The Dangers of Social Engineering
You’ve worked hard to secure your business from threats. You have firewalls, an Intrusion Detection System, excellent policies, trustworthy staff, and frontline security. All safe? Not necessarily.
Social engineering is posing a legitimate threat to businesses and data across the country. In fact, it’s now the criminal hacker’s primary method of attack.
Social engineers use age-old techniques to commit high-tech crimes. They leverage the vulnerability of people to gain access to buildings and systems. A social engineer will do everything from posing as an employee who forgot their badge to using a false LinkedIn account to send malicious emails to employees. They take advantage of human kindness and the hesitancy to question things that seem a bit ‘off’ to gain access to even the most secure areas of an organisation.
Where Are You Vulnerable?
Social engineers manipulate people to gain information that is then used for malicious purposes. They often use a combination of online research and personal interactions to discover everything about your organisation: employee names and roles, suppliers, dress codes, phone numbers, email addresses, and even the next employee birthday. They use this information to penetrate the work site, access sensitive information, and exploit the organisation.
Anywhere with a human link is a potential vulnerability for social engineers to exploit. Phone lines, staff entrances, smoking areas, social networking sites, tech support requests, corporate charity programs, company emails, and all other human contact points represent risk.
Here are just a few of the ways social engineers work:
- Blagging/bohoing: a false story (often elaborate and appearing authentic) is used to obtain information from an employee, such as banking details or company records, or to have them make financial changes, transfer funds, give authorisation, or carry out other actions on the attacker’s behalf.
- Phishing: an email address that appears legitimate is used to demand confidential information under threat of serious consequences, or to implant malicious code. This can take the form of a court notice to appear, a fake delivery notice with a tracking link, or even an apparent Facebook message with a tempting link.
- In person: someone may claim to have forgotten their access card and ask to be let into the building. They may wear a company name badge, and look and sound like they belong. Once inside, they may proceed to let others in, access sensitive information, and install malware on company computers.
What Can You Do?
Awareness is an important defence. Inform all your staff of the risks from social engineering and of how criminals may try to gain information from them. This includes everyone from the CEO to the night cleaner. Give them permission to ask questions when something doesn’t seem right, to say ‘No’ when someone claims to have forgotten their badge and wants access, and to exercise caution when connecting through sites that offer workplace social media links and groups.
Social engineering scams are constantly evolving, so regular updates are essential. Keep your staff informed and protected. Ensure your systems are up to date with protective software, but understand that no single measure is a certain guarantee against an attack.