SOCIAL ENGINEERING | 5 MIN READ
Social engineering is another way your business can become the victim of a data breach. But social engineering is a little different from viruses, malicious code, and password-cracking software. Instead, it preys on human emotion to bypass security controls and obtain valuable information.
A simple email is sometimes all it takes, which is why the inbox is one of the most common attack avenues for social engineering. The cyber-criminal will pretend to be someone they aren’t and request sensitive data from you (like credit card information or login credentials). Or, they might ask you to take an action (like clicking a malicious link or downloading a malicious file).
While the large majority of these emails reek of bogus content, some aren’t so cut and dried, and it can actually be very difficult to determine the legitimacy of the sender and their content.
Some attackers take the time to learn your internal processes and the names and titles of people in your company. They then turn around and use this information to better deceive your coworkers and get what they want.
Because of this, it’s important to remember that even if the email contains legitimate information, it doesn’t mean the email itself is legitimate. And even if the email appears to come from someone inside your company, it doesn’t mean that it does.
Believe it or not, people still use the phone, and it’s definitely not out of bounds for hackers and criminals. If an attacker with just the right amount of people skills picks up the phone, your business could potentially be placed on a one-way path headed straight towards a data breach.
This person could pretend to be a representative from a company you partner with or they could claim to be calling on behalf of a current client. They might ask you to reveal sensitive information or request you to make changes to their account. If they get the right person on the phone (like an unsuspecting receptionist or busy account manager), who knows what damage could be done.
To combat social engineering attacks over the phone, your company must establish procedures and policies that help your staff determine what can and cannot be said or done over the phone. For example, should clients be required to repeat a designated passphrase to request changes to their account? Small adjustments like these can save your business from a world of hurt.
Sure, social engineering attacks carried out in person might sound like a thing that only happens in the movies, but that’s where you’d be wrong.
Face-to-face social engineering is not a difficult thing to pull off, and really, it isn’t anything like a James Bond flick. While there are a variety of ways to play out a social engineering attack in person, the majority of them are incredibly simple and involve minimal acting skills.
A successful social engineering attack could be something as simple as you holding open a locked door for a stranger. You assume they’re allowed inside, so you let them in. Once inside the building, the stranger can do any number of things – like read private documents, search for financial data, or hunt for random passwords written down on sticky notes.
In this case, policies and procedures aren’t the only things recommended. Consequences are recommended, too. In-person social engineering plays off social cues, which means people feel more obligated to drop standard security protocols.
“I was only being polite.” Or, “I didn’t want to offend anyone.” Or even better, “I was just trying to avoid an uncomfortable situation.” With real consequences established (like a write-up), employees won’t feel so bad shutting the door behind them. It sounds harsh, but it's much better than having to close your company's doors forever just because an employee was inadvertently helping a hacker.