
February 2020 - Social Engineering: How to Avoid Falling Victim

Published on February 1, 2020

Cyber attacks have been a regular topic in the news, but there is another type of attack that uses different tactics to bypass cybersecurity tools and solutions. It is called “social engineering” because the attackers exploit the one weakness found in every organization: human psychology. They manipulate people into giving them passwords, bank information, money, or control over their computer.

Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or whether you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel: if you trust the person at the gate who says he is the pizza delivery guy and let him in without first checking that he is legitimate, you are completely exposed to whatever risk he represents. Security is all about knowing who and what to trust. It is important to know when, and when not, to take a person at their word, and whether the person you are communicating with is really who they say they are.

What Does a Social Engineering Attack Look Like?

Recently, Jim received a call from someone claiming to be the credit card fraud division, warning him about a suspicious transaction on his company card. They offered to cancel the transaction, but in order to verify his identity they asked him to read back a code they had texted him. This was a scam! What actually happened was that the callers hit “reset password” on the official credit card website and selected the text message verification option. Because the verification text was sent to the account holder, they needed Jim to read it back to them. Once he did, they were able to reset the password, lock him out of his credit card account, and purchase several new iPhones.

This tactic is known as “vishing,” the voice version of phishing. The criminal uses the phone and a fabricated story to trick a victim into handing over valuable information. Even though Jim had two-factor authentication, they were able to fool him using social engineering.

In another attack, Sarah, an employee in the accounting division, receives an email that looks like it is coming from a company her employer regularly does business with. The email outlines a change in banking information and requests that the invoices due be paid to the new account. Sarah believes the email is from her regular contact and complies with the request. The thief gets away with a six-figure payday.

Cybercriminals know that it is in our nature to trust people we know and take them at face value. They greedily target businesses because they know the payday is potentially much more lucrative than from individual victims. How can you protect yourself and your business?

Know Your Enemy

The first avenue of defense is to be aware of the tactics scammers use. Here is what to watch out for, and what to train your employees to be cautious of:

Email from a co-worker or friend. If a criminal manages to hack or socially engineer one person’s email password, they have access to that person’s contact list: potentially every employee and client relevant to your business. Additionally, if a business does not enforce strong and unique passwords and multi-factor authentication, the hacker may be able to pivot easily from one account or computer to all of them within the organization, because unfortunately most people use the same password everywhere. Once the attacker has gained access to one computer or email account within an organization, he will send out messages to all of the victim’s contacts containing either a link or a download. The link or download (an innocent-looking business document) carries malware that then infects everyone who opens or clicks on the bait. The criminal knows the receiver’s guard is down because the email comes from a known and trusted associate, so chances are high that he or she will click on the link and continue to spread the infection.

Email from another trusted source. Phishing attacks imitate a trusted source and fabricate a seemingly logical scenario for handing over login credentials or other sensitive personal data. Attackers may send an email posing as your bank or credit card company, or even your Human Resources Department. It may ask for payment information pertaining to a company credit card, for an employee to send payment to a certain account, or some other inquiry masquerading as day-to-day business.

There are literally thousands of variations of social engineering attacks. The only limit to the number of ways users can be socially engineered is the criminal’s imagination.

Protect Yourself and Your Business

The good news is that there are methods and guidelines for protecting yourself and your business. Here are a few tips that organizations can incorporate into their security awareness training programs to help users avoid social engineering schemes:
  • Slow down. Scammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics - be skeptical.  Never let their urgency influence your careful review.
  • Research the facts. Be suspicious of any unsolicited messages.  If you receive a strange request from a co-worker or company, verify it is really coming from the person or company by calling them directly or speaking to them in person.
  • Don’t let a link be in control of where you land. Stay in control by finding the website yourself. Type the address into the address bar or use a search engine to be sure you land where you intend. Hovering over a link in an email shows the actual destination URL in the status bar at the bottom of the window, but a good fake can still steer you wrong.
  • Beware of ANY download. Unless you know the sender personally AND are expecting a file from them, downloading anything is a mistake. Special attention is needed here for HR departments, since they regularly expect to receive resumes from potential new hires. Attackers know this and target them by looking for job postings and fabricating a resume to fit the posting, making it likely that the HR department will not suspect the email and will open it.
  • Delete any request for financial information or passwords. If you get asked to reply to a message with personal or confidential information, it’s a scam.  Legitimate companies don’t send emails asking for this kind of information.
  • Set your spam filters to high. Every email program has spam filters. To find yours, look at your settings options and set them to high. Just remember to check your spam folder periodically to see if legitimate email has been accidentally trapped there.
  • Secure your devices. Ensure all computers in your business have good anti-virus software, firewalls and email filters installed and these are kept up-to-date. Set your operating system to automatically update, manually update all other programs you have, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Your IT company can assist with making sure these tools are all in place and always automatically updated.
  • Educate your employees.  Share the above tips with your employees.  Create a company policy to guide employees on appropriate sharing of confidential information.  Some businesses test their employees’ cybersecurity savviness by running simulated phishing attacks - this is something your IT support can help you set up.
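The “hover over the link” advice above can also be automated as a mail-gateway or help-desk check: compare the host a link appears to point at with the host it really resolves to. The script below is an added example written for this article, not a tool the author describes; the email body and the domain examplebank.com are constructed samples, and the registrable-domain helper is a deliberate simplification.

```python
"""Flag links in an HTML email whose visible text names one host while the
href goes elsewhere, plus any link not served over HTTPS. Added example; hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude registrable domain (last two labels): a demo assumption; real code should use the public suffix list.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def suspicious_links(html):
    """Return (visible text, href, reason) for each link worth a second look."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        shown = _HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(target):
            findings.append((text, href, "visible host differs from real destination"))
        elif not href.lower().startswith("https://"):
            findings.append((text, href, "link is not HTTPS"))
    return findings

# Constructed sample: the first link looks like the bank but points elsewhere.
SAMPLE_EMAIL = """<p>Your statement is ready.</p>
<a href="https://accounts-examplebank.com/login">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://198.51.100.7/invoice.doc">Download invoice</a>"""
```

Running suspicious_links(SAMPLE_EMAIL) flags the first and third links and lets the genuine help-centre link through; a link whose visible text is plain words (not a URL) is only judged on its scheme, which is exactly the case where a user still has to hover.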
Social engineering is everywhere, online and offline. Your best defense against these kinds of attacks is to educate yourself and your employees so that you’re aware and alert to the risks.