The FBI says social engineering is designed to get you to let your guard down. It goes on to say it is a common technique criminals, adversaries, competitors, and spies use to exploit people and computer networks. Why? Because it doesn’t require technical skills.
Social engineering attacks use deception to manipulate the behavior of people. The goal is to talk the person into divulging confidential, personal, and protected information. Once they have this information, the scammers use it to go after their final target, which can be anything from stealing sensitive data to making disparaging remarks about a person, a political candidate, or even a brand.
In the past these very same criminals might have been called con artists or grifters, but the premise is the same: gain the trust of the person being scammed.
The one thing you should know about social engineering attacks is that they are always evolving. For this reason, you have to train your employees on a regular basis, because you never know what the next form of attack will be.
Some of the types of attacks which criminals use are:
Pretexting – Attackers pretend to need personal or financial information to confirm the identity of the recipient.
Water-holing – Attackers infect a website to compromise people who frequently visit that site to gain network access.
Diversion Theft – The scammers intercept the transaction and trick delivery or courier companies into dropping a package at the wrong address.
Quid Pro Quo – As the name implies attackers promise the victim something in return for information or help.
Phishing and SMishing – Phishing attacks use email and SMishing uses text messages to get the end-user to click on a malicious link or download. Considering 91% of successful attacks start out as a phishing email, it is especially important to increase awareness of these types of attacks.
Honey Trap – Attackers pretend to be an attractive person and start a fake online relationship to get sensitive information.
Baiting – Attackers leave a malware-infected device, such as a flash drive, in a place where it can be found easily. When the drive is connected to a computer, it installs the malware.
These are just some of the social engineering attacks scammers use, but there are others, and undoubtedly the criminals are creating new ones this very moment.
Awareness is key for protecting your business against all forms of attack, whether in the physical or the digital world. Social engineering attacks, after all, rely on the complacency of the people they target.
With that in mind, you have to eliminate the behaviors that are responsible for any complacency in your organization. This means going against innate traits people have, such as trust and a willingness to help others. Given these points, you have to insist your employees verify, verify, verify.
The three-step system for verifying a request comes from Kevin D. Mitnick, a real-life hacker, and his book, “The Art of Deception: Controlling the Human Element of Security.”
At first glance, this may seem simplistic. However, if someone you don’t know is requesting information, you will know who they are if you follow the steps.
1. When someone requests information, tell your employees to verify the person is who they claim to be.
2. Make sure they are currently working at the company or they have a need-to-know affiliation with the organization.
3. Before you give out the information, make sure they are authorized to make such a request.
With these three simple steps, your data will never be given out to the wrong person. It is worth repeating: your employees can’t be lax in following these steps, nor can they make any changes to them.
Some of the other ways you and your employees can protect yourselves and the business include:
· Your data can be used against you, so stop revealing facts about your personal life and that of the business to strangers. Be especially careful on social media channels.
· Scrutinize all email requests until you know for sure who the sender is. Remember, even the emails you receive from friends and associates could be fake.
· If you suspect the person who is trying to get information is a scammer, don’t hesitate to be stern or rude if necessary.
· Increase awareness in your organization with frequent cybersecurity training sessions and learning about the latest scams.
· Continually review the processes and procedures for important transactions.
· Don’t reuse your passwords and implement a password change policy across the organization.
The criminals are going to throw everything at your employees to get them to overlook a step, and the second they do, your data is in danger.
Strong, strict governance with accountability can make this work. Best of all, it won’t cost you anything.