Social engineering is the strongest method of attack against the enterprise’s weakest vulnerability, its people. Criminal hackers recognize this fact. In 2015, social engineering became the No. 1 method of attack, according to Proofpoint’s 2016 Human Factor Report.

These successful social engineering methods often use phishing and malware. But deceptive information assailants have more tools and approaches to draw on than these.

That’s why CSO covers six of the most effective social engineering techniques that attackers use both on and off the internet, providing insights into how each one works, what it accomplishes, and the technologies, methods, and policies for detecting and responding to social saboteurs and keeping them at bay.

Technique one: Enabling macros. Cybercrooks are using social engineering to trick organizational users into enabling macros so that macro malware will work. In attacks on Ukrainian critical infrastructure, bogus dialogue boxes appearing in Microsoft Office documents told users to enable macros to properly display content created in a more recent version of the Microsoft product.

The crooks wrote the dialogue text in Russian and made the dialogue image appear to come from Microsoft. When users complied and turned macros on, the document’s malware infected user machines. “This phishing tactic used an interesting social engineering twist to account for the fact that most users have macros turned off,” says Phil Neray, vice president of Industrial Cybersecurity at CyberX.

Technique two: Sextortion. In attacks called catphishing, cyber criminals pose as potential lovers to lure victims to share compromising videos and photos and then blackmail them.
“These traps have evolved to target the enterprise,” says James Maude, senior security engineer at Avecto.

By targeting senior people across the enterprise using social media, the sextortionists ultimately blackmail them into revealing sensitive credentials, says Maude. These attacks occur in person in bars and hotels at security conferences, as well, says Maude.

Technique three: Expanded affinity social engineering. Affinity social engineering counts on attackers forming a bond with a target based on a common interest or some way that they identify with each other. Crooks now establish these connections online based on shared political views, social media groups, hobbies, sports, movie or video game interests, activism, and crowdsourcing situations, explains Roger G. Johnston, Ph.D., Head of Right Brain Sekurity.

“The bad guy’s method is to become friends, get the victim to do them a favor, slowly ask for information (initially innocuous), then ask for more sensitive information. Once the victim is in a little ways, the attacker can then blackmail them,” says Johnston.

Technique four: Phony recruiters. With so many headhunters seeking out job candidates, it is not suspicious when a faker comes along to pump up an employee’s ego and offer enticing yet fabricated positions to get information.

“This may not directly yield computer passwords, but an attacker can get enough data to figure out whom to password phish inside your company. The attacker can also threaten to tell the employee’s boss that they are planning to leave the company and have already shared confidential information to gain leverage over the victim,” explains Johnston.

Technique five: Old interns. While interns once were only young people, many are now older.
An attacker posing as an older intern has the knowledge and experience necessary to commit industrial espionage, knowing what questions to ask and where and how to find confidential information, explains Johnston.

Technique six: Social engineering bots. “Malicious bots are often responsible for highly sophisticated, damaging social engineering attacks,” says Inbar Raz, principal researcher at PerimeterX. Bots infect web browsers with malicious extensions that hijack web surfing sessions and use social network credentials saved in the browser to send infected messages to friends, explains Raz.

Attackers use these bot approaches to trick the victim’s friends into following links in the message or downloading and installing malware, which enables the cyber hoodlums to build large botnets that include their computers, Raz explains.

Technologies, methods, and policies to prevent, detect, and respond to social engineering

In the Ukrainian attack example, hardened machines that did not permit users to enable macros would have stopped the attack cold. Enterprises can also use deep packet inspection, behavioral analytics, and threat intelligence to monitor the network layer for anomalous behavior such as that exhibited by the Ukrainian attack on Microsoft Office, says Neray. “The enterprise can use next-gen endpoint security to perform a similar function on endpoint devices,” says Neray.
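One concrete form of the macro hardening Neray describes, as an added example that is not from the CSO article, CyberX or Microsoft: a PowerShell script that audits and then sets the Office VBA macro policy for the current user. It assumes Office 2016 or later (the 16.0 policy tree) and writes the per-user policy keys directly; in a managed estate the same values are normally deployed through Group Policy or Intune rather than set by hand. The audit shows the setting the Ukrainian lure relied on (macros disabled but with a prompt the user can click through) next to the setting that removes the choice from the user altogether.

```powershell
# Added example: audit and harden Office VBA macro policy for the current user.
# Assumption: Office 2016/2019/365, whose policy values live under the 16.0 key.
$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

# Values of the "VBA Macro Notification Settings" policy (VBAWarnings):
#   1 = enable all macros                      (weakest)
#   2 = disable with notification              (user can still click "Enable Content")
#   3 = disable all except digitally signed    (signed, trusted publishers only)
#   4 = disable all without notification       (user cannot enable; stops the lure cold)
$VbaWarningsMeaning = @{
    1 = 'enable all macros'
    2 = 'disable with notification (user can enable)'
    3 = 'disable except digitally signed'
    4 = 'disable all without notification'
}

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        # "Block macros from running in Office files from the Internet" (Mark-of-the-Web check)
        $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        if ($null -ne $vba) { $meaning = $VbaWarningsMeaning[[int]$vba] }
        else                { $meaning = 'not set by policy (user controls it in Trust Center)' }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba
            Meaning             = $meaning
            BlockInternetMacros = [bool]$motw
        }
    }
}

function Set-MacroPolicy {
    # Level 4 removes the "Enable Content" choice entirely; level 3 keeps signed macros working.
    param([ValidateSet(3, 4)][int]$Level = 4)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value $Level -Force | Out-Null
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Show the current state; run Set-MacroPolicy (optionally -Level 3) to harden, then re-audit.
Get-MacroPolicy | Format-Table -AutoSize
```

Run the audit before and after hardening; any app reporting VBAWarnings of 2 or "not set by policy" is one where a convincing "enable macros to view this content" dialogue still works, whatever language it is written in.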
These technologies will help mitigate many social engineering attacks.

Policies for the attacks above and many other attack methods should enforce network segmentation, multifactor authentication, and post-attack forensics on the network and endpoints to prevent lateral movement, limit damage from stolen credentials, and understand the scope of the breach so that all associated malware is removed, according to Neray.

The enterprise should address sextortion using a combination of least-privilege zero trust, behavioral detection, and monitoring to expose attacks and limit the abuse of credentials that results from this social engineering technique.

Sextortion requires sensitive handling if such an attack has compromised an employee. “Legal, HR, and law enforcement may need to play a part in any actions, and everyone needs to be ready for the worst. In the cases I know, employee awareness and early intervention have limited the damage,” says Maude.

Enabling employees with panic words they can use when they are in trouble can alert employers to attacks in progress that are using blackmail or coercion, says Johnston. To detect the corporate espionage agent working in the guise of an older intern, consider employees who never take vacations or sick leave, perhaps for fear that their activities will be detected while they are away, says Johnston.

Tools such as anomalous behavior monitoring products and some anti-virus and anti-malware software can detect bot behavior and changes to the browser. The enterprise can detect some weaker bots using threat intelligence and IP address reputation information, according to Johnston.

Employee training

The enterprise should continually update employee training with all the details of how criminals are using social engineering.
“You should conduct social engineering awareness training separately and specifically, sketching out how these attacks work, making them sound very plausible,” says Johnston. Put on plays (live or video) with all the characters, both victims and perpetrators, to demonstrate the points vividly and personally, says Johnston.

Demonstrate how social engineering targets everyone, show how anyone can be vulnerable, and give people the tools to protect themselves and assurances that they are accepted even when they fall victim.

With an optimal combination of training, policies, and security technologies, enterprises can resist social engineering ploys old and new. The enterprise and its people must put forth a team security effort to do it.
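Returning to technique six and to the point in the policies section that tools can detect "changes to the browser": the social engineering bots Raz describes live as malicious browser extensions, so a cheap first detection is an inventory of installed extensions compared against an allowlist, with attention to the permissions a session-hijacking extension needs (reading cookies, intercepting requests, access to all sites). The following PowerShell script is an added example, not from the CSO article or PerimeterX. It assumes a default Chrome or Edge profile in the usual per-user locations, and the allowlist entry and the "risky permission" list are constructed placeholders to be replaced with your own approved extension IDs and policy.

```powershell
# Added example: inventory Chromium-based browser extensions for the current user and
# flag those not on an allowlist or requesting permissions that enable session hijacking.
# Assumptions: default profile paths below; allowlist IDs are placeholders.
$Allowlist = @(
    'PLACEHOLDER-APPROVED-EXTENSION-ID'   # replace with approved 32-character extension IDs
)
# Constructed list: permissions that let an extension read sessions or rewrite traffic.
$RiskyPermissions = @('cookies', 'webRequest', 'webRequestBlocking', 'webNavigation',
                      'tabs', 'history', '<all_urls>')
$ExtensionRoots = @{
    Chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    Edge   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default\Extensions'
}

function Get-ExtensionReport {
    foreach ($browser in $ExtensionRoots.Keys) {
        $root = $ExtensionRoots[$browser]
        if (-not (Test-Path $root)) { continue }
        foreach ($extDir in Get-ChildItem -Path $root -Directory) {
            # Each extension ID folder holds one sub-folder per installed version, each with a manifest.json
            $manifest = Get-ChildItem -Path $extDir.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
                        Select-Object -First 1
            if (-not $manifest) { continue }
            $m = Get-Content -Raw -LiteralPath $manifest.FullName | ConvertFrom-Json
            # Manifest V2 puts host patterns in "permissions"; V3 separates them into "host_permissions"
            $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ }
            $risky = @($perms | Where-Object { $RiskyPermissions -contains $_ })
            [pscustomobject]@{
                Browser     = $browser
                Id          = $extDir.Name
                Name        = $m.name          # may be a __MSG_…__ localisation key; the ID is the stable identifier
                Version     = $m.version
                Allowlisted = ($Allowlist -contains $extDir.Name)
                RiskyPerms  = ($risky -join ',')
                Installed   = $extDir.CreationTime
            }
        }
    }
}

# Report only what deserves a look: unapproved extensions, or approved ones with broad powers.
Get-ExtensionReport | Where-Object { -not $_.Allowlisted -or $_.RiskyPerms } | Format-Table -AutoSize
```

Running this on a schedule and diffing the Id and Installed columns against the previous run turns it into the "changes to the browser" check the article mentions; an extension that appeared without a change ticket and asks for cookies or webRequest is worth pulling the manifest for before anyone's social network session is used to message their friends.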