Is Your Business Literally Opening the Door to Hackers?

Some cyber attacks start offline, via phone calls and visits to your workplace. Here’s how you can fight social engineering.


Cyber criminals will use any means available to get your information or your money—both, if possible. They perform technical attacks against every device connected to the Internet, probing for vulnerabilities, bad configurations or poor security.

But the cyber criminals are also using another kind of attack, one that takes advantage of our natural tendency to trust. Cyber security professionals refer to these as social engineering attacks, but they are really the same confidence scams that are as old as human history.

What Social Engineering Looks Like

Most of us are familiar with the use of “phishing” emails. These are emails designed to get you to click on a link or launch an attachment.

“Spear phishing” is a form of attack targeting a specific person or position in an organization. Attackers use social media and public information to gather details on their targets, which makes the emails even more believable to the victims.

But did you know social engineering can involve phone calls and even in-person visits to your workplace? Other forms of social engineering include:

» Tailgating // This is where someone will wait outside a company’s secured door and, once employees use a security card or ID to get inside, the tailgater will follow them in. That way, the thief can physically access the business’s computers or paper files.

» Shoulder surfing // The thief will look over victims’ shoulders and watch as they enter their passwords or PINs.

» Pretexting // Criminals will pretend to be someone with a legitimate need for the victims’ information. They could pose as a vendor, potential client or even the pizza deliveryman. This can happen online, in person or over the phone.

» Business email compromise // This is a growing problem where fraudsters will either take control of a businessperson’s email account or create an account that closely resembles the real one: johndoe@xyzcompany.co instead of johndoe@xyzcompany.com. Then the bad guys will email a customer or employee (an executive’s accountant, for example) and request a wire transfer. In some cases, they can use email access to change the passwords to victims’ bank accounts and completely hijack them.

» Baiting or quid pro quo // Offering something victims cannot resist—like a free song download or help with an IT problem—in exchange for their personal information or access to their systems. One of the most popular methods of attack: free USB drives, which carry malware that allows the cyber criminal to access a victim’s system.
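The business email compromise item above describes a lookalike sender domain (xyzcompany.co in place of xyzcompany.com). The following is an added example, not code from the original article, of how a mail gateway or help desk script could flag such senders: it compares the sender's domain with a list of the organization's legitimate domains (the list and the sample headers are constructed for illustration) and reports domains that differ only by top-level domain, by a character or two, or by embedding the real name in a longer domain.

```python
from email.utils import parseaddr

# Constructed list of domains the organization actually owns.
LEGITIMATE_DOMAINS = {"xyzcompany.com"}

# Constructed sample "From:" headers, including one from a legitimate subdomain.
SAMPLE_FROM_HEADERS = [
    "John Doe <johndoe@xyzcompany.com>",
    "John Doe <johndoe@xyzcompany.co>",
    "John Doe <johndoe@xyzcompony.com>",
    "IT Support <it@mail.xyzcompany.com>",
    "Billing <billing@xyzcompany-secure.com>",
    "Friend <friend@example.org>",
]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header: str, legit=LEGITIMATE_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a From: header value."""
    _, address = parseaddr(header)          # strips the display name
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return "legitimate"                 # exact match or a real subdomain
    name, _, tld = domain.rpartition(".")
    for real in legit:
        real_name, _, real_tld = real.rpartition(".")
        if name == real_name and tld != real_tld:
            return "lookalike"              # xyzcompany.co vs xyzcompany.com
        if 0 < _edit_distance(domain, real) <= 2:
            return "lookalike"              # typo-squat such as xyzcompony.com
        if real_name in name and name != real_name:
            return "lookalike"              # xyzcompany-secure.com
    return "external"


def flag_lookalikes(headers, legit=LEGITIMATE_DOMAINS):
    """Return the headers whose sender domain merely resembles a legitimate one."""
    return [h for h in headers if classify_sender(h, legit) == "lookalike"]
```

Flagged messages are a prompt to verify the request out of band (by calling the known number), not a proof of fraud; a genuine partner domain that happens to look similar should be added to the legitimate list rather than blocked.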

What You Can Do to Fight Hackers

Most of the major breaches reported in the press during the last three years can be traced back to a social engineering attack. If major retailers, entertainment companies, health care organizations and service companies with millions of dollars invested in technology can be compromised, what can you do? Lots, actually.

Social engineering takes advantage of human trust, and often smaller organizations have an easier time addressing training and trust issues. Here are a few ideas for reducing the risk from social engineering:

» Knowledge // Half the battle is knowing what kinds of sensitive data your company possesses, from employees’ Social Security numbers to customers’ credit card information. You should know where this information is stored, either online or in your file cabinet, who can access it and what kinds of protections are in place.

» Internal controls // Implement internal controls to protect your financial systems from fraudulent transactions, or at least detect them if they occur. For example, many businesses use some form of dual control in their payment systems. One employee might prepare a payment or wire transfer, but it requires the approval of another person inside the company—in some cases, the owner.

» Training // Take time to train your team about social engineering. Not just the daily phishing emails, but all forms of social engineering. Encourage them to be skeptical about callers asking for information, and train them to verify a contact’s identity. Don’t just accept that a caller is from your bank—call your bank directly and confirm the call is legitimate. Let your team know how and when to report suspicious activity as soon as possible.

» Culture // Encourage a culture where it is OK to report potential attempts—even the “I may have clicked on something” reports, so you can reinforce training and identify issues early.

» Technology // Many technology solutions exist to help with everything from inspecting emails for attachments and links, blocking connections to malware sites and requiring strong authentication to logging security events. The key thing to remember is that technology is only part of the overall solution. There is no silver bullet.

» Vigilance // Make the effort to evaluate your security, test user knowledge and assess the people, process and technology environment on a regular basis to determine where updates or new solutions may be needed. An ongoing process is critical to maintaining security.

The dangers of social engineering are real. You can reduce your organization’s risk by using the right combination of people, process and technology.