March 13, 2015 By Christopher Burgess 3 min read

When we think of social engineering, our mind’s eye takes us to the vision of the flimflam man or snake oil salesman talking fast and smooth. The con artist’s sole goal is to separate you from your money. If you are lucky, it is for a product of some dubious quality. In the context of information or data protection, the goal is very similar: The individual on the other end of the engagement is attempting to convince you to engage in a specific action.

These unscrupulous individuals may be behind phishing emails, pretext calls and "emergency" requests, all of which are designed to look routine and to get you to take an action, such as clicking a link, answering a question or providing access. Technology is only one part of the equation: an employee can undo a technical control with an answer, a click or an action. The following are three reasons why social engineering remains a threat to every company:

1. We Are Helpful by Nature

One of the most successful social engineering techniques is the request for help, whether it comes by phone or in person. The individual engaging your employee may be posing as an employee, customer, vendor or member of the media. They project a need for assistance, always with a bit of urgency thrown in, and never with any mention of the damage your employee's assistance may do to the company.

For instance, someone could simply pose as a senior vice president, call the company switchboard or a random employee and spin the following tale of woe:

“My laptop crashed, and I am operating off my tablet, which isn’t configured for the corporate VPN. So, I can’t get to my corporate email, but I need to reach out to my team. Would you be so kind as to forward the employee directory to my personal email? I need to reach out to them now, as my meeting with the client is in one hour.”

Would your employees deflect? Have you prepared them for the false escalation that accompanies a denial, such as demands for their name or their supervisor’s name and their contact information to ensure the employee is punished?

Similarly, imagine a man has shown up at the side door of one of your company buildings. He is wearing company logo wear and, to the casual observer, appears to be an employee heading into the office via the side entrance. He is wearing an ID that is either real or looks real. What he doesn’t have is the building’s PIN code or a badge with a valid credential that the card reader will accept. He adjusts his pace or otherwise loiters so he can slip in behind an employee with legitimate access. Once inside, he wanders around and collects laptops, smart cards, hard drives and papers.

How would your employees handle someone following them through the door? Would they hold the door and insist that the person swipe their own badge or enter the PIN code, or would they hold the door open and go about their business?

2. We Are Curious Beings

We have all been encouraged to be curious since before we were out of diapers. We are supposed to ask questions, try exotic foods, read new things and stay abreast of the news. The social engineering professionals trying to gain a foothold on your company-issued devices and, by extension, the network, craft their emails and social networking posts to entice your employees to click. They use news on natural disasters, epidemics, economic concerns, elections, holidays or the absurd, all designed to pique your employees’ curiosity so they will take action. How would you implement, and enforce, a no-click policy?

3. We Are Efficient Multitaskers

Who among your staff isn’t efficient at multitasking? In this always-on world of virtual meetings and engagement, your employees may be talking on the phone and scanning their inbox at the same time. Social engineering adversaries count on this when they conduct reconnaissance prior to mounting an attack. Multiple innocuous queries can be spread across the enterprise, for example pretext calls asking about the bring-your-own-device policy or whether social networks are reachable from the company network. Each answer feeds into a pretext that, when it finally arrives, looks normal and within policy to the recipient.

What Should You Do to Combat Social Engineering?

If you are using a data loss prevention (DLP) system, you already know you have to invest time and energy in a data classification regime; the classification labels are what let the system tune out the noise of false positives. Likewise, you must enforce least-privilege access (need to know). You also need a robust security information and event management (SIEM) process so that you learn of attempts to access information and of successful but out-of-pattern access to it. These foundational elements need to be coupled with a comprehensive security awareness program that is provided continuously. You can’t stop adversaries from targeting your company or employees, but you can be prepared for their arrival.
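As an added example (not code from the original article, and not the rule syntax of any DLP or SIEM product), the following Python sketch shows what the two detection ideas in the paragraph above look like when run over log lines: a per-user baseline that surfaces out-of-pattern access to information, and a classification label deciding whether data leaving the company deserves an alert. It also covers the scenario from the "senior vice president" call earlier in the article, an internal employee directory being mailed to an outside address. The log format, user names, domains, classification labels and the corporate domain list are all assumptions constructed for this example.

```python
"""Added example, not from the original article or any product: a small
SIEM-style correlation pass over constructed log lines.  Rule 1 flags a user
reading a resource absent from that user's baseline; rule 2 flags a labelled
attachment mailed to an external domain.  Every name, domain, label and log
line below is constructed for this example."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

CORPORATE_DOMAINS = {"example.com"}              # assumed corporate mail domain
SENSITIVE_LABELS = {"internal", "confidential"}  # assumed classification labels

# Constructed sample log. Format: ts|event|user|detail
#   access   -> detail is the resource path that was read
#   mail_out -> detail is "recipient;classification-label-of-attachment"
SAMPLE_LOGS = """\
2015-03-02T09:05:00|access|jdoe|hr/employee_directory.xlsx
2015-03-02T09:40:00|access|jdoe|hr/benefits_faq.docx
2015-03-03T10:15:00|access|asmith|eng/build_notes.txt
2015-03-03T11:02:00|mail_out|jdoe|payroll@example.com;internal
2015-03-04T14:30:00|access|asmith|eng/build_notes.txt
2015-03-09T08:55:00|access|jdoe|hr/employee_directory.xlsx
2015-03-09T09:01:00|mail_out|jdoe|svp.personal@mail.example.net;internal
2015-03-09T09:30:00|access|asmith|hr/employee_directory.xlsx
2015-03-09T09:45:00|access|asmith|eng/build_notes.txt
2015-03-09T10:00:00|mail_out|asmith|team@example.com;public
"""

Event = Tuple[datetime, str, str, str]


def parse_logs(text: str) -> List[Event]:
    """Parse 'ts|event|user|detail' lines, skipping blank or malformed ones."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, parts[1], parts[2], parts[3]))
    events.sort(key=lambda e: e[0])
    return events


def build_baseline(events: List[Event], cutoff: datetime) -> Dict[str, Set[str]]:
    """Resources each user read before the cutoff: that user's normal pattern."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for ts, kind, user, detail in events:
        if kind == "access" and ts < cutoff:
            baseline[user].add(detail)
    return dict(baseline)


def recipient_is_external(recipient: str) -> bool:
    """Exact match on the domain after '@'; 'example.com.evil.net' is external."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower()
    return domain not in CORPORATE_DOMAINS


def detect(events: List[Event], cutoff: datetime) -> List[Dict[str, str]]:
    """Evaluate events at or after the cutoff against the learned baseline."""
    baseline = build_baseline(events, cutoff)
    alerts: List[Dict[str, str]] = []
    for ts, kind, user, detail in events:
        if ts < cutoff:
            continue
        if kind == "access":
            known = baseline.get(user)
            if known is None or detail not in known:
                # A user with no baseline at all is flagged as well: a brand-new
                # account reading the directory deserves a look, not a silent pass.
                alerts.append({
                    "time": ts.isoformat(), "rule": "out_of_pattern_access",
                    "user": user, "detail": detail,
                    "why": "no baseline for user" if known is None
                           else "resource never seen for this user",
                })
        elif kind == "mail_out":
            recipient, _, label = detail.partition(";")
            if label.strip().lower() in SENSITIVE_LABELS and recipient_is_external(recipient):
                alerts.append({
                    "time": ts.isoformat(), "rule": "classified_data_outbound",
                    "user": user, "detail": recipient,
                    "why": f"{label.strip()} attachment sent to external domain",
                })
    return alerts


def run_example() -> List[Dict[str, str]]:
    """Baseline is everything before 2015-03-05; later events are evaluated."""
    return detect(parse_logs(SAMPLE_LOGS), datetime(2015, 3, 5))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed log this raises exactly two alerts: jdoe mailing an "internal" attachment to svp.personal@mail.example.net, and asmith reading hr/employee_directory.xlsx, which never appeared in asmith's baseline. jdoe's own read of the directory is silent because it is part of that user's established pattern, which is the point of least privilege plus a baseline: the alert fires on the deviation, not on the resource. Two design choices are worth carrying into a real rule set: the external-domain check is an exact match on the domain part, so look-alike domains such as example.com.evil.net are not mistaken for corporate mail, and a user with no baseline at all is flagged rather than ignored.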
