This post has been modified to reflect new information since its original publication.
Corporate social engineering is one of the most difficult IT security threats to prevent because it targets human error instead of system weaknesses. No matter how strong your company’s cybersecurity defenses are, a skilled social engineer can bypass them if he or she can figure out how to trick someone on the inside into sharing access.
For this reason, the best defense against spear-phishing and other targeted social engineering techniques is to make your users less appealing as marks. This is done through stringent privacy protection and personal data scrubbing, described in more detail below.
But why does this work? Because for any given social engineering ploy, there are countless valuable leads that hackers could target. If your company’s users look like too much effort to engineer, attackers will seek out low-hanging fruit elsewhere.
As such, understanding what makes for an appealing social engineering mark is the first step in building an effective defense for your company.
The anatomy of a social engineering mark
As awareness of—and defenses against—generic phishing attacks have grown, social engineers are increasingly turning to more specific targeting that relies on personalized scams heavy on context and corroborating details. Attractive marks for these attacks have the following characteristics:
- Not exceptionally tech savvy
- Heavy tech users
- Personal and professional information available on the public Internet
- Access to financial resources
- Access to IT systems
Let’s examine each of these individually:
Tech savviness: Social engineers don’t want to target users who are likely to be aware of the latest exploits or techniques, have strong passwords, and know to avoid risky online behavior. It’s much better to target someone who doesn’t know much about social engineering—or even better, IT in general.
Heavy users: The ideal mark is someone who uses IT systems frequently, and preferably someone who accesses multiple types of IT systems through a range of devices. This profile increases the potential vectors for attack.
Information available: In order for a social engineering attack to succeed, it needs to be convincing and personalized. It’s therefore important for the attacker to be able to locate contextual information about the mark online. This is often done by scouring social media, people-search sites, and corporate or personal websites associated with the target.
Financial resources: Given the effort involved in these types of attacks, hackers want to target high-value individuals who are in a position to access large quantities of money. Many recent corporate spear-phishing attacks focused on wire fraud have led to losses in the six- or seven-figure range per wire transfer.
System access: Clearly, there’s little point in a social engineer targeting users who have locked-down permissions and lack the ability to access key systems. Whether the intent is to install ransomware, conduct corporate espionage, or otherwise compromise a system, the attacker needs to find a target who has deep enough access to be useful.
Who do social engineers attack?
Given the profile above, it should come as no surprise that executives are among the top targets for spear-phishing and other highly personalized social engineering ploys. Consider a typical executive within the frame of our profile above:
Tech savviness: Some executives are more tech savvy than others, but generally speaking they move fast, have their hands on a lot of projects, and don’t have the time to stay up to date on all the latest social engineering trends or IT developments.
Heavy users: Executives receive a lot of email and other digital communications, frequently exchange documents with people within and outside of the company, and are likely to access IT systems remotely through a range of devices while traveling for work.
Information available: Since executives are the public face of the company, there is likely to be a good quantity of professional information about them online—or failing that, company information that can be reasonably associated with them. With this corporate backdrop as a starting point, it’s not hard to scan social media and people-search sites to find personal information that can be used to fill in the blanks and personalize an attack.
Financial resources: Executives often have access to the company’s finances or large expense budgets that aren’t subject to preclearance, making it worth the effort to try to engineer them.
System access: Given the broad scope of their roles, many executives have high-level access to multiple IT systems. It is also not uncommon for executives to extract concessions from their IT administrators on security precautions that everyone else in the company is required to follow, making their systems less secure.
Protecting against executive social engineering
In order to prevent social engineering of your company’s executives, you need to remove one or more of the elements that make your executives appealing marks. This severs the information chain, making it much more difficult to develop a convincing social engineering ploy. As such, most hackers will move on to other, easier targets, rather than wasting time on a project that might very well fail to produce results.
So which social engineering variables make for the best candidates?
The easiest to effect is the amount of personal information available online. Most of the other factors cannot be easily altered in any meaningful way (with the exception of tech savviness, although compliance with security training initiatives can be an issue).
You will not be able to get your executives to stop using IT systems or otherwise curtail the access that they need to do their jobs. You will also not be able to obscure information about the company that might be used in an attack.
However, you can often prevent third-party people-search sites from offering rich profiles of your executives’ personal data drawn from public records and marketing databases. You can also audit your executives’ social media accounts (and those of their families) for any publicly accessible information that might be compromising.
These are, in fact, two of the main protections provided by ReputationDefender’s ExecutivePrivacy, our suite of online privacy services designed to keep your key personnel safe, both online and offline. In this era of executive spear-phishing, ExecutivePrivacy has further evolved into a front-line defense against corporate social engineering.
Yet regardless of how you go about obscuring your executives’ personal information, online privacy protection has fast become an essential component to any successful cybersecurity strategy. To learn more about how to make your executives less appealing to social engineers, set up a consultation with one of our privacy experts.