What Is Social Engineering and How Can You Defend Against It?

Defending Against Social Engineering Attacks

Why should you be worried about the large number of successful social engineering attacks taking place? In September 2019, the FBI's Internet Crime Complaint Center (IC3) reported $26 billion in exposed losses (actual and attempted) to Business Email Compromise/Email Account Compromise (BEC/EAC) between June 2016 and July 2019. That is an astounding number. Given how simple some of these attacks are, it raises the question of what makes social engineering so successful.

What is social engineering?

Social engineering refers to a broad spectrum of malicious activities that exploit human psychology, rather than a technical flaw, to gain access to sensitive information or systems. It is more art than science: attackers manipulate people and exploit the human tendency to trust in order to obtain what they want. What these attacks seek could be your passwords, bank account details, credentials that control your computer or accounts, access to your network, or corporate intellectual property.

For example, an attacker impersonating a CEO might email someone in the accounts payable department asking them to pay a vendor invoice. Or an attacker might pose as an employee and ask HR to change his direct deposit details. Or the attacker might send an email claiming that your account has been compromised and asking you to change your password using a link in the email. The first two are business email compromise (BEC) attacks: no malware and no stolen password is involved, only a convincing request to move money. The third is credential phishing. All three are social engineering.

The human factor and our tendency to trust

The success of social engineering attacks can be attributed to the fact that they exploit a human weakness: our tendency to trust. Timothy R. Levine, distinguished professor and chair of the department of communication studies at the University of Alabama at Birmingham, explains this tendency in his book Duped: Truth-Default Theory and the Social Science of Lying and Deception. Truth-default theory, backed by decades of empirical research, holds that humans have a near-universal default to accept incoming communication as truthful. The thought that maybe we should not trust the communication does not even come to mind. While this helps us function socially, it makes us vulnerable to deceit.

Malcolm Gladwell takes this a step further in his book Talking to Strangers, where he explains that defaulting to truth does not mean we have no doubts. Belief is not the absence of doubt. We trust because we do not have enough doubts to shake us out of our truth-default position.

Going back to the CEO impersonation example above, let's take a closer look at such an email and apply truth-default theory to it.

From: John.Doe1@gmail.com

To: Harry.Evans@xyz.com

Hi Harry,

I need an urgent favor from you. I am on the road and don’t have access to work email. I got a call from ABC corp regarding the recent invoice. It looks like they are making changes to their processes and request that we do a wire transfer this time around. Let me know if we can do this. I will get back with more information.

Regards,

John Doe


What will Harry's mindset be when he reads this email? He might be surprised that his CEO sent it from a Gmail account rather than his corporate account. Maybe there is some doubt. However, John explains that he is on the road and cannot access work email, and the Gmail address does carry John's first and last name. If Harry has doubts about the wire transfer, John has already explained why the vendor made this one-time request. There is a sense of urgency in the tone, and all John is asking is that Harry reply and say whether he can help. Why should Harry be concerned? An average person in this situation will default to trust. Note what the attacker has done: every anomaly Harry might notice (the free webmail address, the unusual payment method, the urgency) arrives pre-explained, and the only immediate ask is a harmless-looking reply. Once Harry replies and initial trust is established, the attacker's job gets easier: the bank details follow, and the fraudulent wire transfer is executed. This is why the standard control for any change to payment or banking details is verification through a channel the email did not supply, such as calling the vendor or the executive at a number already on file, rather than relying on the recipient's judgement alone.

How to protect your business from social engineering attacks?

While training your employees and raising awareness will help, it is not a fail-safe option. According to a McKinsey analysis, 28 percent of the workweek is spent reading and answering email. That translates to roughly 2.6 hours and 120 emails a day for the average American worker. That volume is a lot of information to process, and the human brain will not be vigilant enough, all the time, to spot malicious intent in every message.

An automated, multi-layered technical solution is therefore required to analyze incoming email and detect social engineering attacks. Typical layers include sender authentication (SPF, DKIM, DMARC) to reject mail that forges your own corporate domain; detection of display-name and lookalike-address impersonation of executives, which authentication alone does not catch, because a message sent from a real Gmail account passes Gmail's own checks; and content analysis for the urgency, pretext and payment-change language seen in the example above. The solution should be sophisticated enough to profile and predict such attacks and to stop suspicious emails before they reach your employees.
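To make the "profile and detect" idea concrete, here is an added example (not SilverSky's product code and not part of the original post) of a rule-based BEC triage pass over an inbound message. It parses the message with Python's standard email module, checks the sender for external/free-webmail origin and for a name that collides with an executive in an assumed directory, then scores the body for urgency, payment-change, "can't access work email" and reply-only-ask language. The corporate domain xyz.com, the executive directory, the rule weights and the thresholds are assumptions chosen for illustration; the three messages are constructed samples, the first being the CEO-fraud email from the text.

```python
"""Rule-based BEC / CEO-fraud triage for an inbound message (added example).

Assumptions, not facts from the page: the corporate domain, the executive
directory, the indicator weights and the verdict thresholds below.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

CORP_DOMAIN = "xyz.com"                      # assumed recipient domain (from the page's example)
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Assumed directory: normalised executive name -> the only address that name may send from.
EXECUTIVES = {"john doe": "john.doe@xyz.com"}
FLAG_AT, QUARANTINE_AT = 3, 8                # assumed score thresholds

# (indicator, weight, pattern) applied to the whitespace-normalised body text.
BODY_RULES = [
    ("urgency", 2, re.compile(r"\b(urgent(ly)?|asap|immediately|right away)\b", re.I)),
    ("payment_change", 3, re.compile(
        r"\b(wire transfer|direct deposit|bank(ing)? details|new account (number|details))\b", re.I)),
    ("email_access_pretext", 2, re.compile(
        r"\b(don'?t|do not|cannot|can'?t) (have )?access (to )?(my |work |corporate )?e-?mail\b", re.I)),
    ("reply_only_ask", 1, re.compile(r"\b(let me know if|are you available|can you handle this)\b", re.I)),
]


def normalize_name(s: str) -> str:
    """'John.Doe1' / 'JOHN DOE' -> 'john doe', so lookalikes compare equal to directory names."""
    s = re.sub(r"\d+", "", s)
    s = re.sub(r"[._\-]+", " ", s)
    return " ".join(s.lower().split())


def body_text(msg: Message) -> str:
    """Concatenate text/plain parts, whitespace-normalised so rules match across line breaks."""
    if msg.is_multipart():
        return " ".join(body_text(p) for p in msg.get_payload()
                        if p.is_multipart() or p.get_content_type() == "text/plain")
    raw = msg.get_payload(decode=True) or b""
    return " ".join(raw.decode(msg.get_content_charset() or "utf-8", "replace").split())


def header_hits(msg: Message) -> list:
    """Sender-side indicators: external origin, free webmail, executive name on a foreign address."""
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    hits = []
    if domain != CORP_DOMAIN:
        hits.append(("external_sender", 1))
        if domain in FREEMAIL_DOMAINS:
            hits.append(("freemail_sender", 1))
    # Display name or local part matches an executive, but the address is not that executive's.
    for candidate in {normalize_name(name), normalize_name(local)}:
        if candidate and EXECUTIVES.get(candidate) not in (None, addr):
            hits.append(("executive_lookalike", 4))
            break
    return hits


def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message and return the indicators that fired plus a verdict."""
    msg = email.message_from_string(raw_message)
    hits = header_hits(msg)
    text = body_text(msg)
    hits += [(rule, weight) for rule, weight, pattern in BODY_RULES if pattern.search(text)]
    score = sum(w for _, w in hits)
    verdict = "quarantine" if score >= QUARANTINE_AT else "flag" if score >= FLAG_AT else "deliver"
    return {"score": score, "hits": [name for name, _ in hits], "verdict": verdict}


# Constructed samples. The first is the CEO-impersonation email from the text.
SAMPLE_CEO_FRAUD = """\
From: John.Doe1@gmail.com
To: Harry.Evans@xyz.com
Subject: Quick favor

Hi Harry,

I need an urgent favor from you. I am on the road and don't have access to
work email. I got a call from ABC corp regarding the recent invoice. It looks
like they are making changes to their processes and request that we do a wire
transfer this time around. Let me know if we can do this. I will get back with
more information.

Regards,
John Doe
"""

SAMPLE_VENDOR = """\
From: Accounts Payable <ap@abc-corp.example>
To: Harry.Evans@xyz.com
Subject: Invoice 1042

Hi Harry, please find invoice 1042 for March attached. Terms are unchanged,
net 30, payable to the account on file. Thanks, ABC corp accounts payable
"""

SAMPLE_INTERNAL = """\
From: John Doe <john.doe@xyz.com>
To: Harry.Evans@xyz.com
Subject: ABC invoice

Harry, please process the wire transfer for the ABC invoice. Thanks, John
"""

if __name__ == "__main__":
    for label, raw in (("CEO fraud", SAMPLE_CEO_FRAUD), ("vendor invoice", SAMPLE_VENDOR),
                       ("internal payment", SAMPLE_INTERNAL)):
        r = triage(raw)
        print(f"{label:17} score={r['score']:2} verdict={r['verdict']:10} hits={r['hits']}")
```

The CEO-fraud sample trips every indicator (score 14, quarantined), the vendor invoice only registers as external mail (score 1, delivered), and the genuine internal payment instruction still lands on "flag" (score 3) because a wire transfer request is exactly the case that should go through out-of-band verification regardless of who appears to have sent it. Real deployments replace the hard-coded directory with the identity provider, tune weights against actual mail flow, and add sender-authentication results (SPF/DKIM/DMARC) as further inputs.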


Are you concerned about social engineering attacks? Do you fear your employees could receive such emails? Contact SilverSky to learn about our social engineering protection solutions.
