You’re probably aware of some standard IT security threats, like viruses, ransomware, various different kinds of malware and more. These make headlines and, more importantly, fit our conception of standard cyber-criminal attacks – programs designed to steal our data and information.
However, there are arguably more pressing threats to your business that you may not be familiar with. From time to time, your security profile can fall under attack, and you won’t know until it’s too late.
Meet one of the most pressing IT security threats facing the world right now: social engineering.
The Threat
Social engineering is a method of getting people to willingly give out valuable information about either themselves or a company that employs them. Classified as a “confidence trick,” social engineering is a form of psychological manipulation where the perpetrator can use a variety of techniques to surreptitiously obtain bits of confidential information from the victim.
There are a variety of techniques that fall under the social engineering attack method usually referred to as “phishing.” Below are descriptions for a few of the more popular methods, and tips for how to protect yourself from them.
Criminals who employ the social engineering method often try to obtain private information through email. In this form of attack, a target receives an email designed to look like something coming from an official source. For example, you might receive a notification that looks like it is from your bank, urging you to take care of some pressing business. The language will be severe and will try to make you afraid of the consequences of not responding. The goal is to make victims feel as if they have no choice other than to respond. Either you do nothing and suffer the advertised consequence (loss of money or a dire financial penalty) or you comply – unknowingly buying into the scheme. The goal is to give you no time to think it through.
After clicking the link, you’ll be prompted to enter some information, whether it be social security number, credit card info or password. If you’re not paying close enough attention, you can fail to notice that none of this is standard operating procedure, and as soon as you enter the requested information, the attackers have successfully carried out their mission.
It’s easy to imagine employees at a business giving out confidential information too. Maybe an email appearing as though it is from a popular payroll service like ADP goes out to your HR Director, requesting sensitive employee information. You can understand how disastrous it would be if this data fell into the wrong hands. Emails can even appear to come from a CEO or other executive of the business, asking for sensitive information, confidential files, or to open a file attachment that is infected with malware.
Hackers can also compromise a workstation via social engineering, using that workstation as a pivot point to attack other internal systems.
Phone
More bad news – phishing isn’t just confined to email. Another technique criminals use is to persuade victims to give out personal information or transfer money over the phone. As you might imagine, when compared to email attacks, these can be much more difficult to determine if they are real or not.
The criminals who perpetrate these crimes already have some of your key information. Obviously they have your phone number and name, but they may also have your address and some bank details. They will likely also have access to caller ID spoofing, meaning it will more than likely appear to you that these are real calls from official sources.
Oftentimes callers will state that this is an urgent call that demands immediate action from you. They’ll prey upon fear just like email attackers do, trying to get you to give out private information like credit card numbers, passwords and so on. Some attackers can even hold the line, so that if the victim does begin to second guess what they are being threatened with and tries to call the real company that the attacker is pretending to be, they will instead just be directed back to the attacker. These criminals even go as far as placing background sound of being in an office or call center, just to make their attempts seem slightly more legitimate.
Employees can often be at risk. Calls can come from outside sources demanding information and saying they’ve already cleared this with their boss or a member of the executive suite. These put employees in incredibly difficult situations, placing more responsibility on them than they’re likely used to, and creating a fear that they can suffer repercussions from their superiors if they do not comply with this seemingly authentic request.
Solutions
Social engineering is a particularly difficult form of attack to stop. Because it relies so heavily upon psychology, the best method to prevent the attack is through proper testing of an organization’s security. Findings from a thorough social engineering test will set the platform for supervisor conversations with staff for increased vigilance against phishing attacks.
Your employees need to understand what is acceptable to respond to and what isn’t. Furthermore, they should also be shown examples of email phishing so they know what to look for if something seems in any way suspicious.
Take this image from the University of Memphis, for example:
Employees must learn where to look to check for fraudulent links in emails. For phone calls, a structure must be put in place so that employees don’t feel like they have to be the one making decisions. If a supposedly urgent call comes across their desk, there should be a built-in hierarchy for your employee to pass this message up to. And most importantly, it needs to be reinforced that they are doing the right thing by passing this information on – regardless of the consequence. There should be no fear of repercussions.
On the technology side, safeguards like email and phone filtering can be put in place to weed out potential phishing emails. Firewalls can also be set up that block employees from viewing hazardous links included in emails.
Ultimately, testing cannot be ignored. There are only so many technical precautions you can take to prevent social engineering attacks. Your employees will have to be able to recognize what is a real, pressing concern and what is fiction. With a little bit of training, these attacks can be controlled and your business kept safe.
