May 17, 2024


5 Essential Tips to Prevent Social Engineering

The modern take on social engineering 

Social engineering, unlike traditional hacking that targets technical vulnerabilities, manipulates human psychology. Through deception, coercion, or manipulation, a threat actor pressures a victim to give up valuable data like login credentials, one-time passwords (OTPs), or sensitive internal information. 

Attackers do this under the guise of legitimacy, taking on the persona of an executive or a member of the IT team. By targeting employees on their mobile devices, attackers can combine SMS phishing (smishing) and voice phishing (vishing) across any number of messaging apps, which makes these attacks highly effective. Once they hold a legitimate user's credentials, they can log in from their own computer and move freely through your SaaS apps until they locate sensitive data, copy it, encrypt it, and demand payment.

And while the underlying principles of social engineering are nothing new, threat actors are constantly coming up with new tactics to increase their chances of a successful attack. Nowadays, all an attacker needs to do is scrape LinkedIn for employee names and titles, buy one license of a sales prospecting tool to get their phone number, and feed a Generative AI tool with the information they find to create a highly convincing smishing text. What’s more is that they can use AI-based voice conversion tools to impersonate someone when they call the target individual.  

At their core, these more modern social engineering tactics exploit human behavior. We are conditioned to interact with anything that pops up on our mobile devices, which makes the average response time to an SMS about 90 seconds versus about 90 minutes for an email. Combine that with a high-urgency message that’s allegedly coming from your CEO or an alert that someone tried to log into your MFA tool from a different location, and it makes sense why attackers target employees on mobile so aggressively. 

Vital strategies to combat social engineering threats

In order to protect against social engineering, there are a number of proactive and reactive policies you can put in place. It’s important to operate under the assumption that some of these attacks will likely be successful, so implementing a multi-layered strategy is the best way to make sure you’re protecting not just the front line, but subsequent points of entry after that. 

Give your security team the visibility it needs

Odds are your team is already using a security information and event management (SIEM), security orchestration, automation and response (SOAR), or endpoint detection and response (EDR/XDR) solution to understand risk across employee laptops, desktops, and even IoT devices. With mobile devices so heavily targeted, it's time to treat them with the same criticality as those other endpoints and feed real-time threat data from mobile into your existing tools. 

By extending EDR to mobile, your security team can not only identify and detect social engineering attacks but also leverage intelligence from the mobile devices across your organization to inform potential threats across other endpoints and devices.

Build a culture of education and reporting

Teach your employees about how convincing social engineering attacks have become and implement a culture of skepticism when it comes to communications that involve usernames, passwords, and MFA tokens. With GenAI, many of the red flags that employees used to know such as misspelled words or poor grammar are no longer present.  

Also, if an employee fends off a social engineering attack but doesn’t tell anyone about it, they’ve only done half their job. Encourage your employees to screenshot potential inbound attacks and make it easy for them to share those messages to a channel or email address. The lower the friction, the more likely employees are to actually report these incidents. 

One way to help show how effective these attacks can be and drive home this mindset is to conduct SMS phishing tests on your employees. Much like traditional email phishing tests, these are a safe way to prove how easy it is to fall for a socially engineered smishing text.

Keep up with the latest threat intelligence

Social engineering can be used in a wide variety of ways, and understanding the latest trends in how threat actors are deploying this tactic is a critical piece of building proactive protections. Keeping abreast of how everyone from nation-state actors to domestic cybercriminals is leveraging social engineering can greatly increase your chances of blocking attacks before they have a chance to get started.  

Implement strong password policies and two-factor authentication

Employees should use a unique password for every work and personal account, and change a password immediately if it may have been exposed, for example after a phishing attempt or a breach notification. Forcing rotation on a fixed schedule is no longer recommended (NIST SP 800-63B advises against it), because it pushes people toward predictable variations of the same password. Employees should also close accounts they no longer use, especially if the passwords associated with them are reused anywhere else. New passwords should be at least 16 characters long; length matters more than mandatory mixes of lower-case letters, capitals, numbers, and symbols. A password manager can generate long random passwords and store them securely, which removes the temptation to reuse them.

Two-factor authentication is also an excellent second line of defense if a threat actor obtains an employee's credentials. Be aware, though, that not every second factor resists the attacks described above: an SMS or authenticator-app code can be read out to a convincing caller, a push prompt can be approved by a hurried employee, and the attacker can relay either in real time. Authenticator apps are more secure than SMS codes, and either is much better than nothing, but for accounts that matter, phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are the strongest option, because the credential is bound to the legitimate site's origin and cannot be relayed from a lookalike.

Regularly update and patch systems

Keeping your electronic systems up to date will not, in and of itself, prevent social engineering attacks. However, social engineering is often a first volley, followed by measures like vulnerability exploitation that lead to deeper access and even ransomware. 

Ensure that your organization's software is patched and your hardware's firmware is up to date. Set both to update automatically where the vendor supports it. If a program or device no longer receives security updates, replace it as soon as possible: once a vulnerability in an unsupported system is public, it is only a matter of time before it is exploited.

Mitigating the social engineering threat

Threat actors rely on social engineering to trick employees into sharing sensitive information such as login credentials. To understand how broad the threat is across the mobile ecosystem, read the Lookout Mobile Threat Landscape Report - 2024 in Review

Threat actors have refined their social engineering methods and become more sophisticated — but with the right tools at your disposal, you can develop even more effective countermeasures.

Urgent Text from the CEO? Think Twice Before Responding

Protect your organization from the rising threat of smishing and executive impersonation.

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization
