Defending Against Social Engineering Attacks

Why should you be worried about the large number of successful social engineering attacks taking place in the U.S.? In September 2019, the FBI announced that $26 billion was lost in Business Email Compromise/Email Account Compromise (BEC/EAC). That’s an astounding number! Given how simple some of these attacks are, it makes you wonder what makes social engineering attacks so successful.

What is social engineering?

Social engineering refers to a diverse spectrum of malicious activities that exploit human psychology to gain access to sensitive information. It is more an art than a science: attackers manipulate people, exploiting the human tendency to trust, in order to gather information. The information these attacks seek could be your passwords, bank information, credentials that control your computer or accounts, access to your network, or corporate intellectual property.

For example, an attacker impersonating a CEO might send an email asking someone in the accounts payable department to pay a vendor invoice. Or an attacker might pose as an employee of a company and ask HR to change his direct deposit information. Or perhaps the attacker sends an email claiming that your account has been compromised and asking you to change the password using a link in the email. These are all examples of credential phishing attacks.

The human factor and our tendency to trust

The success of social engineering attacks can be attributed to the fact that they exploit our human tendency to trust. Timothy R. Levine, a distinguished professor and chair of the department of communication studies at the University of Alabama–Birmingham, explains this tendency in his book Duped: Truth-Default Theory and the Social Science of Lying and Deception. The truth-default theory, drawing on decades of empirical research, explains how humans have a near-universal mindset to accept the content of incoming communications as accurate. The thought that maybe we shouldn’t trust the communication doesn’t even come to mind. While this helps us to function socially, it makes us vulnerable to deceit.

Malcolm Gladwell takes this concept a step further in his book, Talking to Strangers, where he explains that defaulting to truth does not mean we don’t have doubts. We trust someone not because we have no doubts, and belief is not the absence of doubt. On the contrary, we trust because we don’t have enough doubts to shake us from our truth-default position.

Going back to the CEO impersonation example above, let’s take a closer look at such an email and apply the truth-default theory.

From: John.Doe1@gmail.com

To: Harry.Evans@xyz.com

Hi Harry,

I need an urgent favor from you. I am on the road and don’t have access to work email. I got a call from ABC corp regarding the recent invoice. It looks like they are making changes to their processes and request that we do a wire transfer this time around. Let me know if we can do this. I will get back with more information.

Regards,

John Doe

What will Harry’s mindset be when he reads this email? He might be surprised that his CEO sent it from a Gmail account and not his corporate account. Maybe there is some doubt. However, John does explain that he is on the road and cannot access work email, and the Gmail address does contain John’s first and last name. If Harry has doubts about the wire transfer, John again explains why the vendor made this one-time request. There is a sense of urgency in the tone, and all John is asking of Harry is to respond and say whether he can help. Why should Harry be concerned? An average person in this situation will default to trust. Once initial trust is established by a reply to this email, the attacker’s job becomes even easier: provide bank details and get the fraudulent wire transfer executed.

How to protect your business from social engineering attacks?

While training your employees and generating more awareness will help, this is not a fail-safe option. According to a McKinsey analysis, 28 percent of the workweek is spent reading and answering emails. This translates to 2.6 hours spent and 120 emails received on a daily basis for an average American worker. This volume of email is a significant amount of information to process, and the human brain cannot be vigilant all the time to spot malicious intent in emails.

A more automated multi-layered technical solution will be required to analyze incoming emails and detect social engineering attacks. The solution should be sophisticated enough to profile and predict such attacks and proactively stop such suspicious emails from reaching your employees.
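As an added example that is not part of the original post, the following Python script applies the cues walked through in the email above (an executive’s name on a free-mail address, an excuse for the unusual channel, urgency, a wire-transfer request) to that sample message and scores it as one layer of the automated analysis this paragraph calls for. The corporate domain xyz.com, the executive list and the cue patterns are assumptions, not a SilverSky product feature.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the CEO-impersonation lure quoted in the article above.
SAMPLE_EMAIL = """\
From: John Doe <John.Doe1@gmail.com>
To: Harry.Evans@xyz.com
Subject: Urgent favor

Hi Harry,

I need an urgent favor from you. I am on the road and don't have access to work email.
I got a call from ABC corp regarding the recent invoice. It looks like they are making
changes to their processes and request that we do a wire transfer this time around.
Let me know if we can do this. I will get back with more information.

Regards,
John Doe
"""

CORPORATE_DOMAIN = "xyz.com"      # assumed: the domain being defended
EXECUTIVES = {"john doe"}         # assumed: names an attacker would impersonate
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Each cue the article walks through, as a label and a pattern over the body.
CUES = [
    ("urgency", re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)),
    ("payment_change", re.compile(r"\b(wire transfer|direct deposit|bank details|new account)\b", re.I)),
    ("channel_excuse", re.compile(r"(on the road|don.t have access to work email|can.t access)", re.I)),
]

def score_bec(raw: str) -> dict:
    """Return the BEC cues found in one raw RFC 5322 message and a simple score."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    # "John.Doe1" -> "john doe": attackers pad a real name with dots and digits.
    local_as_name = re.sub(r"[^a-z]+", " ", addr.split("@")[0].lower()).strip()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    found = []
    looks_like_exec = name.lower() in EXECUTIVES or local_as_name in EXECUTIVES
    if looks_like_exec and domain != CORPORATE_DOMAIN:
        found.append("executive_name_external_sender")
    if domain in FREEMAIL:
        found.append("freemail_domain")
    found += [label for label, pat in CUES if pat.search(body)]
    # Three or more independent cues: hold for human review instead of delivering.
    return {"cues": found, "score": len(found), "action": "hold" if len(found) >= 3 else "deliver"}

if __name__ == "__main__":
    print(score_bec(SAMPLE_EMAIL))
```

A rule like this is only one layer: it stops the lure before Harry’s truth-default kicks in, but a real deployment would combine it with sender authentication and a payment-change verification process.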

Are you concerned about social engineering attacks? Do you fear your employees could receive such emails? Contact SilverSky to learn about our social engineering protection solutions.