Social engineering prevention

20.05.2020

Back to blog list

Focus on the Real Issue

No matter how many thousands of dollars companies spend on firewalls to ensure that their systems cannot be penetrated from the outside, many businesses fail to sufficiently address the most critical issue of all. When cyber criminals target organizations, their target normally is people themselves, because they can be manipulated. 70 to 90 percent of data breaches occur as a result of social engineering. Social engineering is the practice of impersonation by cyber criminals to get employees, users, or customers to do things that they wouldn’t otherwise do and is not in their best interest. If a social engineering attempt is successful, all the money a company spends on firewalls could be in vain. 

Is Phishing a Social Engineering Attack?

Social engineering phishing is an attempt to defraud employees or users when the criminal poses as a person above him in the company or a well respected organization enjoying a high level authority and requests him to enter his login credentials or provide secret information about the company. Phishing e-mails are not the only thing to look out for. Individuals who are 35 years of age and up tend to prefer e-mail for their communication, but those who are below that age tend to prefer using their smartphones more. Scammers have adapted to this and now phishing scams come to people’s smartphones as well. Employees may be duped by a text message or e-mail claiming that they’ve won a gift card from iTunes or an impersonation of Microsoft billing staff claiming that they will experience a service interruption if they don’t send a payment for Microsoft office for the next year. 

Other Social Engineering Scams

Another step up from ordinary phishing is spear phishing. Is spear phishing a social engineering attack? You guessed it. This type of attack targets a particular individual. In this case, the attacker knows who the person is and pretends to be a particular person that person knows. He may commonly ask for his bank information or his username and password. This is how a number of celebrities have had their personal photos stolen, such as Jennifer Lawrence. Similar scams include pretexting social engineering, in which the attacker provides a clever, well thought out scenario in order to steal a person’s information. They may also pretend to be FAFSA writing to a student in order to confirm documents relative to his financial aid application process. Another one is tailgating social engineering. In the event of tailgating a person may follow an employee onto a company’s premises, posing for instance as a delivery man and asking for the employee to hold the door of a room that is authorized only for high up personnel. If he succeeds in getting into the sensitive area, he may download sensitive information onto a flash drive.

How to Prevent Phishing and Social Engineering

Just like other risks that companies have to face, one of the first decisions a company should consider is purchasing cyber insurance social engineering coverage. Because these scams are done with the employees’ consent, companies need to specifically buy an endorsement to their fidelity policy that covers these specifically, which may be subject to a sublimit. The best way to ensure employees spot a phishing e-mail is to train them not to click on malicious links, especially which do not lead to the specific domain of the company.

Many spam filters prevent these from actually reaching the inbox. The more a company stays up to date on the latest scam trends, the easier phishing detection will be.


Email Risk assessment Human factor