Your Ultimate Guide to Identifying Social Engineering Attacks

By Tim Combridge

Updated November 24, 2025

Security is front of mind for so many of us these days, even if it wasn’t where we saw our careers going. It’s no longer just security professionals who are spending a majority of their time protecting data or figuring out how they would recover if they were breached: this focus has bled into all areas of our lives. It’s a sign of the times!

It is the responsibility of everyone who touches business data in any way to do their part in protecting it, and that means you. Whether you’re an architect, developer, admin, analyst, or even a business user – you need to do your part.

Let’s spend some time talking about one area of security that applies to all of us, which is recognizing and protecting against social engineering attacks. 

What Is Social Engineering?

When we think about security breaches, we picture big, advanced technical attacks, but many of the largest breaches of recent years started with something quite different: a social engineering attack. 

Think of it as hacking a human being rather than a system. The attacker doesn't care whether they get in by exploiting a vulnerability in software or a weakness in a person; either way, they end up with access to valuable business data.

Ultimately, social engineering is where an attacker exploits someone’s basic human nature to gain access to a system, money, data, or other assets. They will target things like a human’s inherent desire to trust another human being, be helpful to someone in need, or worse, leverage fear and urgency in another person to get them to do something that they otherwise would not.

That last one is particularly important because we can often be fooled into thinking something has gone wrong and accidentally cause further issues by doing something wrong under pressure. It’s essential to remain calm and recall your training. 

This Is Your Responsibility!

Whether you’re a security expert or just trying to do your day job as an end user, keeping your customers’ data safe is your responsibility. The easiest way to think of it is like this: Imagine you have a house with lots of doors, and inside is a treasure chest. Anyone who needs to enter the house has to enter through their own door – this is your user access. Given how valuable the treasure that you’re working with is, you want to ensure that your door is as strong as possible to keep attackers out.

Your username identifies which door is yours. Your password should be seen as locking it behind you. That said, there are other tools that you should be leveraging to ensure attackers cannot gain access to your treasured data. 

Use a strong password to make sure your door is thick enough to withstand a few knocks from the attacker. Length matters more than a mix of character types: aim for a long passphrase (well over 12 characters) that is unique to each system, ideally generated and remembered by a password manager. Install a deadbolt by setting up 2FA or MFA (Two or Multi Factor Authentication). Not all deadbolts are equal, though: SMS codes and push prompts can be phished or approved by mistake, whereas FIDO2 security keys and passkeys are bound to the real site and cannot be relayed through a fake one, which is exactly the kind of attack this article is about. 

Make the door all but invisible to attackers by porting it to another dimension… okay, that one's a stretch, but you can get close by setting up login IP range allowlists (i.e., only allowing connections from certain IP addresses) and requiring a company VPN. 

In the past, many people would use the same password (something "super secure" like 'mypassword') across multiple systems, and maybe even write it on a sticky note stuck to their monitor for convenience. For a visual representation of the 'strong door' they're hoping will deter attackers from their valuable treasure, picture a door held shut by a cheese puff. That's not really going to do much, is it?

The measures above (MFA, strong passwords, good security hygiene, and so on) go a long way toward protecting your treasure. That said, they're not foolproof. Remember: you yourself unlock and walk through that door every single time you access company data, so the door is ultimately still designed for entry, even if only by you. 

Social engineering attackers know this, and their goal is to tailgate you through the door or get you to let them through the door willingly. Sounds crazy, but it’s incredibly common!

This wild analogy explains the different steps that you should be taking to ensure you do your part in securing your data, but also shows that it’s all for naught if you fall prey to a social engineering attack. 

Most Common Social Engineering Methods

Social engineering is a very broad term, but there are two broad styles you need to be familiar with: phishing, and deception or manipulation. Each breaks down into several categories, which we'll go through together. 

Don’t feel like you need to memorize all of them individually. The reality is that as you read through this article, you’ll start to see similarities between them. Pattern recognition is going to be your most valuable asset when it comes to defending against a social engineering attack. 

Phishing

Phishing uses messages, over whatever channel, that appear to come from a trusted source (a manager, a business contact, or a company you do business with) in the hope that you'll believe them. The attacker wants the message to seem plausible enough that you don't really question what you're doing and hand over what they want, which is often your credentials or other sensitive information. 

There are multiple different types of phishing, can you believe it?! These social engineering attackers are crafty, but you’re about to learn their game and beat them at it. Score one for you, zero for the attackers!

General Phishing

Phishing, in its purest and simplest form, is where an attacker gathers together a large list of email addresses and begins sending out fraudulent emails to them, hoping that at least one of the recipients will fall victim. 

They typically pretend to be a well-known organization or business that has a large spread of customers and will try to convince the reader to click a malicious link or download a file that contains a piece of malware. 

This approach tolerates a very high failure rate: the attack lands in many inboxes, and a single victim is enough for it to succeed.

Spear Phishing

Unlike general phishing, spear phishing is a lot more targeted and, for lack of a better term, personalized. This is where a group of people is directly targeted and sent fraudulent emails that try to coax them into clicking a link or downloading a file. 

These emails are a lot more convincing as they can contain personal information that has been carefully harvested from sources like social media to make the communications seem more legitimate.

Smishing

Smishing, also known as SMS phishing, is where the attacker uses text messaging tools to send out fraudulent communications directly to recipients’ phones. 

Source: LinkedIn

Without the ability to format a message the way an email can be formatted, these SMS attacks usually lean on fear to get people to tap a link without thinking too much about it. Something like: "Your Salesforce password has been successfully changed. If this wasn't you, change it here: (insert bad link here)". On a phone, the full URL is usually hidden behind a short preview, which makes the link even harder to inspect before tapping.

Vishing

Oh boy, we’re going to start seeing a LOT more of this kind of phishing with the rise of generative AI voice technology. 

Vishing, also known as voice phishing, is where an attacker impersonates an individual or company directly over the phone. Think of these as those scam callers that ask for your personal information or try to get you to log in to a system while on a screenshare call.

With AI voice replication technology becoming far more accessible, I suspect we'll start seeing even more personalized versions of this: calls that sound like they're actually from a frantic manager, triggering a panic response that gets people to click malicious links or share sensitive information.

Whaling

Whaling is a very targeted, very personalized, and very dangerous form of phishing, aimed at executives or other business users with broad access to data within a company. The goal is to elicit information or action either from the executive themselves or from staff who take instructions from them. These executives usually have a much larger scope of abilities and access to far more information. 

Think about a CFO. They can direct the finance department to make a payment from the company bank account, so a convincing message to them is worth a lot to an attacker. The flip side of the same attack is impersonation: someone who successfully poses as the CEO of a large company and directs the finance team to pay a fraudulent invoice (often called business email compromise or CEO fraud) will cause a lot of headaches for the victims who fell for it.

Deception/Manipulation

I'm just going to put it bluntly: these tactics are manipulative and awful. Attackers leverage the goodness in their victims' nature for their own gain, leaving victims fearful, less trusting, and even hesitant to help other people in the future for fear of being attacked again.

Pretexting

A pretexting attack is when the attacker designs a false pretense to trick a potential victim into sharing information or performing an action they otherwise wouldn’t. This is another personalized attack where the attacker does their research in advance to establish a sense of legitimacy and increase the likelihood of their attack being successful.

Examples of this kind of attack would be if an attacker reaches out pretending to be an industry auditor or a colleague with an urgent request. Typically, they come with a sense of urgency or authority to manipulate your thinking and make you take actions you otherwise would not.

Baiting

Baiting leverages another aspect of human nature, but this time it's greed or curiosity rather than kindness or empathy. The attacker offers the victim something desirable (the bait) in exchange for business data or access to systems. The classic physical version is a USB drive "dropped" in the car park that installs malware when a curious finder plugs it in. 

While you may wonder what kind of person would turn on their own employer like this, it's usually not as deliberate as it sounds. Sometimes someone is simply offered a free download and ends up infected with malware, or is offered a gift card in an email and tricked into handing over personal information when 'activating the card'. 

Quid Pro Quo

Some of us are lucky enough to have an IT department that is proactive on issues that we may face but have not yet faced, and some of us are unlucky enough to have an attacker pretending to be just that. The key difference is that your IT department will NEVER ask for your credentials over the phone or email, whereas this is a key function of a quid pro quo attack by an attacker.

The attacker will phone up, impersonating the IT department, and offer to fix an issue within your system. To assist, they will need your credentials, which you should NEVER provide. Instead, you should reach out directly to your IT department through a trusted channel and let them know what has happened. 

There’s a chance that it is a legitimate call (in which case you should tell your IT department off for requesting credentials over the phone!), but there’s a much higher chance that the attacker is going to attempt the same method on a colleague next. Your IT department can assist in spreading the word throughout the organization to help ensure no one falls for the attack.

Scareware

There’s nothing worse than that awful, sinking feeling that you get when you realize that you’ve fallen victim to a hack or a breach. I personally have experienced it, and honestly, it is awful. 

You begin to question your practices while also trying to fix the problem as quickly as possible – with split attention and a frantic lack of focus. You know that feeling, I know that feeling, and attackers also know that feeling and look to exploit it.

You may have recently seen a text message letting you know that your account has been breached, or a limit has been changed on a credit card, and a convenient link prompting you to log in and confirm or cancel the change. You may even receive a phone number you can call, where a helpful service representative will support you as you give your information to a hacker. 

Your best course of action if you receive one of these messages is to contact the organization directly through a publicly available support number on a trusted website or within their application. Never call a number or click a sign-in link from a text message.

An Advanced Attack Example

A few months back, I saw details of an attack that stood out to me as one of the most intricate, detailed, and believable social engineering attacks I’ve ever seen. It was reported on social media site 𝕏 (formerly known as Twitter) by a user who details in a thread the experience of being the potential victim of this advanced social engineering attack.

The first thing he noticed was a strange but seemingly legitimate email alerting him that a subpoena had been served on Google requiring them to produce a copy of his Google Account information and content. The email was formatted carefully, used Google branding, asked him to visit a link on a google.com domain, and, worst of all, came from no-reply@accounts.google.com, which is a legitimate address that Google uses.

Source: @nicksdjohnson on 𝕏

Nick, who is well-versed in cybersecurity, double-checked the sending domain and confirmed that the message even passed a DKIM signature check, meaning it had been signed with Google's own DKIM keys, which exist specifically to protect against email spoofing. The plot thickens. Bear in mind what DKIM actually proves: that the signed headers and body haven't been altered since Google signed them. It does not prove that Google wrote the text, or that Google sent the message to you. A genuinely Google-signed message can be forwarded (replayed) to anyone with its signature still intact.

He then opened the link (again, on a google.com domain) and was taken to what looked like a support portal. When he clicked the Upload additional documents button, he was prompted to log in to his Google account, once again on a google.com domain. 

From here, however, we don’t know for sure what the attacker does, because Nick was not about to surrender his Google credentials. Yes, that’s right, this was a phishing attempt, and an attacker has constructed everything you’ve seen so far.

Source: @nicksdjohnson on 𝕏

How can we possibly know this? The biggest sign is that the "support portal" lived on Google Sites, a product that lets anyone create a free website hosted on sites.google.com, a subdomain of google.com. This is similar to how people create WordPress sites hosted on a WordPress.com subdomain. The real Google sign-in page lives on accounts.google.com, never on sites.google.com.

This is how the attacker was able to create a legitimate-looking website on a Google domain. The attacker also exploited how Google sends notifications about new OAuth applications: as Nick and others reported, the phishing text was placed in the name of an OAuth app, Google sent a genuine, DKIM-signed security alert about that app to an account the attacker controlled, and the attacker then forwarded that alert on to the target (MASSIVELY oversimplifying it; the thread is worth reading in detail). 

The reason I wanted to talk about this example specifically is that it is one that many people who are otherwise relatively knowledgeable about cybersecurity (at least enough to protect their accounts and avoid the more obvious phishing attacks) could have fallen for as well. 
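The attack above passes the one check most people know about (DKIM), so it is worth seeing what a DKIM "pass" leaves uncovered. The following Python script is an added example written for this article; it is not code from the original post, from Nick, or from Google, and the message it parses is a constructed sample shaped like the email described above (every hostname, IP and address in it is made up). It checks whether the DKIM signing domain aligns with the From: domain, whether the envelope sender and the server that actually delivered the message belong to that domain (a replayed message gives itself away here), and where the links in the body really point.

```python
"""Inspect a raw email for the signals a DKIM 'pass' does not cover.

Added example: parses a constructed message and reports
  1. whether the DKIM signing domain (d=) aligns with the From: domain,
  2. whether Return-Path and the last delivering host match From:, which is
     where a forwarded (replayed) signed message betrays itself,
  3. which hosts the links in the body point at.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, modelled on the pattern described in the article.
# All addresses, hosts, IPs and signature values are invented.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example-sender.net>
Received: from mailer.example-sender.net (mailer.example-sender.net [203.0.113.7])
        by mx.victim.example with ESMTPS id abc123
        for <victim@victim.example>; Mon, 14 Apr 2025 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
        by mailer.example-sender.net with ESMTP id xyz789
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
        s=20230601; h=from:to:subject:date; bh=Zm9v; b=YmFy
From: Google <no-reply@accounts.google.com>
To: victim@victim.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena was served on Google LLC requiring production of your
Google Account content. To examine the case materials or submit a
protest, please visit:
https://sites.google.com/u/0/d/example-case-portal/view
"""

# Hosts on which anyone can publish content under the brand's own domain.
# Assumed, illustrative list; extend it for the services your users rely on.
USER_CONTENT_HOSTS = {"sites.google.com", "storage.googleapis.com"}


def domain_of_address(addr):
    """Lower-case domain part of an address like 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def org_domain(domain):
    """Crude organisational domain (last two labels). Real DMARC uses the
    public suffix list, so 'example.co.uk' would be handled wrongly here;
    this simplification is an assumption of the example."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def aligned(domain, reference):
    """DMARC-style relaxed alignment: same organisational domain."""
    return bool(domain) and org_domain(domain) == org_domain(reference)


def dkim_signing_domains(msg):
    """Every d= tag from the DKIM-Signature headers."""
    doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([^;\s]+)", sig)
        if m:
            doms.append(m.group(1).lower())
    return doms


def last_external_hop(msg):
    """Host named in the topmost Received header, i.e. the server that
    handed the message to the recipient's mail exchanger."""
    hops = msg.get_all("Received", [])
    if not hops:
        return ""
    m = re.search(r"from\s+([A-Za-z0-9.-]+)", hops[0])
    return m.group(1).lower() if m else ""


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of_address(msg["From"])
    findings = []

    dkim = dkim_signing_domains(msg)
    dkim_ok = any(aligned(d, from_dom) for d in dkim)
    if not dkim_ok:
        findings.append("DKIM signing domain does not align with From")

    ret_dom = domain_of_address(msg.get("Return-Path", ""))
    if not aligned(ret_dom, from_dom):
        findings.append(f"Return-Path domain {ret_dom!r} does not match From domain {from_dom!r}")

    hop = last_external_hop(msg)
    if not aligned(hop, from_dom):
        findings.append(f"delivered by {hop!r}, not a {from_dom!r} server (possible replay of a signed message)")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    link_hosts = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        link_hosts.append(host)
        if host in USER_CONTENT_HOSTS:
            findings.append(f"link to {host}: anyone can publish pages there")

    return {"from_domain": from_dom, "dkim_domains": dkim, "dkim_aligned": dkim_ok,
            "return_path_domain": ret_dom, "last_hop": hop,
            "link_hosts": link_hosts, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("DKIM aligned with From:", report["dkim_aligned"])
    for finding in report["findings"]:
        print("WARNING:", finding)
```

Run against the sample, the DKIM check passes (signing domain accounts.google.com, as in the real attack) while the Return-Path, the delivering server and the sites.google.com link all raise warnings. That is the lesson of the example: a valid signature is one signal among several, and the delivery path and the destination of the link are what expose a replayed message. Mail clients show most of this under "show original" or "view headers".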

How to Identify Common Attacks

While nothing is absolutely foolproof – especially in an age where we can see there are more advanced attacks than ever before – it is important to have some good practices in place to reduce your exposure.

First off, make sure you know your trusted channels of communication. At work, if you tend to communicate with your manager and colleagues in Slack, then you should reach out to them directly in Slack if you receive another communication that you’re not sure actually originated from them (like an email, or more alarmingly, a Slack message from a different Slack account). 

Not only that: just because you're using a trusted channel doesn't mean you're communicating with a trusted sender. This particularly applies to email and text messaging. Check the address an email is sent from carefully, remembering that the example above came from a genuine Google address and still wasn't from Google. 

Next, make sure you're paying close attention to the details. There are only two places you should EVER enter your username and password: the app or website that you know belongs to the service, and a trusted password manager. That's it. 

With this in mind, take extra care that you're not filling in details on a fraudulent website or application instead of the legitimate one. Also, make sure the site is using HTTPS, not HTTP (you can tell by looking at the URL bar in the browser). Bear in mind that HTTPS only means the connection is encrypted; a phishing site can have a perfectly valid certificate and padlock, so HTTPS is necessary but not sufficient. Look at the actual host name in the address bar, not just the padlock.
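The host-name checks above are easy to describe and easy to get wrong under pressure, so here is an added Python example (written for this article, not part of the original) that encodes the common tricks: HTTP instead of HTTPS, a brand name used as a subdomain of someone else's domain, credentials-style text before an "@" that hides the real host, raw IP addresses, punycode labels, and digit-for-letter substitutions. The list of legitimate login hosts is an assumption for illustration; in practice you would keep the hosts of the services your organisation actually uses.

```python
"""Classify a link before typing credentials into it.

Added example, not from the article. Returns a verdict of 'trusted' (a known
login host over HTTPS with nothing odd), 'suspicious' (at least one trick
detected) or 'unknown' (nothing odd, but not a login page you recognise).
"""
import ipaddress
from urllib.parse import urlparse

# Assumed allowlist of real sign-in hosts for the services a user works with.
LEGIT_LOGIN_HOSTS = {
    "login.salesforce.com": "Salesforce",
    "accounts.google.com": "Google",
}

# Digit/letter swaps attackers use in lookalike domains (0->o, 1->l, 3->e).
DELEET = str.maketrans("013", "ole")


def registrable_domain(host):
    """Last two labels of the host. Assumption: names like 'example.co.uk'
    would need a public-suffix-list lookup instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_url(url):
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []

    if p.scheme != "https":
        reasons.append("not HTTPS")
    if p.username is not None:
        # https://accounts.google.com@evil.example/ : the browser ignores
        # everything before '@' and connects to evil.example.
        reasons.append(f"text before '@' is ignored; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a host name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label; check for lookalike characters")

    if host in LEGIT_LOGIN_HOSTS:
        return ("suspicious" if reasons else "trusted"), reasons

    normalized = host.translate(DELEET)
    for legit in LEGIT_LOGIN_HOSTS:
        brand = registrable_domain(legit)          # e.g. google.com
        if registrable_domain(normalized) == brand and registrable_domain(host) != brand:
            reasons.append(f"character substitution imitating {brand}")
        elif brand in host and registrable_domain(host) != brand:
            reasons.append(f"'{brand}' appears inside a host registered under {registrable_domain(host)}")

    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    for sample in [
        "https://login.salesforce.com/",
        "http://login.salesforce.com/",
        "https://accounts.google.com.evil.example/signin",
        "https://accounts.google.com@evil.example/signin",
        "https://login.salesf0rce.com/",
        "https://sites.google.com/view/support-portal",
    ]:
        verdict, why = classify_url(sample)
        print(f"{verdict:10} {sample}  {'; '.join(why)}")
```

Note the verdict for the sites.google.com link: it is not flagged as a lookalike, because it really is Google's domain, but it is "unknown" rather than "trusted", since it is not a sign-in host. That is precisely the distinction the subpoena example relied on people not making.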

Check for obvious spelling and grammar mistakes. These can be a giveaway for a scam, as attackers typically have far less quality assurance in their communications than a real business. I say typically because of the recent LLM AI boom: attackers know about ChatGPT too! They've started creating content using these tools, so spelling and grammar isn't the differentiator it used to be.

Keeping in mind that attackers tend to leverage human nature and emotion, you need to trust your gut sometimes. If you receive an email offer that seems too good to be true, it likely is. If you receive an email that looks like it's from someone you know and they're behaving in a way they normally wouldn't, hesitate, and reach out to them through another trusted channel. When you're dealing with IT or customer support, and they start pressuring you to do things you're not comfortable with or that could expose your business data, pump the brakes. 

TLDR: Know your enemy. Get extremely familiar with the tools you’re using. Establish trusted channels of communication with people and businesses you work with. Trust your gut above all. Pay attention to the details.

Preparing for and Responding to Attacks

Make sure you’re not the only one in your business that knows this stuff! Champion it, share information with your colleagues, and train your teams if you’re in a position of leadership that can organize this. 

As a Salesforce Admin, follow the principle of least privilege when giving users access to the system. That way, if an account is compromised, the exposure is as limited as possible. Give users access only to the data they need to do their job, and nothing more. 

Leverage as many Salesforce security features as you can to protect your users and your customer data: password policies, login IP ranges, Multi-Factor Authentication (MFA), and session settings (such as session timeouts and locking sessions to the IP address they originated from) all help limit exposure. Then check that they are actually doing their job by reviewing login history for successful logins from outside your ranges and for bursts of failed logins across many users from one address.
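As an added example (not from the article, and not a Salesforce-provided tool), the Python below audits a login-history export against the login IP ranges an admin would configure. The rows, the CIDR ranges and the column names are constructed for illustration; the column names follow the shape of a LoginHistory export but are an assumption, so map them to whatever your export actually contains. It flags successful logins from outside the allowlisted ranges (a sign that a profile is missing its ranges, or that stolen credentials are being used) and addresses that fail against many different usernames in a row (password spraying).

```python
"""Audit constructed login-history rows against login IP ranges.

Added example: the CSV rows, the ranges and the column names are all
assumptions made for illustration, not real Salesforce data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed login IP ranges, i.e. what an admin would configure as
# Login IP Ranges / Network Access. Documentation ranges, not real ones.
ALLOWED_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]

# Constructed rows shaped like a login-history export.
LOGIN_HISTORY_CSV = """\
Username,LoginTime,SourceIp,Status,LoginType,Application
alice@example.com,2025-11-20T08:01:12Z,198.51.100.23,Success,Application,Browser
bob@example.com,2025-11-20T08:03:40Z,203.0.113.44,Success,Application,Browser
alice@example.com,2025-11-20T09:15:02Z,192.0.2.77,Success,Application,Browser
carol@example.com,2025-11-20T09:16:30Z,192.0.2.77,Failed: Invalid Password,Application,Browser
dave@example.com,2025-11-20T09:16:31Z,192.0.2.77,Failed: Invalid Password,Application,Browser
erin@example.com,2025-11-20T09:16:33Z,192.0.2.77,Failed: Invalid Password,Application,Browser
bob@example.com,2025-11-20T09:17:00Z,192.0.2.77,Failed: Invalid Password,Application,Browser
"""


def in_allowed_ranges(ip):
    """True if the address falls inside any configured login IP range."""
    return any(ip in net for net in ALLOWED_RANGES)


def audit(csv_text, spray_threshold=3):
    """Return successful logins from outside the ranges and source IPs that
    failed against at least spray_threshold distinct usernames."""
    outside = []
    failed_users_by_ip = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = ipaddress.ip_address(row["SourceIp"])
        if row["Status"] == "Success" and not in_allowed_ranges(ip):
            outside.append((row["Username"], row["SourceIp"], row["LoginTime"]))
        elif row["Status"].startswith("Failed"):
            failed_users_by_ip[row["SourceIp"]].add(row["Username"])
    spray = {
        src: sorted(users)
        for src, users in failed_users_by_ip.items()
        if len(users) >= spray_threshold
    }
    return {"successes_outside_ranges": outside, "possible_spray_sources": spray}


if __name__ == "__main__":
    report = audit(LOGIN_HISTORY_CSV)
    for user, src, when in report["successes_outside_ranges"]:
        print(f"SUCCESS OUTSIDE RANGES: {user} from {src} at {when}")
    for src, users in report["possible_spray_sources"].items():
        print(f"POSSIBLE SPRAY from {src}: {', '.join(users)}")
```

In the sample, alice's second login comes from an address outside both ranges, and the same address then fails against four different users within a minute. If login IP ranges are enforced on every profile, the first finding should never appear; if it does, that is the gap to close first, because it is exactly what a phished password buys an attacker.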

Keep your computer up to date to protect against modern threats that OS developers (Apple, Microsoft, etc) have identified. Maintain your antivirus and anti-malware software to ensure your protection is up to date. Be cautious about email attachments and downloads, and teach your users to be cautious as well. 

Final Thoughts

Social engineering attacks are no joke! As you can see, they’re extremely common and getting more sophisticated with every advancement in technology. The AI era is empowering attackers with incredibly potent tools. It is the responsibility of everyone to ensure they’re educated against social engineering attacks and champion this knowledge within their business. 

What are you going to do in your business to help ensure your colleagues are educated about social engineering? Additionally, I’m curious, what are some of the most convincing phishing attacks you have seen or heard about? Let us know in the comments. 

The Author

Tim Combridge

Tim is a Technical Content Writer at Salesforce Ben.
