Social engineering, in a fairly general definition, is a set of techniques used to achieve specific goals through manipulation.
One of the most famous computer hackers, Kevin Mitnick, in his book “The Art of Deception” described techniques for gaining access to secret information using various, even the simplest, means of communication. The author proved that the weakest point of security systems is always the human. Security systems costing many millions of dollars can be defeated using data obtained through knowledge of human psychology, from naive or unaware employees.
Social engineering is one of the most popular and extremely dangerous methods used by cybercriminals because this type of attack is difficult to detect before damage occurs. Most often, those attacked remain completely unaware that they were induced to take specific action through manipulation.
The question arises: why do criminals in most cases have no problems obtaining information?
Here we must turn to psychology. People process most external stimuli automatically and rarely analyze why they act as they do, so a skillfully applied external stimulus reliably produces the intended behavior.
Attackers use the social influence techniques known as Robert Cialdini’s six rules:
- Rule of reciprocity – “If you did something good for me, I will also do something good for you” – a person feels obligated to reciprocate if they receive something for free from someone.
- Rule of social proof – “If other people behave in a certain way, it means that this way is correct and I will also behave the same way” – if a certain action is commonly considered right, it is easier to convince a specific person of it.
- Rule of liking – “If I like you, I will more willingly fulfill your request” – a person is more willing to fulfill requests from someone they like; we trust likeable people more.
- Rule of authority – “If I consider you an authority, I will more willingly fulfill your request” – a person is more willing to fulfill requests from people who have authority in their eyes, e.g., due to position or knowledge.
- Rule of scarcity – “If something is rare or hard to obtain, it is probably good” – greater value is assigned to things that are difficult to access or unique.
- Rule of commitment and consistency – “If I engaged in something, I will continue this action because I want to be perceived as a consistent person” – a person maintains an opinion on a specific matter only because they expressed that opinion in the past, even if they are wrong.
Social engineering activities are most often directed against:
- Employees unaware of threats – the decisive factor is how easily the needed information can be obtained from them,
- Those with special permissions – they offer a possible route to important data,
- Those working in key departments – they offer a possible route to the most important systems.
Remember that every attack is preceded by careful examination of the organization’s structure, employees’ scope of competencies, list of cooperating companies, and other publicly available information needed to establish the attack vector. The attacker recognizes the target, then (using the above-mentioned principles) gains sympathy and trust of a specific person, then induces them to take specific action, which is most often obtaining specific information. Activities of this type can affect many people in the company, and the acquired partial knowledge can be used to carry out a massive attack.
Typical examples include: impersonating an employee of the same enterprise, impersonating a person with authority, impersonating a new employee who needs help, or impersonating a representative of a company with which ongoing cooperation is being conducted.
Large companies with many branches or those where the internal communication system is insufficient and people don’t know each other are most exposed to this type of attack. This makes it easier to impersonate an employee of another department.
The biggest risk factor affecting all companies is low threat awareness. Often organizations themselves publish confidential data on the internet, inadequately supervise security systems, conduct control audits too rarely, and don’t properly classify information.
It is also worth remembering that social engineering attacks are not just phone contacts. Often criminals appear in person, posing as service company employees or sales representatives. They use virtually all available technologies: email, SMS, messages on social media portals or internet chats.
The most effective protection against social engineering influence is building employee awareness of potential threats and precisely defining the scope of information that should not leave the company.
How to Protect Yourself?
First of all, employee awareness at all levels should be built through periodic training that covers both theoretical material and practical skills. Employees who understand the psychological mechanisms at work and the schemes criminals typically use will recognize an attack more readily. It is worth remembering that simply instilling security principles may not be sufficient. Employees should know the reasons for introducing specific rules of conduct and understand both the benefits of following the guidelines and the consequences of breaking them.
Equally important is the introduction of an information security management system that clearly defines methods of information classification, responsibilities for individual system elements, and rules related to IT security (regulating, among others, the use of system passwords of appropriate complexity, the need for regular password changes, and storage methods). Documentation should take into account the risk of losing confidential information and describe potential losses (financial, moral, competitive advantage) resulting from data “leakage” of this type.
An important element of security policy is regular IT security audits. As a result, we obtain full knowledge that will allow verification of the effectiveness of applied procedures, check the company’s resistance to social engineering attacks, allow detection of problems, and above all enable the introduction of effective corrective actions.
Basic Precautions:
The rules for navigating the computerized world seem obvious, but we often forget about them:
- Access passwords – we should never share them with third parties. Remember that data administrators in all organizations have their own permissions and will never ask for an individual password! Different passwords should be used for each service, resistant to cracking (high degree of alphanumeric character complexity).
- Sharing information – the less data about ourselves and our organization we share, the harder it is for an attacker to manipulate us. Every detail, even a seemingly insignificant one, combined with other information can create a complete picture. This applies to all social media portals, public forums, chats, and mailing lists.
- Verification – before opening attached files or clicking on a link, you must check the SMS sender or the email sender’s domain. If you have any doubts about the source, delete the message without viewing its contents. In case of a phone call requesting data sharing, first ask for the caller’s contact details, then confirm the company’s phone number from a trusted source and call back. Only then can you be sure you are really talking to the right person.
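As an added illustration of the verification step above (example code written for this page, not from the original article), here is a small Python check that parses the From: header of a message, extracts the sender’s domain and compares it with an allow-list of trusted domains. It flags three things: a domain that is not on the list, a lookalike domain that embeds a trusted name (for example a trusted domain used as a subdomain of another one), and a display name that claims a trusted organisation while the address belongs elsewhere. The trusted-domain list and the sample headers are constructed assumptions.

```python
"""Sender-domain verification for an incoming e-mail (added example)."""
from email.utils import parseaddr

# Constructed allow-list: domains the organisation treats as its own or as
# known partners. A real deployment would load this from configuration (assumption).
TRUSTED_DOMAINS = {"example-corp.com", "partner.example"}


def parse_sender(from_header: str) -> tuple[str, str, str]:
    """Split a From: header value into (display name, address, domain), lower-cased."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    # rpartition would return the whole string when '@' is absent, so guard explicitly
    domain = addr.rpartition("@")[2] if "@" in addr else ""
    return name.lower(), addr, domain


def check_sender(from_header: str) -> dict:
    """Return a verdict: the parsed fields, a trusted flag and the reasons it failed."""
    name, addr, domain = parse_sender(from_header)
    findings = []
    if not domain:
        findings.append("no parsable address in From header")
    elif domain not in TRUSTED_DOMAINS:
        findings.append(f"domain {domain!r} is not on the trusted list")
        # Lookalikes: a trusted domain embedded in a longer one,
        # e.g. example-corp.com.evil.test or mail-example-corp.com
        for trusted in TRUSTED_DOMAINS:
            if trusted in domain:
                findings.append(f"{domain!r} looks like {trusted!r} (lookalike)")
    # Display name that names a trusted organisation while the address does not
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # "example-corp", "partner"
        if brand in name and domain != trusted:
            findings.append(f"display name claims {brand!r} but address domain is {domain!r}")
    return {"address": addr, "domain": domain, "trusted": not findings, "findings": findings}


# Constructed sample headers (not real mail)
SAMPLE_HEADERS = [
    "IT Helpdesk <helpdesk@example-corp.com>",
    "Example-Corp Helpdesk <helpdesk@example-corp.com.evil.test>",
    "Accounts Payable <ap@partner.example>",
    "Partner Billing <billing@partner-example.test>",
    "no address here",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict = check_sender(header)
        status = "OK  " if verdict["trusted"] else "FLAG"
        print(status, header, verdict["findings"])
```

Because the From: header is chosen by the sender, this check is a triage aid for the human verification step rather than a replacement for it; the mail gateway’s authentication results remain the authoritative signal for whether the domain was actually used.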