You can have top-notch technical security in place and still be exposed to one danger: social engineering. It is the oldest trick in the book, yet many people have never heard the term. The more familiar word is ‘con’: the art of manipulating people into taking certain actions or divulging private information. Social engineers are a type of attacker who skip the hassle of writing code and go straight for the weakest link in your defenses: your employees. This is a threat that technology alone cannot fully mitigate; controls such as call-back verification and a second approval for payments help, but it is training that makes people actually follow them. A phone call, a cheap disguise or a casual email may be all it takes to gain access, despite solid technical protections. Here are just a few examples of how social engineers work:
Email: Pretending to be a co-worker or customer who ‘just quickly’ needs a certain piece of information: a shipping address, a login, a contact or a personal detail that they pretend they already know but simply don’t have in front of them. The email may even tell you where to get the data from. The attacker may also create a sense of urgency, or hint that they will get in trouble without this information. Your employee is naturally inclined to help and quickly sends a reply.
A common current example is a fake email from the boss instructing an assistant to wire money to a certain account number (often called CEO fraud or business email compromise). The assistant may be wary of bothering the boss, or simply too busy to confirm the request by phone or in person, so they just do it.
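The email impersonation described above lends itself to a few mechanical checks that a mail gateway, or a cautious assistant, can apply before any money moves. The following Python script is an added example and is not part of the original post: it parses a raw message, compares the friendly display name against the real sender domain, flags a lookalike domain (digits standing in for letters, or the company name buried inside a longer domain), flags a Reply-To that points somewhere other than the visible sender, and looks for the urgency-plus-payment wording typical of these requests. The organisation domain example-corp.com and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation domain, assumed for this example.
ORG_DOMAIN = "example-corp.com"

# Wording that, in combination, is typical of CEO-fraud requests.
URGENCY_WORDS = ("urgent", "right away", "immediately", "today", "asap")
PAYMENT_WORDS = ("wire", "transfer", "invoice", "account number", "gift card")

# Common digit-for-letter substitutions used in lookalike domains.
_SUBST = str.maketrans("103", "loe")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalize(domain: str) -> str:
    """Undo the usual lookalike tricks: 1->l, 0->o, 3->e, rn->m."""
    return domain.lower().translate(_SUBST).replace("rn", "m")


def lookalike(candidate: str, org_domain: str) -> bool:
    """True if candidate differs from org_domain but is easily confused with it."""
    candidate, org_domain = candidate.lower(), org_domain.lower()
    if candidate == org_domain:
        return False
    if normalize(candidate) == normalize(org_domain):
        return True
    # The company's own label inside a longer domain, e.g. example-corp-payments.com
    return org_domain.split(".")[0] in candidate


def assess_message(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # 1. A friendly display name on an address outside the organisation.
    if from_name and from_domain and from_domain != org_domain.lower():
        findings.append(f"external address {from_addr} shown as '{from_name}'")
    # 2. A domain built to be misread as ours.
    if from_domain and lookalike(from_domain, org_domain):
        findings.append(f"lookalike domain {from_domain} (vs {org_domain})")
    # 3. Replies silently routed to a different mailbox than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    # 4. Pressure plus a payment instruction in the body text.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent payment request in body")

    return {"from": from_addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real mail): a CEO-fraud style request and a benign internal one.
BEC_SAMPLE = """\
From: Jane Boss <jane.boss@examp1e-corp.com>
Reply-To: jane.boss.ceo@webmail-example.net
To: assistant@example-corp.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Hi, I'm in a meeting and can't talk. I need you to wire 48,200 to the
supplier today; the account number is in the attached invoice. Please do it
right away and confirm. Sorry to bother you but this is urgent.
"""

INTERNAL_SAMPLE = """\
From: Jane Boss <jane.boss@example-corp.com>
To: assistant@example-corp.com
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Could you circulate the agenda for Thursday's planning meeting? Thanks.
"""

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, INTERNAL_SAMPLE):
        result = assess_message(sample)
        print(result["from"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

Two or more findings mark a message as suspicious. These are heuristics: they catch spoofed and lookalike senders, but not a request sent from the boss's genuinely compromised mailbox, which is exactly why confirming the request out of band still matters.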
Phone: Posing as IT support, a government official or a customer, the attacker quickly manipulates your employee into changing a password or giving out information. These attacks are harder to identify, and the caller can be very persuasive, even using background sound effects such as a crying baby or call-center noise to trigger empathy or trust. To defeat this scam, your employees must stick to a protocol of authenticating the person on the other end of the line before giving out sensitive information or making account changes, no matter how urgent or upset the caller sounds. The simplest version is to hang up and call back on a number already on file, never on a number the caller supplies.
Anecdotally, we were recently able to reset a customer’s AOL password simply because the customer on the other end of the line sounded very distressed. The AOL rep got their manager on the line, who overrode the requirement to verify identity first. We were doing this honestly, but an attacker could very well take advantage of this weakness to take over your AOL account!
In person: A delivery driver’s uniform gets past most people without question, as does a repairman’s. The social engineer can then quickly move into sensitive areas of your business. Once inside, they are essentially invisible, free to plant a network listening device, read a Post-it note with a password on it, or tamper with your business in other ways. I have seen this one first-hand: I have been able to walk right past receptionists wearing my work uniform with no questions asked!
It is impossible to predict when, where or how a social engineer will strike. The above attacks are not particularly sophisticated, but they are extremely effective. Your staff have been trained to be helpful, and that helpfulness can also be a weakness. So what can you do to protect your business? First, recognize that not all of your employees have the same level of interaction with outsiders: the front desk clerk taking calls all day is at higher risk than the factory worker, for example. We recommend cyber-security training for each level of risk identified, focused on how to respond to the scenarios that group is likely to face. Social engineering is too dangerous to take lightly, and far too common for comfort.