The Ultimate Guide to Phishing & Social Engineering

When a growing organization is trying to find an effective approach to cybersecurity, the options can get overwhelming. You want to protect your organization from risk, but it’s hard to figure out which resources are worth the investment. Some teams might ask if they need to hire additional cybersecurity personnel or purchase automated tools that can play the role of a security team. 

However, there’s good news: your organization already has the right team in place to take significant steps toward cybersecurity success. You’ve already hired them, and they’re well suited to implement some of the most effective cybersecurity practices.

Who is this team? You might be surprised to learn we’re referring to your current employees. When your staff is well-versed in the basics of phishing and social engineering, you can take your organization’s cyber-risk mitigation to the next level without even needing to hire an in-house security team. To further bolster your team’s defenses, we’ve compiled a guide to phishing and social engineering so your organization can take the first steps to prevent cyberattacks.

How Employees Can Prevent Cyber Risk

Your organization’s employees are integral to your company’s cybersecurity posture because they protect what no one else can: the files, data, and intellectual property that pass through their computers, inboxes, and cloud storage daily. 

Since it’s up to your staff to protect all these assets, a slight misstep from one team member could harm the whole organization. As social engineering is the most common type of cyberattack to affect employees and phishing tends to influence today’s largely remote staff, we’ll focus on these two cyberthreats and how your team can protect your organization.

What is social engineering?

Social engineering is when a bad actor uses persuasive tactics to manipulate someone’s emotions or behavior to get them to divulge sensitive data or restricted information at a business. Many are well-versed in human psychology and employ advanced methods to access user credentials, sensitive data, etc. 

What is phishing?

Many organizations are shifting toward cloud computing, making phishing a common type of social engineering in today’s business world. Phishing is a form of psychological manipulation that uses an email, text, phone call, or malicious website to obtain sensitive information. A bad actor poses as a trustworthy organization or person, tricking the user into giving information to this “trusted” entity. Phishing emails are the #1 threat vehicle that results in a cyber breach, costing organizations nearly $14.8 million annually. 

Common Social Engineering & Phishing Tactics

When it comes to phishing, attackers tend to use a variety of tactics and tricks. These methods have evolved in complexity and sophistication over the past few years, especially after the pandemic. 

Spear-phishing

Spear-phishing involves attackers targeting a particular person/audience, using sophisticated tactics that will be more likely to work on that group. For example, an attacker could target new employees by spoofing the senior leadership team and urgently asking for private information such as a W2 form or bank account information. Since so much information is readily available on websites, social media pages, press releases, etc., it’s easy for attackers to get the details they need to craft a believable email and request.

Whaling

A close relative to spear-phishing, “whaling,” focuses on performing these 1-to-1 attacks on C-level staff. They use more advanced methods to deceive higher-up employees. While more complicated, many attackers still focus on whaling because they can get much more out of the attack. 

Smishing/vishing

Smishing utilizes SMS (texts) rather than emails to access sensitive data. Vishing leverages voice phone conversations to perform the attack. Both use techniques like personalization and urgency to gain trust or cause panic, requesting the end-user to send the information over the phone or click on a malicious link in a text message.

Business email compromise

BEC targets businesses that perform wire transfer payments, often either as part of normal business functions, or with certain customers or vendors. According to the FBI, “the scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

Essentially, the scammer either spoofs or works to gain access to high-level accounts, then uses this legitimate email to trick employees into transferring money or changing account or wire details. 

Strategic Tricks

To execute these tactics, attackers use a few tricks to drive urgency and fear and/or build trust with their victims. A few of these tricks can include:

CEO impersonation 

By impersonating a CEO or other executive, attackers can both gain the trust of employees and create a sense of urgency (i.e., “why is the CEO emailing me? Am I in trouble? Do I need to take immediate action?”)

Playing off emotions 

Hackers often create this urgency by using reward/penalty (“Your account is suspended and will be deleted in 24 hours; click here to resolve”), fear, curiosity, greed, or current events. For example, Google blocked 18 million pandemic-related scam emails per day during the height of the pandemic to exploit people while they were most vulnerable.

Pretexting 

Attackers use pretexting to combine fact and fiction, creating a seemingly legitimate backstory as to why the victim should trust them. Often, these scammers will perform research beforehand, even going so far as to use real information that was shared publicly on websites or social media, or private information that may have been leaked in a past data breach.

Wide net phishing with common services

Some attackers utilize trusted platforms such as Zoom, Slack, or common services such as UPS and FedEx to perform large phishing schemes. They create a spoofed login page to a popular site, then trick users into logging in on the fake webpage with their actual credentials. 

No business is “immune” to phishing attacks

Just because an email, phone call, or message comes from a familiar source doesn’t mean that employees can trust it. This year, big names such as Microsoft, Facebook, Amazon, and Netflix experienced phishing incidents, which directly targeted their users.

A ZDNet article recapped the Microsoft attack, explaining, “Microsoft put out an alert after observing an active campaign targeting Office 365 organizations with convincing emails and several techniques to bypass phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that urges victims to type in their credentials.”

How to Prevent Social Engineering and Phishing Attacks

Organizations can take measures to prevent these types of attacks, turning potential threats into an opportunity to foster a better overall cybersecurity posture.

Training first!

Organizations must train employees to spot phishing attacks. Going against social engineering attempts can be counterintuitive, which is why employees need consistent, clear guidelines on avoiding them. A few ways to implement training include: 

Awareness Training — Provide new hires with a baseline of cybersecurity fundamentals through a classroom-style awareness video at the beginning of employment and reinforce annually for all employees.

Awareness Graphics — Share visual reminders digitally or in-office to frequently remind employees to remain vigilant against cyberattacks.

Technology Acceptable Use Policy — set clear expectations and provide detailed guidance regarding technology use at work with a straightforward policy.

Awareness Videos — Strengthen your cybersecurity culture with monthly, relevant, and engaging short training videos

We recommend answering the “what’s in it for me” question many employees may have. The bottom line is that good cybersecurity training means job security and better cyber protection for individual team members and their loved ones. Phishing techniques aren’t just used in the workplace but can also be found in personal inboxes and on mobile devices. 

Testing second!

After training, employees need to test their skills. For instance, the training should include education on verifying inbound requests (and confirmation from the sender). Give your employees a way to practice these techniques in a hands-on environment. 

Ongoing practice

 Phishing simulations allow your employees to practice spotting phishing emails without the risk of real attacks. Regularly send unannounced fake phishing emails that mimic real malicious emails to employees. If any of them take the bait, it is important to educate them immediately after clicking on the link. These practices allow organizations to see who clicks on what and drive top-of-mind awareness.

Implementing technology solutions 

Technology solutions can also safeguard your employees from phishing attacks. These include email security protocols such as Domain-based Message Authentication Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), Multi-Factor Authentication (MFA), along with email/spam filters. 

Technology alone cannot stop these attacks, so organizations must first train their employees and give them the tools they need to succeed. Implementing these tips takes an end-to-end cybersecurity approach, including employee training, phishing simulation options, and technology solutions. 

TL;DR

• Your organization already has the right team to take significant steps toward cybersecurity success— your employees.
• Phishing falls under the category of “social engineering” because it’s a form of psychological manipulation that uses an email, text, phone call, or malicious website to obtain information remotely.
• Cybercriminals use various tactics to carry out phishing attacks that range in sophistication, but usually play off urgency and emotion.
• Ongoing cybersecurity training, practice, and technology solutions are the best defense against phishing attacks.