Social Engineering Risks for MSPs: The Complete Guide
Social Engineering is one of the most prolific entry points for modern cyberattacks. That makes sense: instead of trying to take advantage of a specific set of conditions that permit escalated permissions to resources, a threat actor need only take advantage of human behavioral quirks, many of which exist.
Because they manage a lot of sensitive data as part of their daily operations, Managed Service Providers (MSPs) have a unique risk profile for social engineering attacks. Understanding social engineering, how it works, and why it's so successful is vital to mitigating your company's risk.
What Is Social Engineering?
Social engineering is a group of confidence schemes that manipulate unsuspecting users into disclosing sensitive information or performing actions that could compromise your system. Those schemes rely on psychological tactics like trust, authority, fear, or urgency to exploit human emotions and behaviors for the desired outcome.
Those schemes are so popular and culturally relevant that there’s even an English term for the perpetrators: con artists.
Those psychological tricks typically prey on the human “fight or flight” mechanism. Humans innately react to external negative stimuli in one of two ways:
- Fight: The individual directly confronts the negative stimuli to eliminate it. In the corporate context, this response might look like a “defy by default” mentality or a decision to follow rules regarding passwords, links, and building entries.
- Flight: The individual escapes or passively addresses the negative stimuli to avoid dealing with it. A flight response in a business setting may take the form of an “allow by default" mindset, where they take a more flexible approach to providing access in order to avoid a stressful situation.
A more stressful stimulus will typically trigger a stronger reaction in either direction.
Other types of social engineering take advantage of greed, kindness, laziness, or ignorance. These schemes make up a small proportion of social engineering attacks and aren’t widely used because they require more engagement from the attacker.
Attackers can carry out social engineering campaigns through various modes of communication, including:
- Phone calls
- Emails
- Texts
- In-person interactions
- Online advertisements
Social engineers aim to steal sensitive information, spread malware, or gain unauthorized access to systems to achieve control over large swathes of organizational data, which they can use, ransom, or sell.
Think of it this way — social engineering is a hack that takes advantage of a critical human psychological vulnerability to access large tracks of very sensitive data. Patching that vulnerability is more complicated than simply applying an update, so understanding the situation is essential.
Types of Social Engineering Attacks
Social Engineering Attacks take many different forms. Here are some of the more prominent modern and historical examples.
Phishing
Phishing is a form of online attack where a threat actor uses an email to trick a user into completing an action that triggers the attack. These attacks can play out in one of three ways:
- File-based attacks: The victim opens an attached file — usually a common file type like a spreadsheet or PDF — that automatically downloads malware to their computer. The malware then provides the threat actor access to that computer and the corporate network.
- Link-based attacks: The victim clicks on a link that redirects them to a seemingly legitimate website that prompts them to enter their credentials. When they attempt to sign in, the threat actor gains access to the corporate network through their account.
- Information redirection attacks: The threat actor spoofs or successfully gains access to an MSP's email address and redirects sensitive data, invoices, and payments from the MSP to themselves. These attacks have become more common in recent years due to the alarming rise in Business Email Compromise (BEC) attacks.
Phishing is far and away the most successful entry point for threat actors into the corporate environment and has been for the past two to three years.
Vishing
Vishing is a form of phishing relying on voice communications. The threat actor uses a call or voicemail to impersonate an employee or otherwise steal credentials or sensitive information to gain further access.
Like BEC, vishing can be used in the MSP and organizational space to impersonate a legitimate business to coax customers into redirecting payments to the threat actor.
Unlike BEC, where organizations have a chance of taking down nefarious domains, there is little recourse for MSPs or organizations to remove phone numbers. Even if there were, setting up and spoofing a new number is rarely worth an attacker's time.
Watering Hole
A watering hole attack is a form of social engineering where a malicious actor compromises a website their target frequently uses with malware. They may also infiltrate the site to gather information.
Hackers can carry out this type of attack against an organization or its customers.
Baiting
Baiting attacks involve leaving a physical item, like a USB flash drive, in a public place to bait someone into picking it up and using it. These attacks can take one of two different forms:
- Targeting anyone: This form of attack is low-cost and low-effort, making it easy for a threat actor to leave a device in any public place for anyone to pick up out of curiosity, interest in repurposing the device, or the desire to return it to its rightful owner. When the victim plugs it in, the device deploys malware that gives the threat actor access to the computer.
- Targeting an organization: Rather than leaving the device in a public place, the threat actor places it where organizational personnel are most likely to find it, such as a sidewalk outside the corporate office or on the lobby floor.
This kind of attack is more commonly mitigated today than five years ago. Its prevalence encouraged many Endpoint Detection and Response (EDR) solutions to implement USB storage blocking as an included feature. Baiting attacks also tend to require geographic proximity to the target to implement a successful attack.
That’s not always the case, though. The Stuxnet virus, which the US and Israeli governments designed to cripple Iran’s nuclear program, is an excellent example of a remote baiting attack. The virus was designed to interact with particular systems under particular conditions and spread via USB storage to overcome air-gapping controls.
Dumpster Diving
Dumpster Diving is another geographically restricted attack requiring a threat actor to be in the same location as their target — or, more accurately, their target’s garbage.
In the organizational space, this relies on employees not shredding critical information or correctly disposing of critical hardware. A threat actor can then gain access to that information by rifling through trash.
Quid Pro Quo
Quid Pro Quo is included in this list because of its success at compromising individuals and employees. There are a couple of different ways this is leveraged in an organizational environment:
- Ransomware: The threat actor uses malware to steal or encrypt your organization's data and demands payment to decrypt it. Because MSPs handle data for many different customers, they are prime targets for ransomware attacks.
- Blackmail: The threat actor gains access to damning information about someone who either has privileged credentials or an elevated position within the organization and threatens to disclose that information unless the victim pays up.
- Payment schemes: The threat actor procures hundreds of dollars of gift cards and sends the codes to a corporate executive as a favor. They might ask for a small payment at this time as part of a scheme to secure a much larger amount later.
Quid pro quo attacks can happen on their own but may be combined with other attack methods on this list. For example, phishing and ransomware are very commonly paired effectively to extract large sums of money from an organization.
Why MSPs Are Popular Targets
MSPs are increasingly being targeted by social engineering and other attacks because of economies of scale. A threat actor can attack ten or twenty different targets, or they can attack an MSP that gives access to those targets’ data or environments.
Additionally, as has been demonstrated over the past couple of years, threat actors can attack MSPs to manipulate code bases for products used by thousands or millions of customers. Those modifications provide substantially greater returns on work investment than attacking customers individually.
Mitigating those attacks is also difficult. You can’t patch people. You can, however, provide them the tools, resources, and support needed to address social engineering attacks head-on and intelligently reject them.
How to Stop Social Engineering Attacks
Implementing an industry-specific training program is the most effective way to protect against social engineering and other cybersecurity attacks. Components of that program might include:
- Phishing training
- Security training
- Threat training
- Incident and disaster recovery tabletop exercises
Training your staff on what they should be looking out for teaches them to be more vigilant in spotting and addressing those threats.
Teaching a Deny by Default Mindset
Empowering staff to “deny by default” is also critical. The power of saying no in situations where there could be a threat may mean the difference between millions of dollars of damage and losses that could result from a compromise. The flip side of that is addressing a false positive. If someone rejects a legitimate customer request, that could frustrate customers and turn them away from the services being offered.
There’s a precise balance: how much is too much in being too permissive or too restrictive? The answer to that depends on the environment and situation an organization finds itself in. Many organizations fail to adequately quantify risks and make assumptions around the incidence of risk. Where there are notable social engineering attacks in the news daily, it seems like a lot of organizations are missing the mark.
Staff also need a clear path of escalation for threats. A tricky, opaque reporting process discourages people from speaking up — meaning you'll be less protected overall. Conversely, the more accessible and specific the ability to report threats, the more threats they'll report.
Administratively, staff shouldn’t be reprimanded for reporting threats in the normal course of business. Doing so will have a chilling effect on threat reporting. Again, where the consequences of that can be millions of dollars in damage and losses, there’s a risk balance to be struck, which is very organizationally dependent.
Final Thoughts
The main reason why social engineering attacks are so dangerous is that they target an organization's most vulnerable assets — their people. Malicious actors use manipulative tactics to gain access to an organization's environment to capture more substantial amounts of data or money.
Many manifestations of social engineering attacks are also unpredictable, making them more difficult to spot. As an MSP, you need to up your security defenses to protect your organization's data as well as your clients'. Investing in training is an excellent way to do it.
Mitigate Your Social Engineering Risk With Phin Security
Social engineering tactics rely on basic principles of human psychology to work, but you can teach your employees to recognize these schemes with an effective security awareness training program. We designed our comprehensive training platform specifically for MSPs, with rich analytics and reporting features and multiple levels of realistic phishing simulations that prepare your staff to handle real-world attacks.
Start your free trial today to see how our training solution can strengthen your MSP's security posture.
Leave a comment: