Social Engineering Awareness Training for Employees
Social engineering training helps to defend against sophisticated phishing attacks. Educate and train your employees to prevent a socially engineered attack.
- Social engineering coaxes targets into divulging sensitive information so cybercriminals can gain access to systems, data or physical spaces.
- There are a variety of social engineering tactics that attackers use.
- Social engineering training gives people the tools they need to recognize threats, which grooms more discerning, responsible employees who are better equipped to protect both themselves and their organization.
An employee receives an email at work asking them to share network login details. Because it’s from a company executive, they do. The problem: They just fell victim to a social engineering attack, and now the organization's data — or finances — are at risk.
Social engineering is a category of cyberattack that aims to trick people into sharing sensitive information that gives an attacker access to a system, physical space or data. These attacks don’t stem from social media as some may think; social media does, however, make it easier for attackers to gather personal details to create convincing social engineering attacks.
For businesses, social engineering attacks can be devastating. They’re the driving force behind business email compromise (BEC) — the U.S.’s costliest phishing scam in recent years, accounting for more than $1.8 billion in losses during 2020.[i] With the proper employee cybersecurity awareness training, however, organizations can reduce the risk and likelihood of these attacks.
What Is Social Engineering?
Social engineering is a psychological manipulation technique that coaxes victims into divulging sensitive information in order to gain access to systems, data or physical spaces. Rather than an attacker searching for a software vulnerability to exploit, they take advantage of human psychology: A hacker might fabricate a pretense to gain the trust of an individual and ultimately convince them to share access credentials to systems or an office space, or wire funds, for example. Social engineering attacks tend to target individuals who have special access to these assets.
Importance of Social Engineering Training
Social engineering is a difficult cybersecurity threat to protect against because the tactics that attackers use prey on an individuals’ reasoning. When employees haven’t been trained to recognize social engineering attacks, the risk of falling victim rises. Because social engineering training plays such a critical role in minimizing threats, many organizations take cyber awareness training very seriously.
By 2022, for example, research firm Gartner projects that 60% of large organizations will have a full-time equivalent dedicated to security awareness.[ii] Social engineering training, which is often a part of security awareness programs, gives employees the tools they need to recognize these types of attacks, which helps groom more discerning, responsible employees who are better equipped to protect both themselves and their organization.
Top Social Engineering Attack Techniques
Attackers use a variety of tactics to gain access to systems, data and physical locations. The top social engineering attack techniques include:
- Baiting: Baiting attacks use promises of an item or good to trick users into disclosing their login details or downloading malware. Online, the bait might be an ad promising a free music download. In the physical world, it might be an infected flash drive left where an employee is likely to find it. The bait might contain malware or convince the victim to divulge a username and password.
- Scareware: This tactic manipulates victims with false alarms or fictitious threats. A pop-up might appear on the victim’s device that alerts them that their system is infected with malware. It prompts them to install software or visit a site that ultimately infects their device.
- Pretexting: Pretexting is a scam in which an attacker obtains information through a series of lies. The attacker typically impersonates someone in an authoritative role — an executive or law enforcement official, for example — in order to gather personal data or gain access to financial accounts.
- Phishing: Phishing scams target a victim via email, telephone or text message by posing as a real figure to convince victims to disclose sensitive data. This might include bank or credit card details, usernames and passwords.
- Spear phishing: Spear phishing is a targeted attack that aims to steal sensitive information via email from specific individuals or groups within an organization. In a spear phishing attack, hackers assume the identity of someone trusted — a coworker, customer, manager or friend, for example. The attacker’s goal is to convince individuals to divulge information or perform actions that cause data loss, financial loss, or that otherwise compromise the network.
- Tailgating: Tailgating is when an attacker seeking entry into a restricted area follows behind an individual to gain access to that area. The attacker, for example, might dress as a delivery driver and carry packages, then wait for an employee to open the door. This could enable the attacker to bypass security measures.
- Watering hole: In a watering hole attack, hackers aim to compromise a specific group of users by injecting malicious code into a website that members of the group are believed to visit. The goal is to infect the targeted users’ computers to gain access to the network at their workplace.
- Whaling: This type of phishing attack targets high-profile employees, such as the CEO or CFO, in an attempt to steal information or money from the company. The attacker might send the victim a highly customized and personalized email that appears to be from a trusted source, making the scam difficult to detect. The goal is often to manipulate the target into authorizing high-value money transfers to the attackers.
What are the Potential Repercussions of a Successful Social Engineering Attack?
Social engineering is an exceptionally effective form of cybercrime. In 2019, for example, phishing, a subset of social engineering crimes, was responsible for a quarter of all data breaches — more than any other type of attack.[iii]
The repercussions from these common attacks can be significant. Because most social engineering attacks are driven by financial gain, organizations stand to suffer considerable financial loss. In 2020, for example, U.S. losses topped $4.2 billion, according to the FBI.[iv]
Companies might also experience a major business disruption — loss of productivity, a decline in employee morale and downtime as the organization recovers. The process of recovering from a social engineering attack can carry a hefty price tag: Often, organizations must hire an incident response team, purchase security software to help prevent future attacks and retrain employees. Moreover, businesses that fall victim to a social engineering attacks could suffer damage to their reputation if customers no longer feel confident that the organization can protect itself.
9 Tips to Defend Against Social Engineering Attacks
As social engineering attacks become more sophisticated, they become more difficult to prevent. Nevertheless, there are important actions that cybersecurity awareness training can teach employees to take.
- Be suspicious of unsolicited messages and calls asking about other employees or business-related information.
- Never provide personal information or information about your company unless you are sure the person is authorized to have it.
- Don’t type sensitive information into a web page before checking the security of the website.
- If you are unsure whether an email request is real, contact the company directly — in a separate channel — to verify it.
There are also leading practices that IT and IT security organizations can take:
- Train employees to recognize the signs of social engineering.
- Implement network segmentation as well as multifactor authentication to ensure that only people who need access to a system have it.
- Deploy advanced email filters, which can detect scams and filter fake emails before they’re delivered to employees.
- Install and maintain antivirus software and firewalls.
- Keep all software up to date — this is more critical than most IT staff realize and, therefore, is often overlooked.
The Bottom Line: Social Engineering Training Can Help
Increasing knowledge through social engineering awareness training is one of the most effective ways to reduce the risk of a social engineering attack. Leading security awareness training solutions address social engineering and more in three- to five-minute modules to ensure that employees aren’t burdened by a big time commitment and remain productive. Mimecast Security Awareness Training uses humor to engage users — a proven tactic that the American Psychological Association says engages employees, helps them retain critical information about emerging security topics, and ultimately changes their behavior.[v] Not only does social engineering awareness training help employees understand the role they play in helping to combat social engineering attacks, it acquaints them with best practices and behavior.
[i] “Internet Crime Report 2020,” FBI
[ii] “Hire the Right Teachers for Better Security Awareness,” Gartner
[iii] “Verizon Money makes the cybercrime world go round,” Verizon
[iv] “Internet Crime Report 2020,” FBI
[v] “How laughing leads to learning,” The American Psychological Association
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!