The end goal of security awareness training is to turn users into proactive defenders for the business. Users must understand and embrace the critical, front-line role they play in helping to protect the organization. They need to know how attackers manipulate them to enable their campaigns and why they are being targeted. That makes social engineering—which plays a role in almost every human-focused attack—a foundational cybersecurity awareness topic.
About this series
Today’s cyber threats rely on human interaction, not just technical exploits. In fact, 82% of the data breaches analyzed in Verizon’s 2022 “Data Breach Investigations Report” involved the human element. As the report puts it, this reality “puts the person square in the center of the security estate.” Attackers use social engineering to trick people into clicking unsafe URLs, opening malicious attachments, entering their credentials, sending sensitive data, transferring funds and more.
This is the first of our six-part blog series covering topics you should all address in your security awareness training. Leading up to Cybersecurity Awareness Month in October, we’ll cover:
- Social engineering
- Business email compromise (BEC)
- Social media
- Insider risk
Even your savviest users can benefit from reviewing the basics of social engineering as part of their awareness education. So let’s start from the top with a definition.
What is social engineering?
Social engineering is a collection of techniques that malicious actors use to manipulate human psychology. It exploits human nature to trick or threaten users into taking actions such as:
- Giving up account credentials
- Handing over sensitive data
- Running malicious code
- Transferring funds
Why do attackers rely heavily on social engineering for so many campaigns? Because they know that people are the easiest way into an environment. (Plus, why do all the dirty work when you can get someone else to do it for you?)
How attackers use social engineering to exploit people
When covering social engineering as part of your cybersecurity awareness, be sure to also discuss how attackers exploit users with these techniques. For example, explain that threat actors will take advantage of users’:
- Emotions, by conveying a sense of urgency, generating excitement about an opportunity, or creating fear around losing money or doing something wrong
- Trust, by posing as someone the user trusts or abusing a trusted brand or authority (such as the IRS, UPS, Amazon and Microsoft)
- Fatigue, by timing attacks when users are likely to be tired or distracted and more inclined to let their “emotional mind” guide their decision-making
Types of social engineering attacks
Security awareness training on social engineering should review these common techniques:
- Phishing. This method refers to sending malicious emails to trick people into doing something on the attacker’s behalf. These emails usually try to get the recipient to click a malicious web link or open an email attachment. Research for the “2022 State of the Phish” report from Proofpoint shows just how prevalent and effective phishing is: In 2021, 86% of organizations faced bulk phishing attacks. In phishing simulations, 1 in 5 users opened an email attachment, and 1 in 10 clicked on a link.
- Social media reconnaissance. Attackers often use social media to gather information about users that they can leverage as part of another campaign. For example, they might gather information from LinkedIn about a company’s top executive so they can impersonate that executive in a phishing campaign. Posting as the executive, the attacker might target users in the financial department. Attackers’ reconnaissance efforts may also include direct outreach to a target.
- Vishing and smishing. With this social engineering technique, attackers send SMS text messages to users or use voice-changing software to robocall them. The messages often promise gifts or services in exchange for payment. These types of scams are called vishing (voice phishing) and smishing (SMS/text phishing). (Check out our blog to dig deeper on the differences between vishing and smishing.)
- Telephone-oriented attack. As we explain in our “2022 Human Factor” report, telephone-oriented attacks, also known as call-back phishing, have surged in recent months. These attacks often start with email and play out over multiple channels, but the linchpin of this approach is a person-to-person phone conversation. Naturally, these attacks require the victim’s active participation. A telephone-oriented attack starts with an email that claims to be from a legitimate source and includes a phone number for customer assistance. Callers are connected to fake customer service representatives, and these “representatives” then navigate the victim through the attack. They may instruct the victim to let them access their machine remotely or to download a file that turns out to be malware.
Tips for users on how to avoid social engineering attacks
Wrap up your social engineering training with some tips that your users can start putting into action right away. Recommend that they:
- Never blindly trust anyone who contacts them by email, phone or social media.
- Slow down and think twice before taking any action—such as carrying out a request to send money or buy gift cards—without confirming that the sender (and the request itself) is legitimate.
- Never share personal information, such as phone numbers or home addresses, in social media posts.
- Be cautious about clicking on links and opening attachments. And never give anyone your credentials.
Finally, remind users that common sense can go a long way toward preventing a social engineering attack. If it seems too good to be true, it’s very likely a scam. And if something doesn’t look or sound right, it probably isn’t.
Stay tuned for more end user security awareness topics
In the next installment of this blog series, we’ll explore phishing in more detail. We’ll suggest ways to educate your users on this critical cybersecurity awareness training topic.
Meanwhile, if you’re looking for more resources to inform your training program and help your users build better security habits, visit our Cybersecurity Awareness Hub.
Proofpoint Security Awareness Training can also help you build a security culture that drives behavior change.