https://www.engineeringnews.co.za

How to protect against social engineering fraud

28th September 2022

This article has been supplied as a media statement and is not written by Creamer Media. It may be available only for a limited time on this website.

By Aamir Lakhani, Global Security strategist and researcher at Fortinet

Cyber adversaries maximise every opportunity they can get. They prey on vulnerabilities and security gaps, but also on human nature. In fact, there is one risk that cannot be "patched" easily, and that is the human factor. It remains a key concern in breaches and cyber-attacks. Basic cyber hygiene and cybersecurity awareness training remain critical to cyber defence, especially against fraud-based social engineering attacks.

Unfortunately, the odds are often in the attacker's favour, because they only need one unsuspecting person to click on a malicious link or to provide credentials in order to access the corporate network. And, as attackers evolve to include more reconnaissance, even business partners can become indirect targets, as attackers try to obtain information or context that improves their odds.

What are socially engineered fraud attacks?

Social engineering attacks use malicious tactics in social interactions such as email or texting to manipulate users into giving up confidential information. Fraud attacks add a further layer: rather than relying simply on a click on a malicious link, they exploit a position of authority or trust to trick someone into divulging information. Fraud attacks rely on pressure or trust and are important to understand because, with the right credentials, attackers can often get far into corporate networks.

Preventing social engineering fraud attacks

FortiGuard Labs' recent threat report showed that work-from-anywhere (WFA) endpoints remain targets for cyber adversaries seeking access to corporate networks. Operational technology (OT) and information technology (IT) environments are both attractive targets as cyber adversaries search for opportunities in the growing attack surface and in IT/OT convergence. To increase their odds, cyber adversaries are also embracing more reconnaissance and defence evasion techniques to increase precision and destructive weaponisation across the cyber-attack chain.

All of this means there is no time like the present to make sure everyone is trained on cybersecurity basics and understands key awareness principles, to reduce the chance of an individual being leveraged to gain access to corporate data and networks.

Employees need to understand the importance of protecting themselves and their organisations against social engineering attacks of all kinds, including socially engineered fraud attacks, in order to be the first line of defence and take proactive steps to safeguard personal information, devices, and networks.

Tips to prevent social engineering fraud attacks

Fraud-based attacks exploit trust and a sense of urgency to pressure or persuade users into handing over valuable access information, so it is important to know how to avoid becoming a victim. To prevent social engineering attacks that use fraud tactics, organisations can use many of the same tools and strategies that prevent other types of social engineering attacks. Following are some recommendations to keep in mind.

1) Encourage users to use unique usernames and passwords

This is not a new concept, but requiring employees to change passwords and maintain password hygiene is important. In addition, requiring unique passwords instead of reused passwords reduces the extent of access an attacker gains if one set of credentials is obtained.

2) Help employees learn how to spot phishing attempts

Phishing simulation services use real-world simulations to help organisations test user awareness and vigilance against phishing threats, and to train and reinforce proper practices when users encounter targeted phishing attacks. Practising spotting attempts builds the muscle memory users need in everyday situations. Phishing can often be part of the initial outreach even in a fraud-based attack.

3) Invest in cybersecurity awareness training

Broad cybersecurity awareness training can help educate employees on how to identify threats and protect themselves and their organisations. Adding this type of training to internal training programmes adds valuable information. Training can provide scenarios and context to help educate everyone about evolving attack techniques.

4) Eliminate key vectors of attack

Organisations need email security gateways and content disarm and reconstruction (CDR) tools to strip malicious attachments and links. Web application firewalls are important to secure access to websites and to identify and disable malicious links or embedded code. Endpoint detection and response (EDR) tools are vital to protect the many kinds of endpoints in use.

5) Encourage involvement

One of the most important keys to improving the risk profile of an organisation is getting employees involved and taking ownership of their security responsibilities. With training, the right tools, and effective processes, security leaders can help everyone approach cybersecurity responsibly.

6) Be prepared with effective response

Emergency incident response services can provide rapid and effective response when an incident is detected.

7) Practice and be ready

Incident readiness subscription services provide tools and guidance to help organisations better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

8) Maximise ZTNA and MFA

Zero-trust network access (ZTNA) extends the principles of zero-trust architecture (ZTA) to verify users and devices before every application session. ZTNA confirms that they meet the organisation's policy for access to that application. Policies can be enforced for both remote workers and on-campus workers. Additionally, multi-factor authentication (MFA) increases certainty of user identity by verifying another factor and applying adaptive authentication. If an MFA fatigue attack happens, effective ZTNA will limit access, especially if a time-of-day access policy is in place. Keep in mind that not all MFA solutions are the same; consider an MFA solution with brute-force protection, which can defend against MFA fatigue attacks.
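As an added illustration of the two controls named in this tip, brute-force protection for push MFA and a time-of-day access policy, the following example is written for this page and is not Fortinet's or the article's own code. It caps how many push prompts a single account can trigger in a sliding window, locks the account when the cap is hit (so a flood of prompts cannot wear the user down), and refuses sign-ins outside allowed hours. The thresholds, the access window and the event log are assumptions constructed for the example, not vendor defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, time

# Assumed policy values (constructed for this example, not vendor defaults).
MAX_PROMPTS_PER_WINDOW = 3                  # pushes allowed per user per window
WINDOW = timedelta(minutes=5)               # sliding window for the cap
LOCKOUT = timedelta(minutes=15)             # lockout once the cap is hit
ACCESS_HOURS = (time(7, 0), time(19, 0))    # time-of-day policy, local time


class PushThrottle:
    """Brute-force protection for push MFA: limits prompts per account and
    locks the account instead of sending more once the limit is reached."""

    def __init__(self, max_prompts=MAX_PROMPTS_PER_WINDOW,
                 window=WINDOW, lockout=LOCKOUT):
        self.max_prompts = max_prompts
        self.window = window
        self.lockout = lockout
        self.sent = defaultdict(deque)   # user -> timestamps of prompts sent
        self.locked_until = {}           # user -> lockout expiry

    def request_prompt(self, user, now):
        """Return 'SEND' if a prompt may go out, or 'LOCKED' if the account
        is in lockout (or has just hit the cap and entered lockout)."""
        if self.locked_until.get(user, now) > now:
            return "LOCKED"
        recent = self.sent[user]
        while recent and now - recent[0] > self.window:   # age out old prompts
            recent.popleft()
        if len(recent) >= self.max_prompts:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return "LOCKED"
        recent.append(now)
        return "SEND"


def within_access_hours(now, hours=ACCESS_HOURS):
    """Time-of-day policy: True only inside the allowed [start, end) window."""
    start, end = hours
    return start <= now.time() < end


def decide(throttle, user, now):
    """Decision for one sign-in attempt: policy first, then the throttle."""
    if not within_access_hours(now):
        return "DENY_OUT_OF_HOURS"
    return throttle.request_prompt(user, now)


# Constructed event log (user, timestamp): alice is hit with a burst of
# prompts, bob signs in normally, carol's attempt falls outside access hours.
EVENTS = [
    ("alice", datetime(2022, 9, 28, 9, 0, 0)),
    ("alice", datetime(2022, 9, 28, 9, 0, 20)),
    ("alice", datetime(2022, 9, 28, 9, 0, 45)),
    ("bob",   datetime(2022, 9, 28, 9, 1, 0)),
    ("alice", datetime(2022, 9, 28, 9, 1, 10)),   # 4th in 5 min -> lockout
    ("alice", datetime(2022, 9, 28, 9, 5, 0)),    # still locked
    ("alice", datetime(2022, 9, 28, 9, 20, 0)),   # lockout expired -> normal
    ("carol", datetime(2022, 9, 28, 23, 30, 0)),  # outside 07:00-19:00
]


def replay(events, throttle=None):
    """Run the decision logic over an event log; one verdict per event."""
    throttle = throttle or PushThrottle()
    return [decide(throttle, user, ts) for user, ts in events]


if __name__ == "__main__":
    for (user, ts), verdict in zip(EVENTS, replay(EVENTS)):
        print(f"{ts:%H:%M:%S} {user:6} {verdict}")
```

The lockout is keyed on the account, not the source address, because a fatigue attack is by definition one account being prompted repeatedly; the burst of "LOCKED" verdicts for a single user in the replay is also the signal a detection rule would alert on.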

Conclusion

The most important key to improving an organisation's risk profile is getting employees involved, one way or another, in accepting and fulfilling their security responsibilities. With training, the right tools, and effective processes, including support from top-tier company leaders, security teams can help everyone take cybersecurity seriously.

Corporate security and IT teams remain essential in preventing cyberattacks, but we're all ultimately responsible for understanding cybersecurity basics and taking basic steps to protect our devices and data. By working together, we have a better chance of keeping attackers out of our corporate and home networks. 

Edited by Creamer Media Reporter
