It is estimated that companies worldwide suffer billions in damages each year from social engineering attacks. As companies have significantly strengthened their technical defenses against cyberattacks in recent years, attackers are seeking new ways to gain unauthorized access to networks and data. This is not a new phenomenon so much as a return to the traditional methods attackers have always used.
Attackers are once again focusing on the human factor. Using a variety of manipulation techniques, they try to persuade employees to hand over confidential data or to grant them (physical) access to sensitive areas. They deliberately exploit people's psychological weaknesses and ingrained social behavior.
It would be in any company’s best interest to assess its current level of protection against social engineering and take appropriate measures as needed before it is too late.
The Role of Social Engineering – Understanding the Threat Landscape
To understand the importance of social engineering prevention, it is important to first identify who the potential attackers are:
- State intelligence services
- Parastate groups
- Political interest groups
- Criminal organizations
Looking at the list of potential attackers, it is clear that social engineering is a security risk that should not be ignored. This leads to two conclusions for the risk analysis:
- The attackers have considerable time and resources available to achieve their goals.
- The attackers only use these resources because there is a significant payoff if they are successful.
A substantial gain for the attacker is tantamount to a significant loss for the affected company.
Impacts of Social Engineering – The Corporate Perspective
These attackers have different objectives, but they have one thing in common: they are employing social engineering techniques to gain access to sensitive data or to infiltrate a company’s premises or IT network.
State Intelligence Services and Parastate Groups
State intelligence services and parastate groups are known to engage in activities that could be classified as sabotage and espionage. Sabotage actions are typically designed to disrupt production or supply chains. A fire in the production hall, a misconfiguration of machines, or contamination of raw materials are just a few of the numerous possibilities for causing severe damage. Espionage attacks are primarily aimed at obtaining valuable trade secrets and specialized technologies, both of which are intangible core assets of a company. The defense industry, IT companies, and semiconductor manufacturers, as well as their suppliers, are particularly vulnerable. However, numerous other businesses in systemically relevant sectors (banking, energy, transport, food, etc.) are also susceptible.
Political Interest Groups
Political interest groups are currently carrying out rather trivial attacks. However, this does not mean that the scale of the damage is small. For example, blocking the runway of a busy airport for climate protests has a major impact on international air traffic and can quickly cause damages amounting to millions.
Criminal Organizations
Criminal organizations have become a major problem for private companies as well. Two approaches are at the forefront:
- Fraudulently obtaining login credentials for bank accounts, or deceptively initiating bank transfers.
- Extorting money after compromising company data. Business-critical data and accounts are encrypted to halt the company's business activities, which can quickly lead to damages in the millions.
The extraction of trade secrets such as construction plans, price lists, strategic intentions, reputation-damaging internal information, etc., is equally problematic. The extortionists then threaten company management with the sale or publication of this sensitive data and sometimes demand exorbitant ransoms. In the case of data exfiltration in particular, paying the ransom does not protect a company from damage, since there is no guarantee that the perpetrators will not sell or publish the information afterward anyway. In other words: once the damage is done, it's done. The risks associated with social engineering are often insurable only at high cost or with significant exclusions, and providing the specific legal proof of social engineering damages that insurers require is difficult in many cases.
Electronic devices facilitate our work and have become an indispensable part of everyday life. The so-called Internet of Things (IoT) offers many advantages, but digital interconnectivity also creates a dependency on technology. As a result, IT security is now crucial for almost every company and institution. The recent case of a Swiss farmer shows that it is no longer only large companies that need to be concerned about cybersecurity and social engineering: after a ransomware compromise, he could no longer access the data from his milking robot on his computer, data that is essential for running a dairy farm.
How to Recognize a Social Engineering Attack
The most honest answer is probably: often not at all, or at least not in time. Phishing is still the easiest type of attack to recognize; unusual senders and malicious links can usually be identified clearly. When social engineering takes place physically on-site, verification is usually difficult. Attackers always prepare exit strategies so they can talk their way out if discovered. If a social engineer is encountered in an office wing, for example, they might claim to have gotten lost. They may carry various forged order documents as an alibi: one from the affected company to gain entry, and one from a neighboring company as an exit strategy. They may also carry fake business cards with the contact details of the supposedly commissioning company, for which a website actually exists and whose telephone line is answered by an accomplice.
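The paragraph above says that phishing is the easiest attack to recognize because unusual senders and malicious links stand out. The following script, added here as an illustration and not part of the original article or any product it mentions, shows what "stands out" means in concrete header and link checks: a display name that name-drops the company's domain while the real sender domain differs, a Reply-To that routes answers elsewhere, and links whose visible text names one host while the href points to another. The trusted domain and both sample e-mails are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation really sends mail from (constructed assumption).
TRUSTED_DOMAINS = {"example-corp.com"}

# Visible link text that looks like a URL or host name, e.g. "https://x.com/login".
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    """Host name of a URL; bare 'host/path' text is treated as http://host/path."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def analyse_email(raw: str) -> list[tuple[str, str]]:
    """Return (finding code, detail) pairs for the phishing indicators found in a raw message."""
    msg = message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name spoofing: the name mentions a trusted domain, the address does not use it.
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in display_name.lower() and from_domain != trusted:
            findings.append(("display-name-spoof",
                             f"display name mentions {trusted} but sender domain is {from_domain}"))

    # 2. Reply-To pointing at a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch",
                         f"Reply-To domain {reply_domain} differs from sender domain {from_domain}"))

    # 3. Link text that shows one host while the href leads to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            if URL_LIKE.match(text) and _host(href) != _host(text):
                findings.append(("link-mismatch",
                                 f"link text shows {_host(text)} but points to {_host(href)}"))
    return findings


# Constructed sample: a credential-harvesting lure with all three indicators.
SAMPLE_EMAIL = """\
From: "IT Support example-corp.com" <helpdesk@example-corp-login.test>
Reply-To: helpdesk@mailer-xyz.test
To: employee@example-corp.com
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://example-corp-login.test/verify">https://example-corp.com/login</a>
to keep your access.</p></body></html>
"""

# Constructed sample: an ordinary internal mail that should produce no findings.
CLEAN_EMAIL = """\
From: "HR Team" <hr@example-corp.com>
To: employee@example-corp.com
Subject: Lunch menu
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://example-corp.com/menu">https://example-corp.com/menu</a>.</p></body></html>
"""

if __name__ == "__main__":
    for code, detail in analyse_email(SAMPLE_EMAIL):
        print(f"[{code}] {detail}")
```

These three checks are cheap, explainable to employees and easy to wire into a mail gateway or a help-desk triage script, but they are heuristics: a mail that passes them is not thereby safe, and a legitimate newsletter with a third-party Reply-To will trigger the second check, so findings should be scored and reviewed rather than blocked outright.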
Tracing successful social engineering attacks after the fact is extremely challenging. An attack usually becomes apparent only when extortion letters are received. In cases of sabotage, extensive investigations are necessary to even establish that a deliberate attack has occurred. Professional groups are masterful at obscuring their physical or digital traces. Furthermore, the individual executing the act of sabotage is sometimes merely hired, allowing the true orchestrators to remain undetected.
Recognizing espionage activities is even more difficult. Technology theft usually cannot be definitively attributed to social engineering, as the appearance of corresponding products on the market could simply be the result of research and development. Even when industrial espionage is suspected, it often cannot be substantiated. Without identifying the "leak," addressing the issue becomes challenging, and companies are frequently forced to conduct extensive inquiries because it remains unclear whether the information leak is still ongoing.
It is crucial for employees and security personnel to thoroughly investigate any unusual occurrences they notice. A common mistake is not to question an intruder's explanations closely enough and to escort the individual out of the building without further action. In cases of doubt, the police should always be involved, as they have enhanced investigative capabilities. In any case, a potential social engineering attack—whether physical or a cyberattack—should be promptly and thoroughly investigated to prevent any possible (further) network infiltration or compromise of company data. Our Incident Response Team is available to assist you around the clock. Additionally, our Digital Forensic Service can help you reconstruct a potential attack in a manner that holds up for insurance and court purposes.
Protection Against Social Engineering: How to Safeguard Your Company
Protection against social engineering is built on three pillars:
- Attentive employees
- Technical measures
- Organizational strategies
Attentive Employees
The most important contribution to a functioning defense comes from your employees. Everyone can and must help make social engineering attacks impossible by strictly adhering to the relevant company guidelines, such as never granting an unknown person access to a protected area. Since tailgating and piggybacking remain the most popular methods for gaining access, employees must be vigilant and ensure that no unfamiliar person follows them through the entrance.
It is crucial to enhance employees’ individual sense of responsibility and to eliminate hesitations. Prevention of social engineering must extend beyond the initial point of entry; it is not solely the responsibility of security staff or guards. If unknown individuals are encountered in protected areas, they should be approached, and their authorization must be verified. Alibis should be thoroughly examined, and in cases of doubt, the internal security team should be consulted. The most effective way to improve employee behavior is through awareness campaigns and fostering a supportive corporate culture.
Technical Measures
Supportive technical measures such as mantraps, door-opening alarms, and phishing detection programs can be implemented. However, these solutions are often costly and may not be suitable for all companies. Moreover, their effectiveness frequently depends on additional accompanying measures (e.g., organizational strategies). They can also disrupt operations and negatively impact the company’s profitability.
It is essential that technical precautions remain practical for employees; otherwise, they are perceived as cumbersome and people tend to circumvent them. Individuals routinely bypass processes that seem too complicated. If a door is secured too tightly, employees might simply prop it open for smoke breaks or deliveries. If password requirements are overly complex, passwords end up hastily written on a Post-it note and hidden under the keyboard. Such behaviors are common and illustrate the challenge of enforcing security protocols effectively.
Organizational Strategies
Criminal social engineers typically take advantage of unclear responsibilities and poorly coordinated processes. Special attention should be given to visitor management, ensuring that procedures remain clear even in unexpected situations. For example, what should be done if a visitor suddenly complains of feeling unwell during a tour? Often such individuals are simply sent toward the exit while the presenter continues to attend to the rest of the visitor group. Ideally, a quick notification should go to the security personnel at the entrance, where the individual will eventually check out. But what have they been doing in the meantime? Leaving a road apple (a baited USB drive left for an employee to find) or installing a miniature surveillance camera usually takes only a few seconds.
It remains crucial to understand that the areas of prevention mentioned cannot be considered in isolation. Only when all three pillars are robust and, importantly, when the interaction of the various protective measures functions effectively, can your company be considered well-protected against social engineering.
However, determining whether this is truly the case cannot be done solely on paper. Preventive measures must undergo practical testing under realistic conditions to assess their effectiveness. In this regard, the realistic attack simulations conducted by our Red Team have proven to be highly effective.
Conclusion
An increasing number of companies, ranging from small to large, are falling victim to social engineering attacks. For businesses, this not only risks their reputation but also has the potential to result in significant financial losses. A single incident can threaten a company’s very existence.
The business of social engineering attacks is lucrative, which is why attackers are willing to invest significant effort. Consequently, it is essential that the security measures in place are reliable. Given the severe consequences that can result from inadequate IT security measures, it is clear that investments in protection are a sound business decision. The individual protective measures must be precisely coordinated; otherwise, they will be ineffective. We are here to help you make your defense system “waterproof.” Whether it involves social engineering, phishing, physical access assessments, or OSINT assessments, our Red Team specialists perform customized attack simulations tailored to your company to identify and address any remaining security gaps.