How to prepare for the future of social engineering
Social engineering is evolving rapidly as attackers leverage a broader range of channels and methods. Here’s what businesses need to do to stop them.
Even the best cybersecurity defenses all share a common weakness – the human element. Technology often gets the blame, but the truth is that social engineering is behind a staggering 98% of attacks. After all, it’s much easier to exploit human behavior, whether that means a lack of enthusiasm towards work, ignorance, or unpreparedness, than it is to break through modern encryption.
Social engineering is hardly a new concept. In fact, the earliest widely reported use of social engineering happened in 1184 BC, when the Greeks used the Trojan Horse to get behind the gates of the city of Troy. Thousands of years later, the same principle applies: attackers use deceit to get victims to take a desired action. Today, that action is usually the surrender of valuable information, such as login or financial details.
Before the rise of technology, social engineering attacks relied on physical letters or word of mouth. Then, as early as the 1960s, scammers started using phones. However, while the broad premise has always been the same, the mediums used to conduct such attacks have changed immensely.
Phishing, now the most common form of social engineering, quickly took the world by storm with the rise of email, but now we have an ever-growing range of instant messaging apps and other online platforms to think about. If a tool provides a means to communicate, then it’s also another potential attack vector for criminals to exploit.
Social engineering is advancing rapidly
What has changed in recent years is that social engineering scams have become much more sophisticated. They’ve moved far beyond the spam emails characterized by appalling spelling and absurd claims to highly targeted and convincing attacks carried out over many different channels. For example, a scam might start with a phishing email before moving the victim over to a channel that’s less likely to be monitored by their employer, such as a personal WhatsApp account. With more people working from home and more devices and networks connecting to the back office than ever before, it has become notoriously difficult to keep track of potential vulnerabilities.
The rise of social engineering doesn’t stop there. Over the next few years, we’ll undoubtedly witness the increasing use of artificial intelligence and deepfakes in social engineering scams. Deepfakes are images, videos, and audio created by AI that can be highly convincing imitations of real people. Moreover, anyone can create a deepfake using readily available software. Now, imagine someone who looks and sounds like your employer calling you on WhatsApp and asking you to wire them money. Perhaps that sounds far-fetched, but as one employee at a UK energy firm found out back in 2019, the threat is all too real. In that case, it ended up costing the company €220,000 in a fraudulent transfer.
How can businesses stop social engineering?
Because social engineering is a human problem rather than a technical one, preventing it must start with people. Continuous awareness training is vital in any business since it helps keep your team up to speed with the latest threats. For maximum effectiveness, training should also use simulated social engineering scams across a range of common channels, such as email, instant messaging, and social media. In particular, training programs should pay attention to the more advanced and targeted types of scams that spam filters are less likely to identify.
While security awareness training is the single most important part of any social engineering mitigation strategy, the scale of the problem also suggests you need to have the right tech and processes in place so that the more people-orientated countermeasures don’t end up being hugely disruptive. These additional measures include having clear policies around what employees should and should not do at work, which apps they should be allowed to use, and the minimum security standards that must be enforced.
For example, it must be compulsory for employees to use approved channels only for business communications. The penalties for circumventing them should be clear too. Most importantly, however, employees need to understand the why of it all. If, for example, you disallow the use of a personal WhatsApp account for work, it’s important that employees know why. After all, trust and transparency are central to any people-orientated security strategy. No one wants to feel they’re being subjected to unnecessarily oppressive security controls.
Augmenting teams with the right tech
Although education is undeniably an essential driver of any security-aware culture, even the most security-conscious employee isn’t infallible, especially as social engineering attacks get ever more convincing. That’s why businesses must also leverage technology to augment the capabilities of their security and compliance teams.
Since instant messaging and other popular business communication channels have become the main focus areas of social engineering scammers, it’s especially important to pay attention to these apps. While most attacks may still start with a phishing email, attackers realize that business email accounts are closely monitored. Because of this, they often try to get their would-be victims onto another channel, such as WhatsApp, which is less likely to be monitored by the security team. To mitigate such threats, you must monitor all communication channels used for work, enabling proper compliance and security.
A robust cybersecurity strategy is two things – proactive and transparent. When we talk about proactive security, we’re talking about innovations like heuristic scanning, AI-powered context analysis, and advanced threat detection. These must be applied across your environment to detect and flag potentially suspicious behavior, rather than just known threats like documented malware or phishing messages.
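As an added illustration of the behavior-based flagging described above (example code written for this article, not Worldr’s product or any vendor’s detection engine), the following heuristic scores monitored messages on the off-channel pivot pattern from the previous section: a request to move the conversation to an unmonitored app, a personal phone number, urgency, and a money request. The sample messages are constructed; the keyword lists and the threshold of two signals are assumptions that a real deployment would tune.

```python
import re

# Constructed sample messages (hypothetical, not from any real incident).
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "ceo@example.com",
     "text": "Quick one, can you message me on WhatsApp? My number is "
             "+44 7700 900123. Need an urgent wire sent today."},
    {"id": 2, "sender": "hr@example.com",
     "text": "Reminder: the all-hands is at 3pm in the main room."},
    {"id": 3, "sender": "vendor@example.net",
     "text": "Please email the signed PO back when you get a chance."},
    {"id": 4, "sender": "social@example.com",
     "text": "The team WhatsApp group for Friday drinks is now set up."},
]

# Each signal is a behaviour, not a known-bad indicator such as a URL hash.
SIGNALS = {
    "off-channel pivot": re.compile(
        r"\b(whatsapp|telegram|signal|text me|personal (?:number|phone|email))\b",
        re.I),
    "phone number":      re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "urgency":           re.compile(
        r"\b(urgent|asap|today|right away|immediately)\b", re.I),
    "money request":     re.compile(
        r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I),
}


def score_message(text):
    """Return (score, reasons): one point per behavioural signal present."""
    reasons = [name for name, rx in SIGNALS.items() if rx.search(text)]
    return len(reasons), reasons


def flag_messages(messages, threshold=2):
    """Flag messages whose combined signals reach the threshold.

    A single signal (e.g. a harmless mention of a WhatsApp group) is not
    enough; the pivot becomes suspicious only in combination with urgency,
    a phone number or a money request.
    """
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg["text"])
        if score >= threshold:
            flagged.append((msg["id"], msg["sender"], reasons))
    return flagged


if __name__ == "__main__":
    for msg_id, sender, reasons in flag_messages(SAMPLE_MESSAGES):
        print(f"message {msg_id} from {sender}: {', '.join(reasons)}")
```

Only message 1 crosses the threshold; message 4 mentions WhatsApp but carries no other signal, which is the difference between a blunt keyword filter and the context-aware flagging the section calls for.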
To ensure transparency, it’s imperative that business leaders know what’s going on and where. It’s about preventing off-channel communications and mitigating the security and compliance risks that accompany their use. It’s also about employees having a thorough understanding of the security policies in place and their roles and responsibilities in upholding them.
Ultimately, preparing for the future of social engineering comes down to building a business-wide culture of accountability and an environment where everyone is aware of the evolving risks. The role of technology is to augment those capabilities.
Worldr enables you to continue using the communication platforms you love without adding risk to your business. Book a demo today to see how it works.