Social Engineering Assessments: The Most Important Cybersecurity Strategy You’re NOT Implementing

October 24, 2024

Social engineering attacks can have devastating impacts on organizations of all sizes. We caught up with our friend Jason Albuquerque at Envision Technology Advisors to learn more about these attacks and how regular assessments can help you protect your organization.

Cybersecurity Awareness Month is a great reminder for organizations of all sizes to prioritize cybersecurity, and one key element of a robust cybersecurity plan is conducting regular social engineering assessments. What do these assessments entail? Let’s dive into a recent chat with Jason Albuquerque. Jason sheds light on common techniques used in social engineering attacks, the human emotions and traits that make these attacks successful, and the importance of proactive social engineering assessments to protect organizations from these growing threats.

Q&A with Jason Albuquerque

Q: Jason, first off, what exactly is social engineering?

Jason: Social engineering is a sophisticated form of cyberattack that exploits human psychology rather than technical vulnerabilities. It involves manipulating individuals into divulging confidential information or granting unauthorized access to systems, making the human element the “weakest link” in the security chain. Unlike traditional cyberattacks that target software or systems, social engineers “hack” human behavior, often with devastating consequences for organizations of all sizes.

Q: What makes social engineering attacks so effective?

Jason: Social engineering attacks are effective because they exploit common human tendencies. Attackers prey on emotions and personality traits, using psychological manipulation to deceive individuals into actions that compromise security. Hackers will use authority, extroversion, agreeableness, urgency, and stress to prey on victims. As one example, hackers will often impersonate executives, IT staff, or government officials to gain trust and extract information.

Q: What are some common examples of social engineering?

Jason: Social engineering attacks come in MANY forms, all designed to exploit human vulnerabilities. Some of the most prevalent techniques include:

Email phishing - The most common form, where attackers send fake emails from seemingly legitimate sources.
Spear phishing - A targeted attack aimed at specific individuals or organizations.
Quid pro quo - Offering a service in exchange for access or information, such as a fake technical support offer to fix a non-existent problem.
Baiting - Luring victims with enticing offers, such as leaving a USB drive labeled “Executive Salaries” in a public place to encourage someone to insert it into their computer, infecting it with malware.
Pretexting - Creating a fake story or pretext to gain the victim’s trust and obtain sensitive information, often by impersonating a legitimate service provider.

Q: How can organizations protect against these attacks?

Jason: A social engineering assessment is a critical tool for evaluating an organization’s vulnerability to human-based attacks. By conducting controlled social engineering exercises, organizations can identify weaknesses in employee training, security policies, and overall awareness.

Q: What have you found are the main benefits of social engineering assessments?

Jason: Social engineering assessments help expose weaknesses in cybersecurity protocols, evaluate employee training effectiveness, and provide insights to improve security controls and policies.

Q: Have you found that most organizations conduct regular social engineering assessments?

Jason: Unfortunately, social engineering assessments are often overlooked. While many organizations focus on protecting their systems and networks from technical vulnerabilities, the human element is often neglected. The reality is, however, that social engineering attacks, which exploit human behavior, can be as damaging as technical breaches. In fact, social engineering is often the first phase of a larger, more complex cyberattack. As one example, according to Verizon’s 2023 Data Breach Investigations Report, 74% of data breaches involved the human element.

Educating employees on social engineering tactics and regularly testing their awareness through simulations can significantly reduce the risk of falling victim to these attacks. Organizations that prioritize the human element of cybersecurity will be better equipped to protect themselves in an increasingly perilous digital landscape.