What is social engineering?
There are various kinds of hacking, but one that's especially hard to control and based on human behavior is social engineering. It's a type of hacking that has almost nothing to do with technical security but everything to do with convincing people to divulge sensitive information or otherwise comply with an attacker's requests. This situation might involve downloading a link with malware, sending a confidential document, giving out one's social security number, or initiating a payment. A social engineering hack can target both personal information and business data.
These data breaches are a significant concern for every business, and social engineering is the most common type of breach — it made up about 35% of them in 2021, according to Verizon's Data Breach Investigations Report. Unfortunately, while employees are often your most valuable asset, they can pose significant risks if you don't take precautions.
Keep reading to learn more about social engineering and how you can protect your business from it.
Generally, social engineering involves tricking the victim into taking an action they usually wouldn't because the hacker is preying on their emotions. It can include run-of-the-mill money-making schemes, corporate espionage, extortion, and many other techniques, all of them targeting the human element. A social engineering attack focuses on how people think and act, with the attacker looking to exploit common reactions and emotions like fear, embarrassment, and urgency. These heightened feelings tend to make people act less rationally.
Common goals include stealing money, obtaining corporate data, destroying data, and stealing or selling personal information. There are many types of social engineering attacks and many ways of enacting them. As a result, it's essential to know how a social engineering attack usually takes form.

What does a social engineering attack look like?
These attacks can appear different, but they often follow a similar pattern of steps. First, the attacker collects information on the business or person they plan to target. This information might include the organization's structure, company-wide lingo, or the chain of command, so they know how to impersonate and infiltrate a company. Additionally, they might look businesses and people up on social media or networking sites to understand them better.
Then, the attacker positions themselves as a trusted entity, such as a financial institution or a coworker. This impersonation often occurs through convincing emails or hacks into the coworker's email or social media accounts. Next, they can request whatever they're trying to receive from the victim. For example, they could ask them to "confirm" their address or social security number or click a link that downloads malware or asks them to log in to a fake website.
Often, social engineering hackers target low-level employees who still have access to the information they need, like confidential data or a controlled system. These hackers rely on employees not realizing that the data will be used for nefarious ends. No matter the target, attackers will usually try to appeal to emotions like fear and urgency. If they can convince someone that a threat requires immediate action, the victim is less likely to stop and scrutinize the communication, so they miss the red flags.
Below are some common types of social engineering techniques:
Emails from a friend
If a hacker gets into one person's email account, they have easy access to all of that person's contacts, and sometimes to other accounts as well if the victim reuses the same password across services. If your friend's email is hacked, you might get a message from them and trust it without thinking. That odd link or attachment they sent you could be riddled with malware, but you're less likely to stop and check when it comes from the email account of a trusted friend or coworker.
Emails from another trusted source
Messages that look like they come from other reputable organizations, like a bank or the government, can be tough to differentiate from scams. These are phishing attacks, and they can be incredibly sophisticated. Scammers might pose as representatives from the organization and ask you to:
- Confirm or update your information, thus giving the scammer the info instead
- Install or update antivirus software and download malware instead
- Donate to a cause but send the money straight into their bank account
- Collect your winnings after "proving" your identity
- Send over confidential data to a "business partner" or "coworker"
Most phishing attempts cast a broad net and target as many people as possible. The sender might impersonate a widely used company, like a big bank or a store, and copy the general outline of legitimate emails, so the messages often look real. Still, some will have apparent typos or inconsistencies that give them away.
Other types of phishing attacks include spear phishing, which is tailored to a specific person, and whaling, which targets high-profile individuals such as a CEO. These types of phishing require a little more preparation but often have bigger payouts for the scammers.
Baiting scenarios
Sometimes, hackers use their victim's desires to exploit them. Someone might get an email advertising free access to the latest big movie release or a deal on a laptop that's too good to be true. Other examples include winning a lottery you never entered or being asked on a date by a photoshopped supermodel. They usually try to make these offers look legitimate with planted 5-star reviews or false organizations, similar to phishing. When someone takes the bait, they could be downloading malware, submitting private information, or making a purchase they never end up receiving.
If baiting involves illegal or frowned-upon activities, the hackers could be banking on the fact that the target won't want to come forward and report the incident. Say an employee gets an email to their work account from an employment forum. Because they're looking for a new job, they click the link and it turns out to be a phishing attempt. This employee may not want to report the incident to IT or the police because it'd mean telling their employer they were job-hunting. The same applies to offers for illegal services.
Another interesting baiting strategy that some hackers use is dropping a USB drive in a common area of a business. Someone picks it up and plugs it in to see what's on it, and suddenly they've installed malware on their computer. For businesses without clear handling policies for external devices or suitable security measures in place, this method can send confidential business data right to the hacker.
Response to a question you never had
If someone responds to a request for help you never made, it could be a scam. A common trick hackers will try is to offer assistance with fixing your operating system or a flaw in your antivirus software. These situations can involve more in-depth hacks in which they request remote access to your computer or ask you to enter commands that grant them access to your files. These hacks could also be as simple as getting your login information from a fake site.
Another common tactic that falls into this category is scareware. Alerts that sound the alarm and tell you your computer is infected are often trying to install malware of their own. The hackers tell you that you need their help or must download an update to remove the virus, but what you're actually downloading is the malware itself. In some cases, hackers attempt to pull off this scam in real life by posing as a support technician who's there to fix something.
Creating distrust
Scammers may try to create fake drama or suspicion to pique their victim's interest or get them angry or concerned. An example might be an email that tells someone to check out what's "really" going on with their significant other. Curiosity makes them click the link and take the bait.
More advanced hacks can even rely on doctored photos and videos to extort their targets. Consider an employee who's falsely edited into an incriminating photo or video. Attackers could blackmail the employee to do what they want or trick them into something as simple as clicking a link thanks to the new sense of urgency.
Tips to avoid social engineering attacks
Avoiding social engineering attacks is all about staying alert and knowing how to identify them. Individuals must learn to look for the classic signs of social engineering attacks, and businesses need to implement strong technical failsafes if they want to protect their assets.
Some social engineering red flags to watch for include:
- Odd email addresses that don't match up to the sender
- Links that, when hovered over, don't display the same link as the text
- Unexpected attachments and links from friends and coworkers
- Emails from official sources that have typos, strange formatting, or graphical errors
- Organizations that should already have your data asking for personal information
- A sense of urgency or pressure to act
- Phone numbers, emails, and addresses that are inconsistent with information on the company's official website
How to protect yourself
A company has a lot at stake when it comes to social engineering attacks. These scams could bring operations to a screeching halt, dig into finances, or create reputational damage that requires a long recovery. That's why it's essential to address social engineering from a few different angles.
To protect yourself or your business from social engineering, consider the following steps:
1. Do your research
If you see or receive something suspicious, take it slow and do your research. Be sure to stop and check the sender's email address, search for the organization's official webpage — not the one listed in the email — to get its information, and hover over any links to make sure the source is legitimate. Don't give in to a false sense of pressure encouraged by the email. If you get a random link or attachment from a friend or coworker, send them a text or stop by their office to confirm.
2. Secure devices
Always ensure you have comprehensive protection on both personal and business devices. These include tools and software like:
- Antivirus
- Firewalls
- Email filters
- Anti-phishing tools
- Email and web gateways
These features can help protect your data in case you or a coworker falls for a social engineering attack. Even if you or an employee download malware, the proper antivirus can keep it from infecting the device.
Furthermore, access controls are another key part of device security. Restrict data access to just those who need it to minimize a hacker's success should they get into someone's account. Having two-factor authentication (2FA) can help confirm a worker's identity more thoroughly before they're able to access company information. 2FA asks the user to provide two types of information during login, so it's harder for hackers to get into an account.
3. Set spam filters to high
Because so many social engineering attacks occur through email, make sure your email client is set to provide as much spam protection as possible. Most have options that allow you to increase the thresholds that determine which emails get sent to spam folders.
Today's spam filters have progressed in functionality, intelligently looking for markers of spam messages and quietly diverting them off to a junk inbox. Some of the things they look for include deceptive URL spellings, security signatures, attached executable files, and the sender's presence on a blacklist.
If you can quickly identify a scam message, remember to mark it as "spam" in your email to ensure you don't receive any more messages from that sender.
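The red flags listed above (mismatched sender details, link text that doesn't match its real target, a sense of urgency) and the markers a spam filter looks for (deceptive URL spellings, executable attachments, a blocklisted sender, a threshold for diverting mail to junk) can be checked mechanically. The following is an added example, not code from the original post or from Box, run on a constructed sample message; the blocklist, urgency words and threshold are assumptions for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real capture): the display name claims a bank, the real
# address and the hidden link target use a look-alike domain, and the wording pushes urgency.
SAMPLE = b"""\
From: "Example Bank Support" <alerts@examp1e-bank.top>
Reply-To: collect@mail-drop.example
To: employee@corp.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your account will be locked. Act immediately.</p>
<p><a href="http://examp1e-bank.top/login">https://www.example-bank.com/login</a></p>
"""

SENDER_BLOCKLIST = {"examp1e-bank.top"}  # assumed; a real filter uses a maintained list
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be locked")
RISKY_EXTENSIONS = (".exe", ".scr", ".vbs", ".js", ".bat")
# Good enough for the simple markup in this example; real mail needs a proper HTML parser.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def red_flags(raw):
    """Return the red flags found in one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags, sender = [], msg["From"].addresses[0]
    if sender.domain.lower() in SENDER_BLOCKLIST:
        flags.append("sender-on-blocklist")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        flags.append("reply-to-domain-differs-from-sender")
    text, body = str(msg["Subject"] or ""), msg.get_body(("html", "plain"))
    if body is not None:
        text += " " + body.get_content()
        # The visible link text is itself a URL, but its host differs from the real target.
        if any("://" in shown and host_of(shown.strip()) != host_of(href)
               for href, shown in ANCHOR.findall(body.get_content())):
            flags.append("link-text-host-differs-from-target")
    if any(word in text.lower() for word in URGENCY_WORDS):
        flags.append("urgency-language")
    if any((p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
           for p in msg.iter_attachments()):
        flags.append("executable-attachment")
    return flags


def should_quarantine(raw, threshold=2):
    """Threshold rule: enough independent flags and the message goes to the junk folder."""
    return len(red_flags(raw)) >= threshold
```

Raising or lowering `threshold` is the knob the article describes: a stricter setting diverts more mail to junk at the cost of more false positives.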
4. Perform regular penetration testing
It may help to use penetration testing to hack your own system and identify weak spots. Ideally, you can find them and fix them before the attackers do. These tests are key to understanding how effective your procedures are, and those procedures should incorporate several social engineering safeguards. As an example, you may want to send a fake phishing email and see who falls for it, or do a social media search to see what information you can uncover about employees that could be used against them.
Remember the importance of physical security, too. Try testing security guards on their ability to catch fake delivery drivers or repair personnel. Ensure they look out for tailgating, which occurs when a person enters the building closely behind an employee without proving their identity. Ensure employees know how to securely handle their work devices, such as signing out when they leave their desks.
Overall, penetration testing provides a valuable measure of how well your employees understand social engineering attacks. With these metrics, you can track readiness and better understand where to focus employee training needs.
5. Train employees on social engineering attacks
On a similar note, conduct regular employee training on social engineering threats. These threats can change rapidly, so keep training up-to-date. Provide examples of phishing attempts with clear instructions for how to address them.
If you don't already have one, set up a phishing response program with your company's IT team. This plan usually entails a dedicated email to which employees can forward spam emails. Then, the IT team can investigate the email and work to prevent it from doing any more damage to the company.
6. Update software regularly
Updates are critical for the success and stability of your software, especially for programs like antivirus and gateways. Many hackers exploit problems that patches already exist for but you haven't downloaded yet — in fact, that's how Equifax got hacked back in 2017. Ensure that employees or IT technicians update devices regularly and install patches as soon as possible. Ideally, updates should occur automatically or by the IT staff on a set schedule.
7. Keep track of who has access
Always stay aware of who has access to what information, especially if you work with a lot of sensitive data. In many instances, employees can access more information than they really need. This access leads to more damaging breaches if someone accesses their account or requests copies of confidential information. Set up access controls where appropriate — document-level access controls can keep only necessary users involved and provide greater accountability should a breach occur.
8. Use separate networks for the business and guests and a VPN
Never allow guests onto your company's WiFi network. If necessary, set up a guest network to keep them separate and prevent network hacks from affecting the entire business.
A virtual private network (VPN) can also be a good idea, especially if you have a lot of remote workers on staff. VPNs offer end-to-end encryption for the internet connection of a device, increasing security and providing safer remote access.
9. Back up your data
Backups might not prevent a breach, but they can prevent you from being extorted or losing as much progress in the event of a hack. One form of malware can corrupt data and blackmail a company into paying a ransom to get it back. If you've recently saved your files to the cloud or through a different data storage method, you're all set and don't need to worry about giving in to those demands. Besides, it's simply good business practice.
How Box can protect your sensitive data
At Box, we know how tricky it can be to stay on top of social engineering attacks. While you can't control everything your employees do, you can minimize the effects of social engineering or avoid it altogether with the right tools. The Content Cloud from Box is a robust content management platform with an array of features designed for data security and information handling. With Box, you get full visibility, built-in control, and simplified compliance.
Some of the security features of Box include:
- AES 256-bit encryption
- Granular permissions capabilities
- 2FA user authentication
- Complete audit trails
- Multi-layered watermarking
- Seamless integrations with top-tier security and information governance programs
Box Shield allows you to drill down on security even further with the following features:
1. Automated or manual classification options
Classify your content in the way that works best for you. Natively identify personally identifiable information (PII), intellectual property, and custom terms in your files. Then, classify them according to custom policies.
2. File controls for data security
Quickly configure access policies and control content in real-time for added security and granular permissions that fit the needs of each file.
3. Machine learning
Let Box intelligently detect threats — machine learning allows Box Shield to deliver timely alerts for insider threats, malware attacks, and compromised accounts.
4. Integration with industry-leading security tools
Box's native controls can be a valuable addition to your security portfolio, with integrations for many commonly used security tools from partners like Microsoft, IBM, McAfee, Splunk, and Sumo Logic.
Learn more about what Box has to offer
From signed contracts to presentations and photos, your content is what keeps your business moving. Box is the go-to source for keeping it secure and accessible. With more than 1,500 integrations and numerous features, Box's cloud-based service lets users access their files anytime, anywhere while maintaining enterprise-level security. Whether you need to meet complex industry regulations for a multi-million dollar company or keep a few hundred gigabytes of data safe, Box is here to help.
Of course, security isn't the only thing you get with Box. We also help users make the most of their content through a user-friendly interface, tools for collaboration, workflow automation, and total administrative control. To learn more about bringing your data to the Content Cloud and taking advantage of its security features, reach out to a Box representative today.
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.