
TL;DR

This blog post discusses the continued relevance of social engineering attacks and presents eight measures for preventing them: training and awareness, multifactor authentication, adequate email security, updated antivirus, regular updates and patching, a positive security culture, transparency about attacks that were stopped or that succeeded, and making sure the relevant policies and procedures are followed.

What is social engineering

Social engineering is the art of using manipulation and psychological persuasion to make people compromise the information systems they have access to. Common examples are phishing, spoofing and Business Email Compromise (BEC). These attacks rely less on technical exploitation than "traditional hacking" does and more on the target: trust, fear, urgency and temptation are the tools attackers use to gain access to systems, confidential information and user accounts, or to get the victim to perform an action on their behalf, such as a payment.

Although social engineering is not new, attackers constantly refine their methods, and attacks are becoming more sophisticated. The number of attempted frauds using social manipulation is increasing steadily, and this type of fraud appears to be the most profitable method for criminals, according to the Norwegian Financial Supervisory Authority (Finanstilsynet).

Examples of social engineering on the world stage

Social engineering is used both by criminal actors and by actors associated with nation states, and it has been prominent during the war between Russia and Ukraine. Since the 2014 Russian invasion and annexation of the Crimean Peninsula, cyberattacks against Ukraine appear to be part of Russia's hybrid warfare, with social engineering as one of the attack vectors used.

There have been multiple phishing campaigns by Russian actors, for instance by the Russia-linked group SEABORGIUM, whose activity likely supports traditional espionage objectives. Its primary targets are in NATO countries, and Microsoft reports that since the beginning of 2022 SEABORGIUM has targeted over 30 organisations. SEABORGIUM's phishing is typically targeted: the actor uses the victim's areas of interest to establish contact and gain their trust before delivering the malicious content used to infiltrate the organisation. Other Russian threat actors have sent phishing emails impersonating a manager in the targeted organisation, with the malicious content disguised as a security awareness programme.

The examples above are only a few of the many ways an organisation can encounter social engineering. These attacks are used by many types of threat actor and take many forms. The following sections outline countermeasures that, based on our experience, should be taken to prevent social engineering attacks and to limit their impact.

Countermeasures

Training and awareness. As attackers develop new methods and scams, employees need regular reminders of how to recognise and prevent them. Security training and awareness activities should be run on a regular basis to refresh best practices and to cover the new methods and tools attackers may use, and they should make clear how and where a suspicious message is reported.

Multifactor authentication (MFA) is an important measure against social engineering and should not be forgotten. If an attacker steals a username and password, the password alone does not grant access when a second factor is required. Using MFA on all systems is therefore a good preventive measure. Not all second factors are equal, however: one-time codes sent by SMS or generated by an app can be relayed in real time by a phishing page that proxies the login to the real site, and push notifications can be approved out of habit, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys bind the credential to the legitimate site's origin, so a look-alike domain cannot use it.
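The following simulation illustrates both points above: a stolen password fails against a TOTP second factor, a phishing proxy that relays the user's code in real time still succeeds, and an origin-bound factor rejects the relayed login. It is example code written for this post's argument, not code from the original page. All secrets, passwords and domains are constructed, and the origin-bound factor mimics WebAuthn's structure (the browser, not the user, puts the origin into the signed client data) but uses an HMAC with a shared key as a stand-in for the authenticator's asymmetric signature.

```python
"""Added example: stolen password vs. MFA, and the real-time relay caveat.
Constructed secrets and domains; HMAC stands in for a WebAuthn signature."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"    # constructed legitimate site
PHISH_ORIGIN = "https://login.examp1e.com"   # constructed look-alike phishing site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1. TOTP (RFC 6238) is HOTP with counter = time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _client_data_sig(device_key: bytes, client_data: dict) -> bytes:
    # Stand-in for the authenticator signing authenticatorData || hash(clientDataJSON).
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(device_key, payload, hashlib.sha256).digest()


class Server:
    """Minimal relying party holding one user's password hash, TOTP seed and device key."""

    def __init__(self, password: str, totp_seed: bytes, device_key: bytes):
        self.pw_hash = hashlib.sha256(password.encode()).digest()  # demo only; use a real KDF
        self.totp_seed = totp_seed
        self.device_key = device_key
        self.used_steps = set()  # each TOTP code may be accepted once

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.pw_hash)

    def login_totp(self, password: str, code: str, now: int) -> bool:
        if not self.check_password(password):
            return False
        step = now // 30
        for s in (step, step - 1):  # tolerate one step of clock skew
            if s not in self.used_steps and hmac.compare_digest(code, hotp(self.totp_seed, s)):
                self.used_steps.add(s)
                return True
        return False

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def login_origin_bound(self, password: str, client_data: dict, signature: bytes) -> bool:
        """WebAuthn-style check: the signed client data must name this site's origin."""
        if not self.check_password(password):
            return False
        if client_data.get("origin") != REAL_ORIGIN:
            return False  # credential was exercised on another site: phishing
        return hmac.compare_digest(signature, _client_data_sig(self.device_key, client_data))


def device_sign(device_key: bytes, challenge: str, origin_seen_by_browser: str):
    """Simulated authenticator; the origin comes from the browser, not from the user."""
    client_data = {"challenge": challenge, "origin": origin_seen_by_browser}
    return client_data, _client_data_sig(device_key, client_data)


def scenario(now: int = 1_700_000_000) -> dict:
    seed, dev = b"constructed-totp-seed", b"constructed-device-key"
    srv = Server("hunter2", seed, dev)
    out = {}
    # 1. Attacker holds the stolen password but no second factor.
    out["password_only"] = srv.login_totp("hunter2", "000000", now)
    # 2. Legitimate user logs in on the real site with the current code.
    out["totp_legit"] = srv.login_totp("hunter2", hotp(seed, now // 30), now)
    # 3. Later, the user types password and code into the phishing page; the
    #    proxy forwards both to the real site a few seconds later, within the window.
    t2 = now + 120
    phished_code = hotp(seed, t2 // 30)
    out["totp_relayed"] = srv.login_totp("hunter2", phished_code, t2 + 3)
    # 4. Origin-bound factor used on the real site.
    cd, sig = device_sign(dev, srv.new_challenge(), REAL_ORIGIN)
    out["origin_bound_legit"] = srv.login_origin_bound("hunter2", cd, sig)
    # 5. Same relay: the phishing page forwards the real challenge, but the user's
    #    browser is on PHISH_ORIGIN and that is what the device signs over.
    cd, sig = device_sign(dev, srv.new_challenge(), PHISH_ORIGIN)
    out["origin_bound_relayed"] = srv.login_origin_bound("hunter2", cd, sig)
    return out


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:22} login accepted: {ok}")
```

Step 3 is the adversary-in-the-middle case: the server cannot tell a relayed code from one typed on the real site, because nothing in a TOTP code says where it was entered. Step 5 fails only because the origin is part of the signed data and is supplied by the browser.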

Updated antivirus can stop malicious code from executing. If someone has fallen for a phishing attack by clicking a link or opening a harmful attachment, an up-to-date antivirus or endpoint detection and response (EDR) agent can block the payload from running on the endpoint and limit further damage. It is a safety net rather than a guarantee, since attackers test their payloads against common products before sending them.

Adequate email security is essential, as social engineering attacks often arrive by email. Sender Policy Framework (SPF) lets a domain owner publish in DNS which mail servers may send mail with that domain as the envelope sender (MAIL FROM), so a receiving server can reject mail sent from anywhere else. On its own, SPF does not check the From address the user actually sees, which is the one attackers spoof. DomainKeys Identified Mail (DKIM) adds a digital signature over selected headers and the body, verified against a public key published in DNS, so receivers can detect tampering and confirm which domain signed the message. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on both: it requires that the domain authenticated by SPF or DKIM aligns with the domain in the From header, lets the domain owner publish what receivers should do with mail that fails (none, quarantine or reject), and gives the owner aggregate reports about who is sending mail in the domain's name. Together these make it hard for an attacker to send phishing mail that appears to come from your own domain; they do nothing against look-alike domains or compromised mailboxes, which is why the organisational measures below still matter.
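As an added example (written for this post, not code from the original page), the following shows how a receiving server combines SPF and DKIM results with a DMARC policy, including the alignment check that makes DMARC more than the sum of the two. The DNS zone, domains and authentication results are constructed; real receivers determine the organisational domain with the Public Suffix List, which is simplified here to "the last two labels".

```python
"""Added example: DMARC policy discovery, alignment and disposition (RFC 7489 logic,
simplified). Constructed DNS data; not code from the original post."""

# Constructed DNS TXT records. Only example.com publishes DMARC, with a stricter
# DKIM alignment (adkim=s), relaxed SPF alignment (aspf=r) and a subdomain policy (sp=).
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s; "
                          "rua=mailto:dmarc@example.com",
}


def org_domain(domain: str) -> str:
    """Simplification: last two labels. Real code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and require the mandatory tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return tags


def lookup_policy(header_from: str):
    """Try _dmarc.<From domain>, then fall back to the organisational domain.
    Returns (policy, came_from_org_domain); sp= only applies in the fallback case."""
    rec = ZONE.get("_dmarc." + header_from.lower())
    if rec:
        return parse_dmarc(rec), False
    rec = ZONE.get("_dmarc." + org_domain(header_from))
    if rec:
        return parse_dmarc(rec), True
    return None, False


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(header_from: str, spf: tuple, dkim: tuple) -> tuple:
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain of a verified signature).
    Returns (dmarc_result, disposition) as a receiver would apply it."""
    policy, from_org = lookup_policy(header_from)
    if policy is None:
        return "none", "none"  # no DMARC record: receiver is on its own heuristics
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = policy["sp"] if from_org and "sp" in policy else policy["p"]
    return "fail", disposition


if __name__ == "__main__":
    cases = {
        "legit, SPF aligned (relaxed)":    ("example.com", ("pass", "bounce.example.com"), ("none", "")),
        "spoof: SPF passes for attacker":  ("example.com", ("pass", "attacker.example"), ("none", "")),
        "DKIM from subdomain, strict":     ("example.com", ("fail", "example.com"), ("pass", "mail.example.com")),
        "subdomain, nothing passes":       ("news.example.com", ("fail", "x.example"), ("none", "")),
        "no DMARC published":              ("other.example", ("fail", "x.example"), ("none", "")),
    }
    for name, (hf, s, d) in cases.items():
        print(f"{name:34} -> {evaluate(hf, s, d)}")
```

The second case is the one SPF alone gets wrong: the attacker's own sending domain passes SPF, but it does not align with the From header the victim sees, so DMARC fails and the published policy (reject) applies.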

Updating and patching clients, software, firmware and browsers also limits the damage a social engineering attack can do: a phishing link or attachment often relies on a known vulnerability to run its payload, and staying up to date removes those known vulnerabilities and closes the gaps attackers exploit.

Culture. A culture that promotes security and views it as something positive can influence employees' perspective and sharpen their focus on security and awareness training. By emphasising that information security is important, valued and essential for the organisation's success, employees become more inclined to engage with training and awareness programmes instead of treating them as a mandatory task that deserves little attention. A culture that does not shame the individual who clicked a phishing link encourages employees to tell the IT or security department immediately, because they are not afraid of being shamed, and that increases transparency. The longer such a mistake goes unreported, the more time the attacker has to achieve their goals.

Transparency about falling for, or stopping, a social engineering attack helps prevent similar attacks in the future. Sharing information, whether within the organisation or with external parties, gives others facts about the methods attackers use and makes it easier to recognise and prevent similar attacks.

Policies and procedures can be effective tools against social engineering. For instance, a third party may ask the finance department to change the account number that payments are sent to. To prevent a BEC attack from exploiting such a request, a helpful procedure is to require that new account numbers are confirmed over a different channel when the amount exceeds a certain value: if the request arrived by email, it is verified by calling the third party on a phone number already on file, not one given in the email.

Concluding remarks

Social engineering is a field in constant change, and threat actors keep finding new ways to exploit systems and people. Social engineering attacks can cause great damage on their own, but they are also often the gateway to more technical and sophisticated attacks, so it is important that organisations and individuals take appropriate measures to protect themselves. The countermeasures outlined here address both technical and organisational aspects and together reduce both the likelihood and the impact of social engineering attacks. While some, such as establishing a positive security culture, take more time and effort to implement, every step outlined helps protect against these attacks and makes your organisation more secure.
