Social engineering attacks can seem unpredictable and challenging to defend against. However, with the right approach, organizations can better protect themselves.
Rachel Tobac, our Security Masterminds podcast guest in February 2024, is a leading social engineer and CEO of Social Proof Security. She shares the most common mistake made by companies — continuing to give advice for problems that have stuck around since the early 2000s.
Why do companies continue to struggle with defending against social engineering attacks? Tobac says many organizations need to mature more in their security posture. Outdated advice, such as "just don't click on links," falls short in today’s environment, which often requires downloading and accessing PDFs or clicking Zoom links. Moreover, this advice does not reflect the reality that reviewing links or documents is a core job function for many roles. Instead of blanket restrictions, modern threats demand more nuanced defenses that enable identity and validity verification before carrying out requested actions.
Using AI to Mimic Targets
AI tools now allow attackers to accurately recreate a person’s voice and likeness, presenting new challenges in the field of social engineering. As criminals leverage technology to impersonate targets, AI affords them even more plausible deniability. Attackers can create fake audio, video, images and text, and dismiss actual footage as "deepfakes," which can undermine trust in communications for both personal and professional relationships.
However, Tobac advises that the same identity verification tactics still thwart these advanced attacks. Employees can reliably detect spoofing attempts by requiring a secondary confirmation through other communication channels before proceeding. Tobac says that when she tests clients' new defense protocols by attempting to penetrate them, these improved safeguards routinely catch her.
While AI expands the threats organizations face, proven principles of authentication and authorization still prevent exploitation. Using an out-of-band or secondary communication method is a valuable strategy for verifying a user; avoid using the same medium for verification. Text messages, phone calls, or social media messages serve as an excellent way to confirm someone's identity.
Training Employees with Real Examples
Improved methods must be developed to authenticate identities and detect AI impersonation. As the ability to falsify content through AI becomes increasingly prevalent, Tobac has found success in engaging employees with the formats they are already familiar with. This includes live hacking demonstrations to showcase real-time manipulation tactics, supplemented by entertaining music videos that make a lasting impression on viewers. Providing tangible examples of what fraudulent contact looks and sounds like makes training more practical and enables organizations to target the highest-risk threat vectors emerging in their industry.
Learn From Both Successes and Failures
As a penetration tester, Tobac has learned to exercise patience when working with clients to choose appropriate pretexts and targets for testing. Failures hold valuable lessons as well: psychologically, negative experiences tend to resonate more, and people reflect more on awkward moments than on successful ones. Testing methods should be adjusted based on feedback, particularly when a test does not execute well (for example, because of internal layoffs) or fails to catch attackers.
Verify, Do Not Blindly Trust
Regardless of the attack method — be it email, phone, text or social media — Tobac's core advice is always to verify before carrying out any requested actions. Call the number on the bank card rather than relying on caller ID. Politely ask more questions if something seems unusual.
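The out-of-band verification the sections above describe (confirm over a channel other than the one the request arrived on, and reach the person through contact details already on file rather than the number or address the requester offers), as an added example in Python; it is not code from the episode or from Social Proof Security. The directory of record, the identities, and the `confirm` callback are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed directory of record: contact details the organization stored in
# advance for each identity. Nothing here is taken from an incoming request.
DIRECTORY_OF_RECORD = {
    "cfo@example.com": {"phone": "+1-555-0100", "chat": "@cfo"},
    "vendor-ap@example.net": {"phone": "+1-555-0177"},
}


@dataclass
class Request:
    claimed_identity: str           # who the requester says they are
    channel: str                    # medium it arrived on: email/phone/sms/chat
    action: str                     # what they want done
    callback: Optional[str] = None  # contact info the requester offered


def pick_oob_channel(req: Request) -> Optional[Tuple[str, str]]:
    """Return (channel, address) from the directory of record that differs
    from the channel the request arrived on, or None if there is none."""
    on_file = DIRECTORY_OF_RECORD.get(req.claimed_identity, {})
    for channel, address in on_file.items():
        if channel != req.channel:
            return channel, address
    return None


def verify_request(req: Request,
                   confirm: Callable[[str, str, str], bool]) -> Tuple[bool, str]:
    """Gate an action behind out-of-band confirmation.

    confirm(channel, address, action) reaches the person over the chosen
    channel and returns True only if they acknowledge making the request.
    req.callback is deliberately never used: it is attacker-controlled input.
    """
    choice = pick_oob_channel(req)
    if choice is None:
        # The only channel on file is the one the request came in on (or the
        # identity is unknown). A spoofer could answer that channel too, so
        # refuse and hand off to a person instead of guessing.
        return False, "no out-of-band contact on file; escalate to a human"
    channel, address = choice
    if not confirm(channel, address, req.action):
        return False, f"{req.claimed_identity} did not confirm via {channel}"
    return True, f"confirmed via {channel} ({address})"
```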
The Importance of Improvisation Skills
Even with examples and protocols, defending against social engineering involves dynamic situations with unpredictable human conversations. Tobac credits her improvisation skills, honed during her theater performances, with providing the crucial abilities to think on her feet and smoothly adapt when targets introduce new variables. To develop the same quick wit and mental flexibility that social engineers wield, security teams can practice unscripted responses through role-playing different attack scenarios.
While threats will continue to advance, conscientiousness about identity, integrity and the ability to adapt efficiently now serve as foundational protections against even sophisticated social engineering attacks. Organizations can stay ahead with a collaborative mindset, a security culture skillset and a robust, frequently updated security awareness training program.
Check out the episode with Rachel Tobac available on your favorite podcasting format under Security Masterminds or via our Security Masterminds Podcast website!
Want to cut and paste the link into your own browser? https://www.buzzsprout.com/1892704/14627860