Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Social Engineering: How an Email Becomes a Cyber Threat

Social Engineering has been a staple of fraud since the dawn of time. There are even movies that glorify the fraudsters for their elaborate schemes. The Sting and American Hustle are great examples and there are many more. As the world has become more digital fraudsters have learned to leverage technology to massive scales.

Social Engineering has been a staple of fraud since the dawn of time. There are even movies that glorify the fraudsters for their elaborate schemes. The Sting and American Hustle are great examples and there are many more. As the world has become more digital fraudsters have learned to leverage technology to massive scales. When you add in social networking hackers now have a fertile environment to sow their mischief.

As data moves online, social engineering techniques, where cyber thieves perform reconnaissance, collecting personal information of company employees and then attempting to get those employees to take an action, have become far more personalized, technologically advanced and ultimately successful.

Enterprises and their employees should be aware of multiple social engineering techniques.

Baiting is one in which an attacker offers an incentive to draw in a target and can be effective in convincing a person to download malicious software onto his or her computer.

Pretexting is another in which an individual uses misrepresentation to gain access to privileged information. This technique has been increasingly successful as cyber thieves gain access to identifying information to personalize the attack.

• And, perhaps the most well-known type of social engineering is phishing, a technique in which an attacker attempts to obtain private information such as a social security number or authentication code. In phishing scams, a fraudulent email or other form of communication is often disguised as a legitimate engagement from a “trusted” source requesting information. Like with pretexting, phishing attempts tend to be most successful when the attempt is personalized.

Spear-phishing, a derivative of phishing, is targeted at a specific person or role in an organization. Hackers leverage freely available information to craft an email likely to appeal to the target.

There are two crucial, complimentary actions companies should take in order to decrease the likeliness of successful social engineering. These are incorporating technology solutions that tackle social engineering head on and implementing a robust training program for employees to better understand these techniques. These two actions reduce the frequency of occurrence (by identifying and blocking attacks) and the likelihood of success of an attack when one evades your defenses.

Advertisement. Scroll to continue reading.

How to Defend Against These Attacks

Today, one of the best ways to defend against social engineering is to beef up security through employee education. In combination with technology solutions, employee education can help build awareness to common social engineering techniques, such as phishing. According to the 2015 Data Breach Investigations Report by Verizon, nearly one in four employees will open a phishing email.

Rather than training employees based on theoretical ideas, companies should adopt a real-world training approach. Smart companies will incorporate security testing tailored to employee’s everyday business operations. These simulations ensure all products, applications and networks are sufficiently robust to cope with potential threats; allows them to see what an attack actually looks like; and how easily it can happen. Perhaps most importantly, it lets companies assess the security awareness of their staff, and the effectiveness of their security training.

Effective training can have a great impact on the effectiveness of phishing attacks. However, ultimately action is in the hands of the employees, which means there is never a 100% guarantee that a social engineering attack won’t be effective. To further mitigate these risks; however, companies should consider a risk assessment related to various forms of penetration including their email security solutions.

The benefits of a dedicated email security solution to bolster protection for this critical vulnerability point are extensive. In addition to combatting email-based malware attacks, an email security solution will allow firms to monitor for communications that could be indicative of phishing, baiting, pretexting and other known social engineering techniques.

When considering on premise based solutions versus cloud based solutions the most commonly cited pro-cloud factors are added cost efficiencies, real-time updates and greater flexibility businesses. However, a cloud based solution to email security can have a significant effect, far beyond the typical benefits the IT team has come to know. With this type of solution:

Protection not just detection can be achieved: Stopping attempts at social engineering at the point of entry, IT teams are offering actual prevention.

Isolation: Malware never enters a system: Reducing the frequency and likelihood of success of an attack is not a guarantee. By isolating the email system on a hosted network you can prevent social engineering attacks from ever hitting an end user’s machine and IT teams can ensure that links can’t be clicked and malware can’t be installed.

More real-time security programs can be advanced: Considering one of a handful of email security vendors that offers URL re-writing at the time of a click-through, businesses can minimize security risks.

Bad actors and hackers will continue to identify innovative ways to attack enterprises. Therefore, a two-pronged methodology that incorporates employee education and a dedicated email security solution is needed. This limits the number of potentially malicious emails that make it to employees and prepares them to handle those that get through.

While there is no way to guarantee thieves won’t gain access to a company’s network, these techniques can make it far more difficult for criminals to launch a successful social engineering attack.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.