How to prevent social engineering attacks

Top tips for prevention


How to prevent social engineering attacks

What is a social engineering attack?

Social engineering attacks encompass a variety of business threats that have evolved and become more insidious in recent years. The ‘social’ element simply refers to the action taken – that is, these malicious activities are conducted via human interaction.

The main tool at the attacker’s disposal is psychological manipulation. Rather than a pump-and-dump attack directly into a system, social engineering attacks instead ‘trick’ a human into revealing sensitive business information or making security errors, which opens the door for the attacker to deploy their payload.

The biggest problem with social engineering attacks isn’t their prevalence or even their potential to cause damage to organizations. Rather, it’s that they rely very heavily on both human error and fear to be executed. This means the victim – whether it’s an individual employee or the entire company as a whole – must be at some level complicit (even unconsciously) for the attacks to be successful.

And because business leaders must not only worry about the threat of external social engineering threats, but also how their staff will react in adverse situations, the key to overcoming them is two-fold: adoption of secure technologies, and education.

The various forms of attack

The various forms of attack

It’s important to recognise that social engineering attacks are based on a ‘phased approach’ – that is, there are usually multiple steps from the first point of contact to the actual attack. The perpetrator will gather information on their target, unravel any weak security points or obvious entryways, then reach out to the victim and gain their trust before guiding them towards a particular action that leaves the business vulnerable to attack.

This social engineering life cycle of Investigation (identifying the victim), Hook (engaging and deceiving the target), Play (getting the necessary information and deploying the attack) and Exit (cutting contact without arousing suspicion or leaving any tracks) is something all business leaders should be aware of to spot a potential attack before it threatens the organization’s security.

Moreover, anyone with even low-level access to sensitive business materials should know some of the most common social engineering attacks:

  • Phishing: A common threat. Phishing can be done through email, SMS, social media and instant-messaging apps. The goal is to send malicious URLs which the victim will click on and provide sensitive information to the attacker.
  • Pretexting: This involves the attacker presenting themselves to the victim as a legitimate (often senior) source, using fake credentials in order to receive sensitive data. Trust plays a big role in the success of pretexting.
  • Watering hole: Watering holes are web pages filled with malicious code that, once an individual has entered the site, installs a backdoor trojan on the victim’s device, through which the attacker can gain access to their private information.
  • Whaling attack: A variation of phishing that specifically targets senior executives of both government entities and private organizations. A ‘spear phishing’ scam email is often used and masquerades as coming from a legitimate source.
  • Quid-pro-quo: This type of attack offers the victim a promise of something beneficial to them (often a service or product) in return for executing a specific action directed by the attacker.
  • Tailgating: The attacker (who doesn’t have the required authorization to access particular data or areas) ‘piggybacks’ off an authorized individual to gain access. This type of social engineering attack is most often achieved in real life, whether it’s the attacker asking an employee to hold the door open for them, or literally ‘tailgating’ behind them when passing through a swipe-key entryway.

Imperva: What is social engineering

Infosec: The most common social engineering attacks

Top tips for prevention

Top tips for prevention

Prevention is always better than cure, which is why forward-thinking organizations must stay up to date on the latest evolution in social engineering attacks. Depending on the variation of the attack, there are a number of preventative tools at your disposal:

  • Educate your team: Conduct detailed and regular training sessions about social engineering attacks and the overall management of sensitive materials. Also create a ‘data playbook’ that outlines in-house policies for accessing, transferring and managing all sensitive data. At the top of the list should be the directive that staff never open emails or attachments from suspicious sources, or engage with unknown individuals online.
  • Multi Factor authentication: Buffer your business security by deploying at least two-factor authentication (2FA) across your applications.
  • Update everything: All your antivirus, antimalware and firewall software should be updated as soon as possible to ensure any vulnerabilities are patched before they can be exploited.

When it comes to protecting your sensitive information, Canon and high-quality security services go hand in hand. Canon Office Security prevents security breaches from malware attacks while streamlining your compliance obligations. Critical Document Governance ensures all sensitive data is sent to the right place at the right time – every time – and Document Digitisation automates document workflows, improves sharing and cuts printing and storage costs to save you money.

Related solutions

Explore Further

Find out how Canon’s office solutions can help you create a safer connected office