Social engineering is one of the most prolific entry points for modern cyberattacks. That makes sense: instead of trying to take advantage of a specific set of conditions that permit escalated permissions to resources, a threat actor need only take advantage of human behavioral quirks, of which there are many.
Because they manage a lot of sensitive data as part of their daily operations, Managed Service Providers (MSPs) have a unique risk profile for social engineering attacks. Understanding social engineering, how it works, and why it's so successful is vital to mitigating your company's risk.
Social engineering is a group of confidence schemes that manipulate unsuspecting users into disclosing sensitive information or performing actions that could compromise your system. Those schemes rely on psychological tactics like trust, authority, fear, or urgency to exploit human emotions and behaviors for the desired outcome.
Those schemes are so popular and culturally relevant that there’s even an English term for the perpetrators: con artists.
Those psychological tricks typically prey on the human “fight or flight” mechanism. Humans innately react to external negative stimuli in one of two ways:
A more stressful stimulus will typically trigger a stronger reaction in either direction.
Other types of social engineering take advantage of greed, kindness, laziness, or ignorance. These schemes make up a small proportion of social engineering attacks and aren’t widely used because they require more engagement from the attacker.
Attackers can carry out social engineering campaigns through various modes of communication, including:
Social engineers aim to steal sensitive information, spread malware, or gain unauthorized access to systems to achieve control over large swathes of organizational data, which they can use, ransom, or sell.
Think of it this way — social engineering is a hack that takes advantage of a critical human psychological vulnerability to access large tracts of very sensitive data. Patching that vulnerability is more complicated than simply applying an update, so understanding the situation is essential.
Social engineering attacks take many different forms. Here are some of the more prominent modern and historical examples.
Phishing is a form of online attack where a threat actor uses an email to trick a user into completing an action that triggers the attack. These attacks can play out in one of three ways:
Phishing is far and away the most successful entry point for threat actors into the corporate environment and has been for the past two to three years.
Vishing is a form of phishing relying on voice communications. The threat actor uses a call or voicemail to impersonate an employee or otherwise steal credentials or sensitive information to gain further access.
Like business email compromise (BEC), vishing can be used in the MSP and organizational space to impersonate a legitimate business and coax customers into redirecting payments to the threat actor.
Unlike BEC, where organizations have a chance of taking down nefarious domains, MSPs and organizations have little recourse for removing phone numbers. Even if they did, setting up or spoofing a new number costs an attacker almost no time or effort.
A watering hole attack is a form of social engineering in which a malicious actor compromises a website their target frequently uses and plants malware on it. They may also infiltrate the site to gather information.
Hackers can carry out this type of attack against an organization or its customers.
Baiting attacks involve leaving a physical item, like a USB flash drive, in a public place to bait someone into picking it up and using it. These attacks can take one of two different forms:
This kind of attack is more commonly mitigated today than it was five years ago. Its prevalence encouraged many Endpoint Detection and Response (EDR) solutions to implement USB storage blocking as an included feature. Baiting attacks also tend to require geographic proximity to the target to succeed.
That’s not always the case, though. The Stuxnet virus, which the US and Israeli governments designed to cripple Iran’s nuclear program, is an excellent example of a remote baiting attack. The virus was designed to interact with particular systems under particular conditions and spread via USB storage to overcome air-gapping controls.
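The USB storage blocking mentioned above ultimately comes down to the Windows "Removable Storage Access" policy, whether set by Group Policy or by an EDR agent. The following PowerShell is an added example, not code from the original article: it audits whether a host would actually refuse a dropped drive and can enforce either a full deny or a read-only compromise. It assumes an elevated session, and the registry paths and class GUIDs are taken from the Removable Storage Access policy template, so verify them against your own ADMX before rollout.

```powershell
# Added example (not from the original article): audit, and optionally enforce, the Windows
# "Removable Storage Access" policy that Group Policy and many EDR agents use to block USB
# mass storage, the control that stops a dropped-drive baiting attack from ever mounting.
# Assumes an elevated PowerShell session; the registry paths and class GUIDs are those the
# Removable Storage Access ADMX writes, so verify them against your template before rollout.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-interface classes covered by the "Removable Disks" policy (disk and volume interfaces).
$RemovableDiskClasses = @('{53f56307-b6bf-11d0-94f2-00a0c91efb8b}', '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')

function Get-PolicyFlag([string]$Key, [string]$Name) {
    # A missing key or value means "not configured", which the OS treats as allowed.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 } else { return [int]$item.$Name }
}

function Get-RemovableStoragePolicy {
    # Blocked is true only if a dropped drive could neither be read nor run code, since a
    # write-only denial still lets a baited payload be opened from the drive.
    $denyAll = Get-PolicyFlag $PolicyKey 'Deny_All'
    $classes = foreach ($guid in $RemovableDiskClasses) {
        $key = Join-Path $PolicyKey $guid
        [pscustomobject]@{ Class = $guid; DenyRead = Get-PolicyFlag $key 'Deny_Read'
                           DenyWrite = Get-PolicyFlag $key 'Deny_Write'; DenyExecute = Get-PolicyFlag $key 'Deny_Execute' }
    }
    $classBlocked = @($classes | Where-Object { $_.DenyRead -eq 1 -or $_.DenyExecute -eq 1 }).Count -gt 0
    [pscustomobject]@{ Host = $env:COMPUTERNAME; DenyAll = ($denyAll -eq 1); Classes = $classes
                       Blocked = ($denyAll -eq 1) -or $classBlocked }
}

function Set-RemovableStorageDeny {
    # Default denies every removable storage class; -ReadOnly keeps read access but denies
    # writes and execution, a common compromise where staff must still read customer media.
    param([switch]$ReadOnly)
    if (-not $ReadOnly) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
        return
    }
    foreach ($guid in $RemovableDiskClasses) {
        $key = Join-Path $PolicyKey $guid
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Deny_Write'   -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'Deny_Execute' -Value 1 -Type DWord
    }
}

$state = Get-RemovableStoragePolicy
if (-not $state.Blocked) { Write-Warning "Removable storage is not blocked on $($state.Host): a baited drive would mount." }
$state | Format-List
```

Run the audit across your fleet before trusting an EDR dashboard claim, since an agent that is unhealthy or excluded on a host leaves that host with the default "not configured" (allowed) state.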
Dumpster Diving is another geographically restricted attack requiring a threat actor to be in the same location as their target — or, more accurately, their target’s garbage.
In the organizational space, this relies on employees not shredding critical information or correctly disposing of critical hardware. A threat actor can then gain access to that information by rifling through trash.
Quid Pro Quo is included in this list because of its success at compromising individuals and employees. There are a couple of different ways this is leveraged in an organizational environment:
Quid pro quo attacks can happen on their own but may be combined with other attack methods on this list. For example, phishing and ransomware are very commonly and effectively paired to extract large sums of money from an organization.
MSPs are increasingly being targeted by social engineering and other attacks because of economies of scale. A threat actor can attack ten or twenty different targets, or they can attack an MSP that gives access to those targets’ data or environments.
Additionally, as has been demonstrated over the past couple of years, threat actors can attack MSPs to manipulate code bases for products used by thousands or millions of customers. Those modifications provide substantially greater returns on work investment than attacking customers individually.
Mitigating those attacks is also difficult. You can’t patch people. You can, however, provide them the tools, resources, and support needed to address social engineering attacks head-on and intelligently reject them.
Implementing an industry-specific training program is the most effective way to protect against social engineering and other cybersecurity attacks. Components of that program might include:
Training your staff on what they should be looking out for teaches them to be more vigilant in spotting and addressing those threats.
Empowering staff to “deny by default” is also critical. The power to say no in situations where there could be a threat may be all that stands between the organization and the millions of dollars in damage and losses that a compromise can cause. The flip side is dealing with false positives: if someone rejects a legitimate customer request, that can frustrate customers and turn them away from the services being offered.
There’s a balance to strike: how permissive is too permissive, and how restrictive is too restrictive? The answer depends on the environment and situation an organization finds itself in. Many organizations fail to adequately quantify risks and instead make assumptions about how often they will materialize. Given that notable social engineering attacks make the news daily, a lot of organizations appear to be missing the mark.
Staff also need a clear path of escalation for threats. A tricky, opaque reporting process discourages people from speaking up — meaning you'll be less protected overall. Conversely, the more accessible and specific the ability to report threats, the more threats they'll report.
Administratively, staff shouldn’t be reprimanded for reporting threats in the normal course of business. Doing so will have a chilling effect on threat reporting. Again, where the consequences of that can be millions of dollars in damage and losses, there’s a risk balance to be struck, which is very organizationally dependent.
The main reason why social engineering attacks are so dangerous is that they target an organization's most vulnerable assets — their people. Malicious actors use manipulative tactics to gain access to an organization's environment to capture more substantial amounts of data or money.
Many manifestations of social engineering attacks are also unpredictable, making them more difficult to spot. As an MSP, you need to strengthen your security defenses to protect your organization's data as well as your clients'. Investing in training is an excellent way to do it.
Social engineering tactics rely on basic principles of human psychology to work, but you can teach your employees to recognize these schemes with an effective security awareness training program. We designed our comprehensive training platform specifically for MSPs, with rich analytics and reporting features and multiple levels of realistic phishing simulations that prepare your staff to handle real-world attacks.
Start your free trial today to see how our training solution can strengthen your MSP's security posture.