
How to help prevent different types of social engineering attacks

Author: David Grady

Scam artists and criminals have been engaging in “social engineering” attacks long before the advent of computers and the Internet. From face-to-face deception and postal fraud to targeted telephone scams and e-mail phishing, socially engineered attacks have proven effective for centuries. Today, they’re a fact of life on the internet.

The Verizon 2020 Data Breach Investigations Report (DBIR) reports that social engineering was involved in nearly 33% of data breaches in North America, and it accounted for 29% of incidents in the Asia-Pacific region. Learning how to help prevent social engineering attacks starts with understanding what they are.  

What is social engineering?

Social engineering is deception, manipulation or intimidation of a person to gain illicit access to information assets. It is difficult to prevent because it exploits human psychology to bypass security protections. Often, criminals and scam artists target a specific person and use publicly available information about that person to trick them into sharing sensitive, private information.

Even the most security-minded individuals may be deceived under the right circumstances. Threat actors exploit employees who are distracted or busy, target employees on vacation or choose specific times when an industry is busy. They use intimidation, fear and greed, and they even exploit the impulses of good people who try to be helpful.

The 2020 DBIR reported that social engineering is involved in 22% of the data breaches studied worldwide. The top social engineering attack methods were email (96%) and websites (3%). However, phone calls, text messages and social media are also common types of social engineering attack methods. The main compromise target for social engineering was credentials. However, threat actors also target personal data, internal business data, medical data and bank data.  

Types of social engineering attacks

Verizon tracks a variety of social engineering attacks each year. The two most prevalent types of social engineering attacks are phishing and pretexting.

Phishing

Phishing attackers impersonate a legitimate user or institution and use fear, urgency or curiosity to deceive their targets. The attackers aim to get users to click on a malicious link, open a malware-laden attachment, or reveal login credentials.

A more sophisticated version of the technique is “spear-phishing.” Spear-phishing attackers research their target beforehand and tailor their approach to improve chances of success. When spear-phishing is aimed at executives or senior management, it’s called “whaling”, and it usually aims to steal sensitive company information.

Phishing attacks are prevalent. They topped the list of threat action types for data breaches in both Verizon’s 2019 and 2020 DBIRs, at more than 20% of breaches in each report.

Furthermore, phishing attacks are a particular concern during the heightened emotions of crisis events such as the COVID-19 pandemic. A March 2020 COVID-themed phishing simulation that Verizon analyzed saw a threefold increase over pre-COVID levels in users falling for phishing scams. The users not only clicked on phishing links but also provided login credentials to the simulated phishing webpage.

Pretexting

Pretexting is another common type of social engineering attack. It involves an actual dialogue between the attacker and the victim, and often begins with a phishing attempt. Pretexting attackers attempt to build trust with their victims. The attacker usually pretends to be someone in a position of authority who has the right to access the sought-after information or who can help the victim. Attackers use this method to trick individuals into revealing information that can be used in a later attack.

How to help prevent social engineering attacks

Although a social engineering attack is difficult to prevent, you can take steps to mitigate the threat. Here are our recommendations.

  • Implement social engineering training at least annually. Make it part of your security training for all authorized users, from the board on down. Conduct simulated phishing attacks.
  • Use posters, login banners and regular emails to promote awareness of the danger of social engineering. Real-life scenarios are the most helpful way to illustrate the threat.
  • Use multi-factor authentication, especially for webmail access and financial transactions.
  • Enhance sensitive business processes; for example, require that any money transfer be signed off by two staff members.
  • Use strong passwords and change them frequently.
  • Use email gateway security that can spot suspicious sender domains and malicious links. Focus on options that use AI tools to detect inauthentic behavior.
  • Remove local administrative rights.
  • Deploy group policy objects (GPOs) to block executable files, and disable macros and other risky attachments.
  • Patch and update operating systems and software as early and often as possible to minimize impact of malware.
  • Ensure that even company-issued mobile devices have antivirus software in case employees open malicious phishing messages.
  • Test and validate back-up processes, and maintain offline back-ups.
  • Regularly test your corporate incident response (IR) plan and security posture with real-life scenarios to see how your organization would stand up against social attacks.
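The email-gateway item above is the most mechanical of these recommendations, so here is an added, illustrative example of the kind of check such a gateway performs. This is code written for this page, not Verizon's code or any product's. It scores a raw RFC 822 message on five signals drawn from the attack patterns described earlier: failed SPF/DKIM/DMARC results, a sender domain that is a confusable or near-miss lookalike of the organisation's own, a display name matching a senior employee but sent from outside (the whaling pattern), a Reply-To that steers replies elsewhere, and links whose visible text names a different host than the href. The protected domain `example.com`, the senior-staff name list, the weights and both sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example (constructed, not taken from the article):
PROTECTED_DOMAIN = "example.com"      # the organisation's own mail domain
KNOWN_SENIOR_STAFF = {"jane doe"}      # display names an attacker would impersonate
# Characters commonly substituted to build a lookalike of a legitimate domain.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
WEIGHTS = {"auth_fail": 3, "lookalike_domain": 3, "display_name_impersonation": 2,
           "reply_to_mismatch": 2, "link_mismatch": 3}

def levenshtein(a: str, b: str) -> int:
    # Plain dynamic-programming edit distance; domains are short, so this is cheap.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_confusables(domain: str) -> str:
    # Map confusable characters back to the letters they imitate.
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw: str) -> dict:
    """Return a score and a list of (signal, detail) findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Upstream authentication results: anything but "pass" for SPF/DKIM/DMARC.
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            if result.lower() != "pass":
                findings.append(("auth_fail", f"{mech.lower()}={result.lower()}"))
    # 2. Sender domain that is a confusable or near-miss lookalike of our own, and a
    #    display name that matches a senior employee but comes from outside.
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if from_domain and from_domain != PROTECTED_DOMAIN:
        if (normalize_confusables(from_domain) == PROTECTED_DOMAIN
                or levenshtein(from_domain, PROTECTED_DOMAIN) <= 2):
            findings.append(("lookalike_domain", from_domain))
        if any(name in display.lower() for name in KNOWN_SENIOR_STAFF):
            findings.append(("display_name_impersonation", f"{display} <{addr}>"))
    # 3. Reply-To steering replies to a domain other than the From domain.
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rsplit("@", 1)[-1].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"{from_domain} -> {reply_domain}"))
    # 4. Links whose visible text names one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").removeprefix("www.")
            shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
            if shown and shown.group(1).removeprefix("www.") != href_host:
                findings.append(("link_mismatch", f"shown={shown.group(1)} href={href_host}"))
    return {"score": sum(WEIGHTS[tag] for tag, _ in findings), "findings": findings}

# Constructed sample messages (not real mail); the first exercises every signal.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: payments@mail-relay.invalid
Subject: Urgent wire transfer needed today
Content-Type: text/html; charset="utf-8"

<html><body><p>Process the attached invoice now and confirm at
<a href="http://login.evil.invalid/verify">https://portal.example.com/verify</a></p></body></html>
"""
SAMPLE_CLEAN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Jane Doe" <jane.doe@example.com>
Subject: Q3 planning
Content-Type: text/html; charset="utf-8"

<html><body><p>Slides: <a href="https://portal.example.com/q3">https://portal.example.com/q3</a></p></body></html>
"""
```

Calling `triage(SAMPLE_PHISH)` returns every signal and a score of 16 under the assumed weights, while `triage(SAMPLE_CLEAN)` returns no findings. In a gateway these scores would drive a policy (quarantine above a threshold, tag the subject, rewrite links) rather than a return value; the point is that each signal is a concrete header or body check that holds up even when the message wording is convincing, which is exactly where user awareness alone tends to fail.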

How to respond to social engineering attacks

If your organization does become a victim of a social engineering attack, it’s important to handle the incident correctly. Here are some of the response and investigation measures that should be taken.

  • Review the IR plan, making sure it covers mitigation and response to social attacks.
  • Get the IR team to train with the IR plan to help it react to and neutralize threats effectively.
  • Retain sufficient email and network logs.
  • Develop key third-party relationships prior to an attack. Useful third parties include law enforcement, forensic firms, outside counsel, external public relations firms and cyber insurance carriers.
  • Follow forensically sound methods during an investigation.
  • Collect evidence in order of volatility: volatile data first, then memory dumps, then forensic disk images.
  • Engage law enforcement when necessary.
  • Know your IR team’s skill limitations and do not attempt to exceed your abilities. Call a third-party forensic firm for help when necessary.

Learn how the Verizon Threat Research Advisory Center can help your organization stay up to date on the latest trends in social engineering attacks, how to help prevent social engineering attacks and how to respond when an attack does occur.

David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.