Today, social engineering is recognised as one of the greatest security threats facing organisations of all sizes.
Social engineering involves psychological manipulation and human interaction. It is an attack that centres on fooling unsuspecting employees into revealing confidential information or performing some action, like clicking on a link or transferring money. The request usually involves some violation of the organisation’s security policies and procedures.
Social engineering takes many forms. It often begins with a phone call or an email, but can also include text messages and even in-person dialogue. The attacker will attempt to establish legitimacy and gain the confidence of the employee by pretending to be a superior, like your company’s CEO, a co-worker at a remote office or a vendor or contractor.
Once the attacker has established credibility, which may take multiple contacts, they will ask for something, usually with a sense of urgency leading the victim (your employee) to promptly reveal sensitive information. Requests can be as simple as “I just need” something—someone’s schedule, a password, a username, PIN or even access to a building. Clicking a malicious link or opening a malicious file in an email can grant the attacker remote access to your network where they can access bank accounts, customer information, employee records and other corporate data. Requests can also be more blatant in terms of asking for payment for services or credit card information.
While it may be time-consuming and expensive, your staff needs to be trained and regularly retrained on what red flags to look for and how to report suspicious activity. More and more organisations are finding that educating employees about threats is more effective and important than hardware and software defences.
Training can include teaching employees to be wary of unsolicited communications. They need to know how to verify that a caller asking for information is really a co-worker by getting their number from the company directory and calling them back. The same tactic can be used when requests come from so-called vendors. If it’s a legit communication, the caller won’t mind.
Teach employees simple methods to recognise threats, such as hovering the mouse over a link to reveal its real destination, and how to read an email address or domain name. Look for links in emails with misspelled URLs, such as blackb0x.com (a zero in place of the letter o). Other tip-offs are poor spelling and grammar, an offer that seems too good to be true, or even a threat if the request isn’t met. Employees shouldn’t click on any suspicious email or link and may want to forward it to an information security mailbox.
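The two red flags above, a lookalike domain such as blackb0x.com and a link whose visible text differs from where it actually points, are exactly what a mailbox filter for a security team can check automatically. The following is an added example, not code from the original article, showing how such a check could be written for messages forwarded to an information security mailbox. The trusted-domain list, the HTML email body and the domain `not-the-bank.example` are constructed for illustration; only blackb0x.com comes from the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the (hypothetical) organisation treats as legitimate.
# The check below assumes these contain no digits, so digit-for-letter undoing is safe.
TRUSTED_DOMAINS = {"blackbox.com", "example-bank.com"}

# Digit/symbol-for-letter swaps used to imitate a legitimate name
# (the article's own example is blackb0x.com, a zero in place of the letter o).
LOOKALIKE_MAP = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "@": "a"}
)

URL_IN_TEXT = re.compile(r"https?://\S+")


def registrable_domain(url):
    """Return the lower-cased host of a URL without a leading 'www.' ('' if none)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(LOOKALIKE_MAP)
    if normalised in TRUSTED_DOMAINS:
        return normalised
    # A trusted name used as a subdomain of something else, e.g. blackbox.com.evil.example
    for trusted in TRUSTED_DOMAINS:
        if domain.startswith(trusted + ".") or normalised.startswith(trusted + "."):
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return (href, reason) for each link that trips a red flag; an empty list means none."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        domain = registrable_domain(href)
        imitated = lookalike_of(domain)
        if imitated:
            findings.append((href, f"domain {domain} imitates trusted domain {imitated}"))
        # The "mouse-over" check: the text shows one URL, the link goes somewhere else.
        shown = URL_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group()) != domain:
            findings.append((href, f"link text shows {registrable_domain(shown.group())} "
                                   f"but the link points at {domain}"))
    return findings


# Constructed sample email body with one legitimate link and two suspicious ones.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.blackbox.com/portal">Open the employee portal</a><br>
<a href="https://blackb0x.com/login">Reset your password</a><br>
<a href="http://login.not-the-bank.example/x">https://example-bank.com/secure</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample body, the first link passes and the other two are reported: the second because blackb0x.com normalises to the trusted blackbox.com, the third because the displayed URL names example-bank.com while the link itself goes to a different host. A real deployment would key the allowlist off the organisation's own domains and its known vendors, which is the same list employees are told to verify against by phone.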
Don’t forget social media either. Employees access Facebook, LinkedIn and Twitter from their mobile devices and work computers. Social media is so easy to use that people lower their guard. It’s really a no-trust environment. It’s too easy for employees to share too much information on public websites. Establish social media ‘Dos and Don’ts’ training to teach users how to protect themselves—and your company.
People are the weakest link in your company’s security program because they’re generally trusting and helpful. This basic human nature is the vulnerability that is exploited in a social engineering attack. Based on findings from security engineers and penetration testers, social engineering is often the easiest way into an organisation. It’s up to you to make sure employees are aware of the dangers.