
Social Engineering Techniques that Hack Your Employees

Sep 14, 2023

Only 34% of companies provide social engineering training. That means too many employees are left to fend for themselves.

Zach Capers, Sr Specialist Analyst

According to GetApp’s 2023 data security survey*, only 34 percent of companies provide social engineering awareness training for their employees. That means nearly two in three businesses could be leaving their employees to fend for themselves against masters of manipulation. Companies must train employees on how to recognize social engineering techniques that are designed to exploit human nature for access to sensitive company data.


Social engineers typically investigate an individual or organization before carrying out attacks such as spear phishing or business email compromise (BEC). This includes conducting background research using social media, corporate websites, Google maps, and public records. Armed with this knowledge, scammers are able to conduct their schemes inconspicuously, put employees at ease, and even build a rapport with their targets.

This is often easier than you might think. For example, Venmo is a peer-to-peer payment platform with a social networking element that lets you see other people’s activity. Venmo transactions are public by default, so a significant percentage of the company’s 75+ million users are broadcasting payment information that gives insight into their relationships, interests, and routines. This is exactly the kind of information that can be used to manipulate or impersonate a user.

Once they have the background information they need, social engineers target:

  • Network credentials (e.g., username, password)
  • Network information (e.g., IP info, network topology)
  • Employee data
  • Payroll data
  • Company organizational charts
  • Proprietary data
  • Customer data
  • Tax forms
  • Building access

Social engineering techniques exploit human nature

Most people are trusting and willing to help others; these are two of the primary human characteristics that have allowed us to build a successful society. But some see this generous human nature as something to cynically exploit for access to information and profit. Several elements of human nature are targeted by social engineers, including:

Inclination to help others

People generally act to help others altruistically and are not usually suspicious of others’ motives. Recognizing this, social engineers often prompt victims to act out of an unselfish desire to be helpful. The request is often framed as needing help verifying information or solving a problem for a client.

Avoidance of conflict

People commonly act out of a desire to avoid conflict, even when they’re unsure. For example, when accessing a secure building, it’s common to allow someone to piggyback without authentication, whether they’re recognized or not. Rarely will someone stop the person, explain their valid concerns about building security, and refuse entry.

Willingness to follow direction

People are generally conditioned to comply with requests or commands from superiors and authorities without asking questions. For this reason, social engineers sometimes pose as a company executive or as a government official. This is the basis for W-2 schemes whereby a fraudster poses as a company executive or IRS official demanding tax documents.

Pretexting: a common social engineering technique

Pretexting is the practice of fabricating a scenario or lying about one’s identity to deceive someone into providing privileged information. Pretexting is a social engineering technique commonly employed through email, over the phone, or in person. If a criminal can convince an employee that they are calling from technical support, the employee might provide their network credentials without thinking twice.

Even laws designed specifically to protect privacy and improve transparency can be exploited by social engineering techniques such as pretexting. At a Black Hat security conference, researcher James Pavur revealed the ease with which he exploited GDPR’s right of access provision. Under the auspices of the European privacy law, Pavur used various social engineering techniques to obtain his fiancée’s data from numerous websites without providing proper identification.

Provide data security training on a regular basis

It’s easy to place blame on employees who fall prey to social engineering techniques, but the fault usually lies with underdeveloped security policies and lack of regular training.

GetApp’s data security survey finds that 21% of companies do not provide security awareness training on a regular basis, including 6% that report never receiving training. Much like malware and other security threats, social engineering techniques are continually evolving and becoming more sophisticated. Organizations must provide regular security training and ensure that it’s up-to-date.

Prior to conducting social engineering awareness training, you should send out a survey asking about employee security practices. This can include questions such as “How often do you reuse passwords?” with answer choices such as “never, occasionally, often, and always.” Incidentally, 58% of employees reuse passwords according to our data security survey. Gaps in security hygiene can be used to inform training classes and improve security policies. Phishing tests can also be used to gauge employee susceptibility to social engineering techniques.

But training isn’t enough. Once they’re aware of the methods used for manipulation, employees must be empowered to use their best judgment and trust their instincts. This doesn’t mean your staff needs to be paranoid, but they should have a security mindset and view themselves as guardians of the company’s data.

If yours is one of the overwhelming number of businesses that don’t provide social engineering awareness training, consider developing a course tailored to your specific risks. A variety of training and learning management system software is available that is as effective as it is easy to use.

To learn more about the impacts of social engineering on your company, read our report: How to Prevent Business Email Compromise and Spear Phishing Attacks

Methodology

*GetApp’s 2023 Data Security Survey was conducted in August 2023 among 872 respondents to learn more about data security practices at U.S. businesses. All respondents were screened for full-time employment at U.S. businesses. 362 respondents identified as IT management professionals and 271 identified as IT security managers.

About the author

Zach Capers

Sr Specialist Analyst
Zach Capers is a senior analyst at GetApp, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.