Widely considered one of the most dangerous threats that both individuals and organizations face today, social engineering is exceedingly difficult to prevent with threat intelligence and technology alone. So far in this blog series on social engineering prevention, we have covered the fundamental concepts of what social engineering is and how personal digital habits can create organizational risks, explored the various techniques hackers use for profiling their attack targets, shared real-world social engineering examples, and examined the rise of AI-fueled spear phishing at scale. This blog post offers social engineering countermeasures, and provides guidance to minimize the risk of falling victim to these attacks. We will cover a range of topics, including assessing and minimizing your online data footprint, employee training programs, simulated attacks, and integrating phishing detection solutions. Explore the steps you can take to stay one step ahead of the attackers.
What Kind of Target Are You?
One of the first things to consider in developing countermeasure strategies against social engineering is to think about which type of attack target you might be. These attacks typically fall into one of the following three categories:
- Generalized broad-scale attacks targeting the general population by impersonating popular brands like PayPal, Amazon, etc., with the intent of compromising an individual for banking fraud.
- Semi-sophisticated attacks against the general population that may use the context of the corporate environment to gain access to either internal or external company systems.
- Highly personalized and sophisticated attacks against C-Level or high value targets in a corporate environment to gain access to systems and/or other people.
Are you a job seeker that might get baited with the promise of employment only to find yourself embroiled in a scam that drains your personal finances? Do you have a job role that puts you in a position where you might be considered an easier target for an attacker to just get their foot in the door, and then move on to pursue more valuable targets? Or would you be the high value target — someone with direct access to sensitive company information like network access, banking details, etc.?
Assess Your Online Data Footprint
The second countermeasure against social engineering attacks is to assess your online data footprint. Understanding what information is publicly available about you or your organization is crucial in protecting against these attacks, because attackers use this information to manipulate victims by eliciting split-second, emotional reactions that lead to compromise. Again, as mentioned in the previous post, most attackers are likely to uncover more than enough details on targets by just perusing Google and social media accounts. When it comes to social media, it’s important to emphasize that you need to consider ALL of the other individuals to whom you are connected, because attackers will go after high value/corporate targets indirectly by searching for details offered by family members (spouses, kids, parents, siblings, etc.) or other acquaintances who may or may not share a desire for digital privacy. In addition to social media and Google, you can also use HaveIBeenPwned to check if any of your personal or business email addresses have been involved in data breaches. Post #2 in our series, Hacker Techniques: Profiling Social Engineering Attack Targets, offers a more extensive list of tools that may be used to assess your data footprint.
How Much Should You Minimize Your Data Footprint?
Once you’ve assessed your online data footprint, you need to make a conscious decision about how much data you are knowingly and willingly exposing, and take steps appropriate to defend against attacks that could use this information against you. If you choose to keep or grow a large online footprint, and you are a high value target, then you need to take social engineering countermeasures to try and minimize the amount of sensitive information available online, with the end goal of making it more difficult for attackers to either manipulate or impersonate you. The extent to which you minimize your digital presence is an individual and personal decision that should take into account that individual’s level of risk. And while an organization may not be able to dictate what personal information can or cannot be publicly shared by an employee, it can evaluate a person’s risk to assess the appropriate level of added security layers and training that may be needed to protect the organization’s security posture. Those who fall into the category of high value or high risk targets would be likely to receive more comprehensive or intense training on how to avoid social engineering attacks versus those who have minimal digital footprints and overall low risk.
Tips for Minimizing Your Data Footprint
- Review your social media profiles and remove any sensitive information, such as your home address, email addresses, or phone numbers.
- Make sure your privacy settings are set to the highest level and consider limiting the amount of personal information you share on social media.
- Assume that any and every detail you share can be weaponized to use against you and exercise extreme caution when sharing details on websites, forums, and other online communities.
- Only provide the minimum amount of personal information necessary and never share sensitive information, such as passwords or financial information.
Training and Awareness for Social Engineering Prevention
Because organizations are not able to dictate cyber hygiene standards to employees when it comes to their own personal data footprints, or control what happens outside the scope of the organization’s network, they must rely on phishing training and awareness programs as a key countermeasure to social engineering attacks. Educating employees with routine training and updates is critical to reducing the organization’s risk because employees are both the first line of defense, as well as the easiest target to compromise.
There are a variety of awareness training programs on the market geared towards training employees on recognizing social engineering attempts, and providing guidance on how to respond — or not respond — and report as appropriate. Training courses can be delivered in a classroom setting, online, part of a simulated attack, or a combination of those elements. Keep in mind that to be effective, a social engineering prevention training program must be relevant, engaging, and include simulated attacks. This will help employees understand the real-world implications of social engineering attacks and better prepare them to recognize and respond to actual attacks in the future.
Simulated attacks are an especially valuable tool for assessing an organization’s risk level by testing preparedness and response to social engineering attacks. These attacks simulate real-world scenarios to deliver valuable feedback allowing you to gauge the effectiveness of your awareness training, evaluate the response of your employees, and assess the strengths and weaknesses of your current security measures. Simulated attacks are most effective when they are customized to meet the specific needs of an organization. This may include creating phishing emails that target specific employees or departments, or testing the response of employees to phone or in-person attacks.
Technology Solutions Including Phishing and Malicious Detection
While technology alone cannot prevent attacks, incorporating phishing and malicious detection solutions into your security stack is an essential social engineering countermeasure as this can significantly reduce the number of attacks that get through to employees via email, SMS, or web browsers. There’s no shortage of solutions on the market, however, organizations need to consider their risk factors when it comes to evaluating the options to guide the business justification and purchasing decisions.
zvelo Phishing Detection and Threat Intelligence Solutions
zvelo offers a number of different solutions that can improve your organization’s defense strategy. The best phishing detection solution will vary from one organization to the next and depend on the nature of the business, the industry, the type of data involved, cyber risk levels and more. Below are a few options that organizations should consider implementing to counter social engineering and phishing attacks.
- zvelo Risk Assessment and Phishing Protection is a service that combines several crucial services including cyber risk assessments/scoring for high value targets or VIP individuals, highly customized phishing simulations, and phishing detection and protection for email, text/SMS and web browsing.
- PhishScan is a fast, easy-to-implement cloud API query service to get an immediate yes/no response as to whether a URL/IP is phishing. Ideal for email/SMS/surfing applications that require real-time phishing verification lookups.
- zveloDB is the market’s premium URL classification database and web content categorization service, powering the world’s leading Web Filtering and DNS Filtering, Endpoint Security, Endpoint Detection and Response (EDR), and other security applications.
- PhishBlocklist supplies curated phishing cyber threat intelligence for comprehensive protection against active phishing threats in the wild. Provides detections and rich metadata attributes like date detected, targeted brand, and other crucial data points.
Cyber Hygiene Best Practices
In addition to any type of training or technology solution, creating good cyber hygiene habits can be a very effective social engineering countermeasure. zvelo’s Cybersecurity Team recommends the following high impact, cyber hygiene practices to make your organization a hardened target:
- Organizations need to implement multi-factor authentication (MFA) to make it more difficult for an attacker to use credentials obtained through social engineering.
- Enforce password management policies that require complex and hard-to-guess passwords. Additionally, users who hold both an admin and a regular account must be required to set a unique password for each.
- Make sure all of your software and operating systems are up-to-date. This will help to ensure that any vulnerabilities are patched and your device is secure.
- Ensure ports, protocols, and services that have no business use are turned off. Those that do need to be updated from legacy services (e.g. Turn off SMB v2).
- Establish least privilege access and ensure proper separation of permissions by conducting an audit on groups in your organization. Limit permissions to only those who need them and have a specific purpose. (e.g. Someone on the Engineering team doesn’t need access to the HR files.)
- Divide Responsibilities: Implement a separation of duties for critical processes, such as wire transfers, between multiple parties so that even if one employee is tricked, the action cannot be completed without engaging the other party or parties.
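As an added illustration of the separation-of-duties practice above (this is example code written for this post, not zvelo's own tooling), the following Python module enforces a two-party rule for a critical action such as a wire transfer: a request must be approved by someone other than the requester, and large amounts require two distinct approvers. The requester and approver groups, the amount tiers, and every name below are constructed for the example.

```python
"""Two-party approval for a critical action (constructed example).

The point of the control: if one employee is socially engineered into
submitting or approving a transfer, the action still cannot complete without
an independent second party. Group membership and thresholds are illustrative.
"""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when an action would violate the separation-of-duties rule."""


# Constructed directory. A person may sit in both groups, but the checks
# below guarantee they can never approve a request they submitted themselves.
REQUESTERS = {"alice", "bob"}
APPROVERS = {"bob", "carol", "dave"}

# Constructed tiers: transfers at or above this amount need two approvers.
TWO_APPROVER_THRESHOLD = 50_000.0


@dataclass
class TransferRequest:
    request_id: str
    requested_by: str
    amount: float
    beneficiary: str
    approvals: set = field(default_factory=set)  # approver usernames


def required_approvals(amount: float) -> int:
    """Number of distinct, independent approvals a transfer of this size needs."""
    return 2 if amount >= TWO_APPROVER_THRESHOLD else 1


def submit(request_id: str, requested_by: str, amount: float,
           beneficiary: str) -> TransferRequest:
    """Create a request; only members of the requester group may initiate."""
    if requested_by not in REQUESTERS:
        raise SeparationOfDutiesError(f"{requested_by} may not request transfers")
    if amount <= 0:
        raise ValueError("amount must be positive")
    return TransferRequest(request_id, requested_by, amount, beneficiary)


def approve(req: TransferRequest, approver: str) -> TransferRequest:
    """Record an approval, rejecting self-approval and non-approvers."""
    if approver not in APPROVERS:
        raise SeparationOfDutiesError(f"{approver} is not an authorized approver")
    if approver == req.requested_by:
        # The core rule: the person who asked for the action cannot also be
        # the person who authorizes it, even if they are in the approver group.
        raise SeparationOfDutiesError("requester cannot approve their own request")
    req.approvals.add(approver)
    return req


def can_execute(req: TransferRequest) -> bool:
    """True once enough approvals from people other than the requester exist."""
    independent = req.approvals - {req.requested_by}
    return len(independent) >= required_approvals(req.amount)


def execute(req: TransferRequest) -> dict:
    """Perform the action only when the two-party rule is satisfied."""
    if not can_execute(req):
        raise SeparationOfDutiesError(
            f"{req.request_id} needs {required_approvals(req.amount)} independent "
            f"approval(s), has {len(req.approvals - {req.requested_by})}")
    # In a real system this is where the transfer would be released.
    return {"request_id": req.request_id, "amount": req.amount,
            "beneficiary": req.beneficiary,
            "approved_by": sorted(req.approvals), "status": "executed"}


if __name__ == "__main__":
    r = submit("wt-1001", "alice", 75_000.0, "Example Supplier Ltd")
    approve(r, "carol")
    print("after one approval, can execute:", can_execute(r))   # False
    approve(r, "dave")
    print("after two approvals, can execute:", can_execute(r))  # True
    print(execute(r))
```

The check that matters most is in `approve`: membership in the approver group is necessary but not sufficient, because the requester is excluded from approving their own request regardless of role. Keeping the approval record as a set of distinct usernames also prevents a single tricked approver from satisfying a two-approver tier by approving twice.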
Next Up:
Worst Case Scenario: What To Do If You Are A Victim Of Social Engineering