How to outsmart cyber criminals in social engineering attacks

As bad actors on the global stage find ways to exploit vulnerabilities and create chaos through coordinated corporate hacks and crypto theft, an oldie-but-goodie technique remains prevalent: social engineering.

Social engineering is usually cost-effective and oftentimes, some IT pros say, a lot easier than “direct technical hacking.” Take North Korea, for example, a nation that has used social engineering and phishing attacks to steal billions in virtual currency over the years.

According to experts, there are a few necessary but not incredibly difficult ways to set up a company’s defenses. It takes work and coordination across multiple teams, but, as the saying goes, a good defense is the best offense.

Adam Marrè, the CISO at cybersecurity firm Arctic Wolf and a former FBI cyber special agent, said staying protected from social engineering comes down to two key aspects: technical controls and awareness.

​

By “technical controls,” he means everything from setting up multi-factor authentication and strong passwords to using a password manager and even establishing a device trust, in which a person is only able to log in using specific devices.

“On the identity side, also, things like email filters and other types of traffic filters can help try to catch some of this type of behavior,” he told IT Brew.

He believes awareness and education are also necessary because the online world, as we know, isn’t a safe space.

“I wish it was a place where we could trust everyone, but we cannot,” he said. “Therefore, you have to behave in a way, just like you would in the real world, walking around the streets of New York late at night, you have to consider what you’re doing online.”

Mike Mestrovich—the former acting CISO of the CIA and current CISO at data-management company Rubrik—advises clients and companies to give their emails a second look, noting that people tend to fall for social engineering schemes out of curiosity.

“When it comes to email, it’s important to scan attachments, look for fraudulent emails based on header info, provide a safe area to open embedded links, force multi-factor authentication, and provide verifiable ways for help desk personnel to validate the caller and then continuous user education,” he wrote in an email.

Bad actors, he said, “play into things that may seem very normal” for people, luring victims in by telling them to click on a link to pay a bill—or offering up a spreadsheet that the user supposedly requested.

After using phishing and social engineering techniques to steal crypto, hackers will sometimes stealthily move money and let it sit for years at a time before moving it again, storing it in cold storage, or a crypto cold wallet, said Erin Plante, VP of investigations at Chainalysis.

“And you’ll get an alert that money that was stolen back in 2018 has suddenly started moving,” she said. “That happens often because they’ve been stealing money for a long time.”

For companies and clients looking to guard themselves against these and other attacks, Marrè advises users to create “rules” when they’re in a calm state of mind and before the crisis arises. That may mean taking extra caution and avoiding email links altogether, or calling up coworkers for verification when receiving a Google Doc link out of the blue.

“As long as we are going to be doing important things online, running our businesses, having valuable conversations and interactions with others…there’s always going to be a space in which social engineers can come and try to trick people and get them to do things that they shouldn’t.”