Social Engineering 101: What It Is & How to Safeguard Your Organization
An attack in action
Logging into work on a typical day, John, an employee at Acme Corp., receives an email from the IT department. The email informs John that the company suffered a security breach, and that it is essential for all employees to update their passwords immediately. John clicks the link provided, which takes him to a website that looks exactly like his company’s login page. A few days later, John finds himself locked out of his account, and quickly learns that the password reset link he clicked earlier did not come from his company.
John is a diligent employee. He took the steps needed to keep his account safe by following the directions from his IT team. While there might have been some signs the email was a forgery from an outside attacker, there were no obvious red flags. The email was clear in its logic and the login page was identical to the one he uses regularly.
But as it turns out, John was a victim of a phishing scam, a type of social engineering attack where the cybercriminal impersonated John’s IT department to gain his trust and trick him into revealing his login credentials. The login page John visited was a convincing duplicate of the company's real login page, but in reality, it was nothing more than a trap set by the attacker to collect credentials.
What is social engineering?
Social engineering is often carried out through a technique called phishing, used to obtain access or information. Typically, an attacker will impersonate someone the victim knows and convey a sense of urgency and importance in their communications to encourage the victim to take action. Some common phishing variants used for social engineering include:
Phishing: An attacker sends fraudulent emails or texts that appear to be from trusted sources to get individuals to reveal personal information. These are often generic in nature, and use bland pressure tactics, such as the data breach warning John experienced.
Spear Phishing: A more targeted form of phishing where specific individuals or organizations are the intended victim. In John’s case, a spear phishing attack might have referenced a coworker, his employee number, or a project he was working on.
Whaling: A specific type of phishing attack that targets high-level executives or important individuals within a company.
Vishing: The telephone version of phishing, where the attacker calls the victim and pretends to be a legitimate organization asking for sensitive information.
Smishing: This is the SMS version of phishing where the attacker sends fraudulent messages via text to trick the victim into providing sensitive information.
Social engineering enables attackers to victimize trusted users and then use the information obtained (often compromised credentials) to do damage to an organization. Cisco Talos found that the use of valid accounts is the most common technique for an attacker to gain initial access to an organization, making up nearly 40% of security engagements. So clearly, John isn’t alone. Every day criminals send millions of phishing emails. It’s a numbers game to them, and they only need one or two people to fall for their scam to be successful.
How Duo can help
As attackers get more sophisticated, it is important to improve your organization’s defenses to ensure only trusted users gain access to sensitive resources. Duo can help your organization protect its users and set up roadblocks to get in the way of attackers, even when they send convincing emails meant to deceive your employees.
Ensure access from devices you trust: Reinforce your users by combining strong authentication requirements with device trust policies. Duo’s Trusted Endpoints checks if the device is managed or registered and if it should be trusted. If it is, access is granted. If it’s not, the user is stopped before they can even attempt to log in. This capability is available in all Duo editions.
Remove passwords from the equation: Duo’s Passwordless solution, powered by WebAuthn technology, requires a biometric at login, rather than a password. The biometric on the trusted user’s device unlocks a private key that is matched to a public key held by the application, enabling the user to log in. This makes traditional phishing attacks in which bad actors steal passwords obsolete.
Evaluate login attempts for context and risk: In the event of an attack, Duo’s Risk-Based Authentication can step up the authentication to a Verified Duo Push. This requires the user to enter a code from the access device, like a laptop, into the Duo Mobile application, which a trusted user cannot do if they are not logging in. This is available in Duo’s Advantage and Premier tiers.
To learn more, sign up for a free trial of Duo today.