With a national election looming, we’re bound to see an uptick in email messaging surrounding political campaigns. According to the 2023 Verizon Data Breach Investigations Report (DBIR), business email attacks represent more than 50% of social engineering incidents, and threat actors have become experts at exploiting the spread of information and societal division that comes with a national election. While your inbox might see more traction as we get closer to November, it’s important to be aware of social engineering tactics year-round so you know how to protect yourself and your organization.
To find out more about what social engineering is, how it works, and how organizations can prevent it—especially during election years—we sat down with Cybersecurity Consulting Manager Larry Kinkaid.
“Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information,” explained Kinkaid. “It’s been around before computers, but in today’s world, the tools and schemes are much more savvy than they used to be.”
According to the DBIR, attackers use a combination of strategies to accomplish social engineering, including:
Social engineers use a variety of tactics depending on their specific motive. From theft to sabotage, threat actors all work to manipulate human error for some sort of gain—and their efforts can be especially harmful during election years.
Phishing attacks are usually at the forefront of election season, especially when the motive is financial. Phishing occurs when a cybercriminal sends an email requesting personal or sensitive information. The goal of phishing is to collect your information or infect your device with malware.
While signs of phishing used to be relatively easy to spot, nowadays, messages can come from highly sophisticated attackers, especially during election periods when people tend to be more susceptible to receiving unsolicited information.
Infosecurity Magazine suggests that if the motive is to erode the integrity of an election process, we might also see other social engineering tactics, such as:
While social engineering can look like anything from a personal email requesting sensitive information to a threatening voicemail claiming to be from the IRS, business email currently represents over half of social engineering attacks. The good news is that there are many ways to avoid social engineering at your organization.
While it can often feel like a check-the-box exercise, it’s essential for organizations to embrace security awareness training as part of the company culture. “Implementing role-based security training helps tailor your program to each employee’s specific role and responsibilities and can make security awareness training more engaging and effective,” said Kinkaid. “It’s important to identify any sensitive information within your organization and the roles that interact with that sensitive information to help you determine who will need tailored or specific security training.”
Enabling MFA is the best way to prevent a hacker from using compromised credentials to access an account. “We’re almost to a point where SMS verification is obsolete,” Kinkaid said. Instead, he recommends that organizations opt for true authenticators or configuring pushes to limit MFA fatigue, which occurs when the hacker continuously sends MFA notifications until the user approves the login attempt.
“Employees with access to financial information are likely to be the target of phishing attacks or other social engineering scams and should be trained to recognize various threats,” Kinkaid explained.
Kinkaid recommends taking turns with easy and hard phishing templates to gauge where you are as an organization. “This type of training tends to resonate with users,” he said.
“People are the center of security, which is why building an effective security program from within your organization is so important,” said Kinkaid. When everyone in the organization understands what data is being protected, how certain behaviors can lead to compromised security, and who to go to if they have any issues or questions, a security culture can thrive.
“Lastly, layer the onion! While the human element is significant, we should always look for more ways to layer our defenses, both preventative and detective,” Kinkaid elaborated.
“We have to expect that social engineering will continue to get more and more clever, preying upon the human element,” said Kinkaid. “That’s why security awareness training, phishing exercises, and your overall security culture are paramount this year and every year.”
Interested in learning more about how to prevent social engineering attacks at your organization? Contact us today.