What is Social Engineering? Examples and Prevention Tips

07/20/2020

Cybercriminals never stop trying to gain unauthorized access to data that they can sell on the Dark Web. Personally identifiable information such as names, addresses, dates of birth, and social security numbers is only the tip of the proverbial iceberg. Understanding the way that cybercriminals leverage human emotion to successfully steal data, and the types of processes and technologies that organizations can use to prevent data breaches arising from these attacks, is the only way to maintain financial stability in an increasingly digital world.

What is social engineering?

Social engineering is the process cybercriminals use to emotionally manipulate people into providing personal information. While imagining cyber attackers as socially awkward men in dark rooms wearing black hoodies may be a popular culture stereotype, the reality is that many of them are highly skilled at understanding end users’ psychological weaknesses. A successful social engineering attack needs to combine elements of both psychology and humanity.

How malicious actors leverage emotion for success

The most effective tool used in a social engineering attack is the end user’s emotions, which is why training modules often fail. By evoking a strong emotion, such as fear, cybercriminals overwhelm the end user and send them into a “fight or flight” mode. Once in a state of emotional and informational overload, the end user is psychologically overwhelmed and responds without thinking.

All social engineering attacks have a similar pattern:

  • Grab a person’s attention
  • Provide information that overwhelms the person
  • Appeal to a user’s primary emotions, most often fear
  • Offer directions that help prevent an outcome

Almost every successful social engineering attack uses these four elements. For example, consider the following “email”:

Jane –

I need to talk about that upcoming presentation right away. Please text me at 555-555-5555.

– Boss

If “Jane” is like most people, she gets a “snippet” of emails in her inbox view. Most likely, seeing the boss’s name at the bottom of the email and the “I need to talk” will create an immediacy that leaves her sending off the information requested. Problematically, the immediacy and request overload her senses, which makes her less likely to go through the processes outlined in the social engineering training she passed.

What is phishing?

Security professionals define phishing as a fraudulent attempt, generally via email, to steal information by posing as someone that seems reputable. Mostly gone are the days where a foreign prince promises wealth if the reader lets him wire money to an account. Modern phishing attacks occur across all digital platforms and hide malware in fake websites.

Email phishing

Email phishing is when a cybercriminal sends an email that either scares the recipient or sounds too good to be true.

One way that malicious actors attempt to exfiltrate information is by sending an email implying that an account password needs a reset. The cyber attacker creates a fake website, embeds the link within the email’s text to hide it, and requests that the user click on the link to reset the password. When victims click that link, worried that the account has already been breached, the attacker either gains the password via the “change password” portal, installs malware on the computer, or both.

Social media phishing

Social media phishing works just like email phishing except that, instead of an email, the cybercriminal sends a private message to a social media account. The private message appears to be from someone the user knows but is really a duplicate or fake account created solely as a device for obtaining information.

SMiShing

SMiShing is the term used for getting phished by text (or SMS). Increasingly, hackers leverage texts as a way to get information. Texts, unlike emails or social media messages, are more difficult for end users to verify, especially since many people link their mobile phone numbers to their most important accounts.

For example, someone who agrees to text notifications about their data plan may receive a text that their data is reaching a monthly limit. The text provides a link and suggests that the user check the account. Clicking that link in the text poses the same problem as clicking links in emails and social media messages.

How to prevent a social engineering attack

Understanding how to prevent a social engineering attack means looking for clues to verify who sent the message. With email and social media, it might be easier than with a SMiShing attack, but the same principles still apply.

Verify the sender

Most companies have an email formula. For example:

[email protected]: [email protected]

[email protected]: [email protected]

[email protected]: [email protected]

Even corporate “no reply” emails usually use a similar corporate formula. To protect from a social engineering attack, people should always check to see whether a message is real. If the attack is done via social media, users should go to their friends list and start a new conversation there to verify. If the text looks suspicious, it’s easiest to either ignore it or to find an office or customer service number before taking action.

Review the sent-to address

Most people receive emails from vendors or retailers every day that filter into their Spam boxes. While this acts as an initial filter, oftentimes rogue messages get through to an inbox. As part of protecting themselves from a social engineering attack, users should review the “addressee” or “To:” line.

Many people assume that the hyperlinked name in the “To” is their email address. However, when an email looks suspicious, users should hover over the blue highlighted addressee name and then delete the email if they don’t see their address.

Validate the email introduction

Most phishing emails use a “vague” introduction such as “Dear User” or “Hello Friend.” However, the rise in marketing automation tools changes how businesses communicate with their customers. Marketing emails from companies will almost inevitably use a first or last name because they collected information as part of the ordering or gated website content process. An email without a name should trigger an automatic “delete.”

Never click a link

Embedded links in emails, or links provided via text and social media, are the primary threat vector. As people become increasingly aware of social engineering attacks, cybercriminals have made their messages look more legitimate. Blue hyperlinks, or automatic clickable in-text links, hide the URL.

Never clicking on embedded URLs would be the best “best practice.” However, it’s not necessarily reasonable. To verify the URL, users can:

  1. Hover their cursor over the link and see if the address shows up.
  2. Hover their cursor over it, right-click, choose “copy this link,” and paste it in a document.

A valid link starts with “www.company.com,” and should be safe as long as there are no spelling errors in the link. A link that starts with “www.c0mpany.com,” where the link substitutes a zero for the first “o” is not safe.

Additionally, if the copied link pastes as a “tiny URL” that looks like this: https://bitly.com/123ncug or https://tinyurl.com/123xyr, then the link is still hiding the final destination and should never be followed.
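The link checks described in this section can also be automated at a mail gateway or in a reporting tool. The following is an added example, not SecurityScorecard code: it assumes `company.com` is the organization's real domain, treats the two shortening services named above as the shortener list, uses a small constructed table of character swaps, and runs on a constructed sample message.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for this example: the organization's real domain, the shortening
# services named in the article, and a small table of character swaps.
TRUSTED_DOMAINS = {"company.com"}
SHORTENERS = {"bitly.com", "tinyurl.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample message body (not a real email).
SAMPLE = (
    '<p>Your password expires today: '
    '<a href="https://www.c0mpany.com/reset">www.company.com/reset</a></p>'
    '<p><a href="https://tinyurl.com/123xyr">Check your account</a></p>'
    '<p><a href="https://www.company.com/help">Help center</a></p>'
)

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-case hostname with a leading 'www.' removed."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def classify_link(text, href):
    """Return the reasons a link is suspicious; an empty list means none found."""
    host, reasons = host_of(href), []
    if host in SHORTENERS:
        reasons.append("shortener hides destination")
    elif not is_trusted(host):
        lookalike = is_trusted(host.translate(HOMOGLYPHS))
        reasons.append("lookalike of trusted domain" if lookalike else "untrusted domain")
    # Visible text that looks like a URL but names a different host than the target.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != host:
        reasons.append("visible text does not match target")
    return reasons

def scan_message(html_body):
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: classify_link(text, href) for text, href in parser.links}
```

Calling `scan_message(SAMPLE)` returns a dictionary keyed by link target, so a mail filter can quarantine any message with a non-empty list of findings.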

SecurityScorecard enables organizations to mitigate social engineering attack risk

SecurityScorecard’s security ratings platform tracks risk across ten risk factor groups, including social engineering. Our social engineering risk factor scans for employees using corporate account information for social networks, service accounts, personal finance accounts, and marketing lists to ensure that none of the resources were exploited.

Consistently working with employees on how to protect themselves from social engineering attacks is the first line of defense. However, for true defense-in-depth security, organizations need a way to locate potentially compromised corporate credentials. SecurityScorecard’s easy-to-read A-F rating scale provides at-a-glance visibility into social engineering risk by giving organizations the ability to dig down into the individual risk factors for weak controls.
