engineering-based attacks are a popular form of security manipulation, with cybercriminals using this technique for 98% of attacks in 2022.

Social engineering can take many forms, including vishing (phone), phishing (email), and smishing (text). All have proven effective in infiltrating corporate networks. Social engineering attacks are so effective they're even outsmarting some of the best cybersecurity experts. Just last month, threat actors targeted security enthusiasts by creating fake Twitter accounts and stores for the Flipper Zero, a penetration testing tool rising in popularity. One Twitter account even responded to users — making it appear legitimate.

One social engineering tactic that's continued to hamper organizations over time is vishing, a phone-based attack that remains a successful, lucrative avenue for cybercriminals. This method is typically used to gain a foothold in an environment through a less-senior or new employee, often by the attacker posing as a help desk representative or another helpful internal resource.

Defensive Security Options

While many organizations understand the rise in social engineering attacks and the importance of education and awareness to prevent them, recent trends indicate a need for a more strategic approach. To kickstart a new defensive security plan designed specifically for social engineering attacks, give these practices a try.

  • Educate from the top down. Too often, we see organizations focused on educating newer employees. To have a real effect, organizations' security training programs must start at the top and trickle down to the bottom.

This means including the C-suite, regardless of their tenure, in regular education training and curriculum. It's not on one individual to stop social engineering attacks from happening. Rather, it requires leadership to recognize there's an ongoing challenge and put precautions in place to remediate the issue. With senior leaders regularly making security a priority across the entire business, this will help all employees adopt a security-first mindset over time.

  • Establish a playbook for employees to use when faced with a malicious form of communication. Whether an employee receives a malicious text, call, or email, they should be equipped with an actionable list of steps to navigate and evade the situation. Arguably the most important part of a social engineering defensive security plan is the playbook.

Set up a central location where employees can access dedicated policies outlining what they should and shouldn't be doing when receiving suspicious communications. Include instructions on how to escalate a problem if malicious correspondence occurs. For example, if a malicious message comes through over the phone, the playbook will instruct the employee not to give away any information until they can confirm that person is a legitimate employee or contractor via email or Slack — reducing the likelihood of personal and company information being leaked.

Without a framework like this in place, it feels like passing the buck to others and hoping they'll figure it out — and it opens the doors for cybercriminals, who will inevitably take advantage of this weakness.

  • Invest in email security technologies but don't solely rely on them. A recent study found that 36% of all emails globally are spam. Implementing, configuring, and stress testing mail filters can be a great first barrier to incoming social-engineering attacks, as they can oftentimes prevent a malicious email from entering an employee's inbox. However, they cannot be the sole defense mechanism and certainly aren't infallible. Mail filters need to be a part of a more holistic, comprehensive security strategy — not the only line of defense.

I'll share a real-life example of a mail filter used as a threat vector. I recently disclosed a vulnerability within Mimecast, a popular cloud-based email protection software for businesses. During a hybrid breach-and-attack simulation and social engineering penetration test, I discovered a way to bypass the URL and file-inspection features within Mimecast Targeted Threat Protection (TTP). If left undiscovered, the flaw could have allowed an adversary to serve a malicious file or URL after the software had already deemed it secure. This is a great reminder of the vital importance of defense in depth. If or when frontline technical controls fail, organizations must have a backup to slow adversaries and prevent incident escalation.

  • Screen everything. Screen all incoming calls! That is the No. 1 rule for in-office and out-of-office settings. If you suspect a phone call is malicious or the number is unrecognizable, screen it. After receiving one of these calls, see if they leave a voicemail and look up the number afterward within the corporate directory to see if it ties back to a colleague or vendor. Even if the caller ID is spoofed, the attacker won't be able to receive calls at the impersonated number.

In these situations, it's easy for an employee to fall into panic mode and be forthcoming with personal or company information. With the right company policies, framework, and plan in place, employees will feel more comfortable taking a step back, thinking through the communication, and regaining control of the situation.

Test Your Framework

While incorporating all of the above will lead to a stronger defense against popular social engineering-based attacks, a final and important step is to test how successful a framework is. This could require having a pen tester come into an organization and perform common social engineering attack methods to see how employees respond. Being able to quantify and see employees using the framework in action will prove how successful the training program is — and reveal ways for evolution and improvement.

All it takes is one employee to give away sensitive information for an entire organization to fall victim to a cyberattack. By proactively tracking the results of training programs and understanding why social engineering attacks happen, businesses will set themselves and their employees up for success.

About the Author(s)

Patrick Sayler

Director of Social Engineering, NetSPI

Patrick Sayler is a Director based out of the Portland, OR, office. He has over 12 years of experience in the information security industry, with 10 years dedicated to penetration testing. During this time, Patrick has had the opportunity to perform security assessments for clients across various industries, including aerospace, financial services, manufacturing, healthcare, retail, and biotechnology. He joined NetSPI in 2016, where he leads the Social Engineering practice. Patrick has presented his research and efforts toward social engineering at Wild West Hackin' Fest and BSides Portland. He took a detour to THOTCON 2021 to discuss attacking arcade games.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights