As a business owner or manager, you have very likely become aware of the increasing necessity of protecting your business from cyber security threats.  But there is another threat that can seriously harm your business - and it’s possible you’re doing nothing to stop it!

This threat is social engineering, and it is a weakness found in every single organization.  It exists because it takes advantage of a weakness all businesses share - humans.  In fact, many cybersecurity professionals agree that humans are a business’s number one vulnerability.  To secure a house, you can have an alarm system, locks, gates and security dogs, but if someone in the house decides to trust the wrong person and opens the door for them, all that security is useless!

Social engineering is the art of exploiting human psychology, rather than technical hacking, with the intent of gaining information or access to money, a building, data or computer systems.  Social engineering strategies manipulate how people think and act.  It is human nature to naturally trust that a person is who they say they are - and criminals know this!

It is so popular because taking advantage of human emotion is much easier than hacking a network or looking for security vulnerabilities.  A carefully worded email, phone call or text message can trick people into transferring money, providing confidential information, or downloading a file that installs malware on the company network.

Let’s consider four methods of social engineering (there are many types and sub-types) and how you can equip your team with the skills they need so that they don’t fall victim to scams.

1. Phishing.  This is the most common type of social engineering attack. Its purpose is to gain confidential business or personal information such as clients’ names, credit card information, banking information, addresses, etc.  Phishing messages often imitate a trusted source, such as a bank or a branch of the government, and present a seemingly logical scenario for providing login credentials or other sensitive personal data.  What sets a phishing attack apart from other social engineering threats is the use of fear or a sense of urgency to manipulate the user into responding quickly.

A very common phishing scam is the automated call from “Revenue Canada” authoritatively informing you that you will be arrested if you do not take action immediately.  Who of us hasn’t received a poorly written email, full of spelling and grammatical mistakes?  These emails will usually contain links to websites where your information can be stolen. Some phishing emails are obvious and easy to spot, but phishing emails are becoming much more advanced and in some cases can be virtually impossible to detect.

2.  Spear Phishing.  This is a more targeted form of phishing that focuses on victimizing a specific person who is perceived to have access to funds or data that would be attractive to a criminal, such as C-suite executives or their assistants.  It is often called BEC or Business Email Compromise.

Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:
After researching, a cybercriminal knows the CEO of a company is travelling.  An email that looks like it is from the CEO is sent to an employee asking them to help the CEO out by transferring $500,000 to a new foreign investor. The “CEO” explains that they are unable to make the deposit themselves because they are travelling, and that it is urgent and important.  The story makes sense to the employee, so he carries out the request believing he is doing his job.

3. Pretexting.  Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario.  Instead of using fear and urgency, pretexting attacks rely on building a false sense of trust with the victim by creating a credible story that leaves little room for doubt on the part of their target.

In construction, one of the most targeted industries because large money transfers and purchases routinely take place, this scenario plays out often:  Admin staff receive an email from a supplier saying that the supplier has changed bank accounts and asking that payment be sent to a new account.  Staff take the email at face value and comply, depositing a large sum of money with a criminal rather than the trusted supplier.

Criminals often target Human Resources departments, knowing that they won’t question an email with a resume attached for download.  Rather than an innocent resume, the attachment actually installs malware.

A social engineer might call and pretend to be a fellow employee or a trusted outside authority such as IT support or the accountant.

Taking advantage of the desire to be polite and helpful, an intruder may gain physical access to a building by simply asking an employee entering or exiting the building, "Can you hold the door for me? I don't have my key/access card on me."  Once inside the building, the person may then be able to get to company computers or other company resources.

4. Baiting.  To entice victims, this type of social engineering relies on the promise of getting something for free or for very little, just like a fisherman dangles bait to catch a fish.  For example, an email may claim that you won the lottery, or that you’re the millionth person to click on their site and will receive a prize.  Some claim to be representing the estate of a distant deceased relative who has left you money.  Criminals are hoping to trick you into providing personal and banking information, supposedly so the prize money can be sent.

In another tactic that exploits human curiosity, some criminals have been known to leave USB keys lying around in a parking lot, perhaps labelled in an appealing way as “confidential,” knowing that the victim’s curiosity about what could be on the USB key may lead them to insert it into their computer to see what’s on it.  This leads to the computer being infected with malware.

How to Avoid Falling Victim

1. The best defense against social engineering attacks is user education.  Employees should be aware that social engineering exists and be familiar with commonly used tactics.  Even forwarding the information in this newsletter to your employees is a great start.

Many organizations provide ongoing security awareness training.  There is some great software to help: these programs educate employees and also test their discernment by randomly sending test emails.  Check with your IT support to hear their recommendations. Training should be ongoing so that it is always top of mind.  All staff should be included; remember that senior leadership and executives are primary enterprise targets, and don’t forget anyone who has authority to make wire transfers or other financial transactions.

The goal of these programs is to create a mindful culture around social engineering.  Some of the points your team needs to be aware of are:

  • Slow down. Scammers want you to act before you think.  If the message conveys a sense of urgency or fear, be skeptical.
  • Email addresses can be spoofed.  Even if an email appears to be coming from a trusted source, if it contains a suspicious request, talk to the sender in person or by phone. (Do not use the phone number listed in the email because if it is a phishing email, this may have been changed.)
  • Do not open any emails from untrusted sources.
  • Lock your computer (Windows key + L) whenever you are away from your workstation.
  • Ensure employees don’t allow a stranger into the building without adequate confirmation of their identity.
  • Beware of any download. Unless you know the sender personally AND are expecting a file from them, downloading anything could be a big mistake.
  • A link in an email may look legitimate, but if you hover over the link to see the URL, you can carefully examine where it will be taking you - be careful, there are good fakes out there!
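Two of the points above, a sender address that is not what the display name claims and a link whose visible text hides its real destination, can be checked by software rather than by eye. The following Python is an added example, not code from the original newsletter; it also flags a Reply-To address that would divert replies to a different domain than the sender’s, which is why the list above says not to trust contact details inside the email. The company domain, the trusted name and both messages are constructed for the example.

```python
"""Added example: automated checks for two phishing tells from the checklist
above. Every message, domain and name below is constructed for this example."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the business's own mail domain and the people attackers impersonate.
INTERNAL_DOMAINS = {"example-company.test"}
TRUSTED_NAMES = {"Dana Lee"}  # hypothetical CEO, as in the spear-phishing story above

# A domain-looking token inside visible link text (e.g. "portal.example-company.test").
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _domain_of_address(addr):
    """'user@host' -> 'host' (lowercased); empty string if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(msg):
    """Flag a From display name that claims a trusted person but comes from an
    outside domain, and a Reply-To that points replies at a different domain."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain_of_address(addr)
    trusted = {n.lower() for n in TRUSTED_NAMES}
    if name.strip().lower() in trusted and from_domain not in INTERNAL_DOMAINS:
        findings.append({"check": "display_name_spoof", "name": name, "address": addr})
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = _domain_of_address(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append({"check": "reply_to_mismatch", "from": from_domain, "reply_to": reply_domain})
    return findings


def check_links(html_body):
    """Flag links whose visible text names one host while the href goes elsewhere
    (the mismatch a reader would see by hovering over the link)."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = DOMAIN_RE.search(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != actual:
            findings.append({"check": "link_mismatch", "shown": shown.group(1).lower(), "actual": actual})
    return findings


def triage(raw_message):
    """Run both checks over one raw email message and return the list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return check_sender(msg) + check_links(html)


# Constructed sample: the "CEO is travelling" wire request, sent from an outside domain.
PHISHING_MESSAGE = """\
From: "Dana Lee" <dana.lee@mail-hosting.example>
Reply-To: dana.lee@webmail-free.example
To: accounts@example-company.test
Subject: Urgent wire while I'm travelling
Content-Type: text/html; charset=utf-8

<html><body><p>Please send the investor wire today. Details are in the portal:
<a href="http://portal.example-company.test.login-verify.example/">
portal.example-company.test</a></p></body></html>
"""

# Constructed sample: the same request from the real internal address with an honest link.
LEGITIMATE_MESSAGE = """\
From: "Dana Lee" <dana.lee@example-company.test>
To: accounts@example-company.test
Subject: Investor wire
Content-Type: text/html; charset=utf-8

<html><body><p>Details: <a href="https://portal.example-company.test/wires">
portal.example-company.test</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(PHISHING_MESSAGE):
        print(finding)
    print("legitimate message findings:", triage(LEGITIMATE_MESSAGE))
```

Run as a script, the phishing sample produces three findings (spoofed display name, diverted Reply-To, mismatched link) and the legitimate sample none. The link check only compares when the visible text itself looks like a domain, so ordinary "click here" links are not flagged; a real filter would add checks the page also mentions, such as attachment handling.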

2.  There are several layers of technical defenses that protect against social engineering:

  • Attackers want your credentials! If they succeed in stealing an employee’s password, having multi-factor authentication in place means the stolen password alone will not get them into your network.
  • Employ professional anti-virus/anti-malware software.  It’s very important that this software is kept up to date to fix any newly discovered vulnerabilities.
  • Set up your email software to filter out as much junk and spam email as possible.  This way the employee will see fewer potentially malicious emails.
  • Use strong and unique passwords.  By having a different password for each account, you ensure that if one of your passwords is compromised, attackers cannot use it to get into other accounts. We recommend using a password manager that can create and securely store your passwords.
  • Use an anti-phishing tool and a firewall.

Unfortunately, social engineering isn’t going away, but with employee training and proper use of the right technical solutions, you can protect your business.  A good IT Support company will have the expertise to help you assess your business’ needs and implement the best strategies.
