Social Engineering: Can You Be Too Nice?
Hackers use social engineering to gain access to your sensitive data, systems and facilities. What are the common types of attacks, and how can you stay safe?
Kevin Mitnick, one of the most prolific hackers of the 20th century, spent time in prison in the 1990s after eluding the FBI for years. Today, Mitnick uses his hacking prowess to help businesses protect their networks from modern digital dangers — as well as from a threat that’s been around for decades.
Social engineering refers to obtaining sensitive information through manipulation or deception. Your organization may have extensive security to protect your proprietary data, including the right firewalls, antivirus protection and password best practices. But today’s hackers may break through your defenses using a weakness you might not expect: your basic human decency.
What are the primary forms of social engineering, and how can you avoid becoming a victim? We asked three leading IT service professionals to share their insights.
Types of Social Engineering Attacks
Rather than using technical means of hacking into computer systems and networks, social engineering incorporates knowledge of human emotions and psychology to gain access to data, computer systems or even secured areas of buildings.
Social engineers may use any of a variety of techniques — or a combination of them — to target your employees, according to Bill Tobey of North Carolina IT company HitsTech. Frequently used techniques include:
- Visiting your office in person. A social engineer may use tactics such as dressing as a delivery person and asking an employee to hold the door as they leave the building. Adept criminals using social engineering techniques may spend months researching your business and your sites to find a way inside.
- Contacting you by phone or emailing you. Social engineers often use the phone or email — via phishing attacks — to pose as an employee or as someone with authority, such as a government auditor or a police officer.
- Leveraging your online presence. Social networking has provided an easy way for social engineers to gather information and stage their attacks. Through platforms like Facebook and LinkedIn, would-be criminals can gather detailed information that may prove useful in an attack against your organization.
Social engineers also may use holidays, breaking news, pop culture or personal details gained from social media to fool victims. Armed with the right information, a social engineer may succeed in targeting one of your employees and persuading them to complete an undesirable action — such as installing a piece of ransomware or sharing sensitive data.
Preventing and Responding to Attacks
Earl Foote, a cybersecurity specialist with Nexus IT in Park City, UT, says that social engineering attacks come in many flavors, but one should be of particular concern for executives: scams that compromise business email. Through social engineering techniques — such as targeting your IT services provider — an attacker may gain access to the email account of your CEO or other top executives. With access to that important email account, the scammer can wreak havoc in a number of ways, including contacting employees to request financial transactions.
What actions can you take today to minimize the chances of a potentially damaging social engineering attack? The top method for thwarting social engineers is educating your employees about the dangers. Make sure your team members understand common social engineering tactics as well as your organization’s authentication requirements online, over the phone and in person.
Social engineering attacks often work because the criminal appeals to the basic decency of the victim. By posing as a new employee in need of a login or a team member who has lost their ID badge, for instance, attackers may gain the sympathy of employees, who then let their guard down.
In addition to educating your team, says Lance Stone of On Time Tech in San Francisco, consider conducting a formal review of your existing procedures for important business functions, including financial transfers. By implementing measures such as separating duties among several employees, you gain extra protection against financial loss. You also may consider whether urgent requests — even those arriving from the CEO’s email account — should trigger additional safety checks before anyone takes action.
As you review your procedures, take a look at your process for responding to incidents of phishing and other incursions into your online systems or physical facilities. By seeking out potentially vulnerable processes — and making team members aware of the potential costs of being too trusting — you may head off costly social engineering attacks.