Social engineering is a method of attack that exploits human trust and habit, rather than flaws in software, to infiltrate networks, gain access to systems and steal confidential information from organizations and businesses. The attacker isn't necessarily a tech-savvy hacker who figures out how to get around the firewall and crack passwords. This is someone who uses the art of persuasion to manipulate employees - even yours! - into giving out passwords and unlocking confidential corporate and customer information.
Three Methods of Social Engineering to Look For
- Spoofed Telephone Numbers. With a socially engineered attack, one may receive a phone call from a spoofed number. Caller ID spoofing is the practice of causing the telephone network to tell the receiver of a call that it originates from a station other than the true originating station; the caller ID display shows a number different from that of the telephone the call was actually placed from. The message from this spoofed number might be "this is Apple, and I'm calling to let you know that there is a virus outbreak in your area. I've been charged with notifying customers in the Philadelphia area. I need to log onto your phone and apply a patch." Many iPhone owners, seeing that the call appears to come from Apple Customer Support, may assume it truly is Apple and provide their login information. A caller ID display is not proof of who is on the line: hang up and call the company back on the number printed on its website or your statement, never on a number the caller gives you.
- Phishing. With this type of attack, the bad guy creates a false sense of trust by impersonating a colleague or boss well known to the recipient, in order to obtain login information or other confidential data. Imagine an HR person receiving an email from their "boss" requesting the W-2 forms of every employee in the company for an audit. Thinking it's the boss, the HR person sends the files. The tell is usually in the headers: the display name says "boss" but the actual address is on a free-mail or look-alike domain, or the Reply-To points somewhere else entirely. Any request for payroll data, wire transfers or credentials should be confirmed by phone or in person, not by replying to the email.
- Closing the Deal. A salesperson gets an email from a bad guy posing as a legitimate customer, requesting pricing for goods or services the company offers, along with a purchase order. Believing they just landed a new account, the salesperson gets the order processed and shipped, and 30 days later the invoices are emailed, only the bad guy's email address no longer exists. Check new customers before extending credit: verify the ship-to address and contact details through a phone number you look up yourself, and be wary of sender domains that are newly registered or one character off from the real customer's.
All of these social engineering tactics are real and happen every day. The primary defense for any company against them is ongoing education. Fraser offers training programs through KnowBe4 that provide a series of classes to educate employees on social engineering and show them what to look for to keep your business safe. Not only do they educate, but they test the employees as well! Unbeknownst to employees, they will receive simulated phishing emails, and when employees click on them, the system creates a page that tells them the email was a test and what to look for in the future to protect themselves. The system also provides reporting for management so they can track improvement in resisting these attacks, as well as who may need more training.
Three Ways To Protect Your Business From Socially Engineered Attacks
- Reject unsolicited offers of help. Legitimate businesses don't contact you to offer help unless you specifically ask for it. When you receive an email offering to improve your credit score, help you get a loan, bring down credit card debt or something similar, consider it a scam. This also applies to requests for donations from charitable organizations that you don't have a relationship with. When you get these, delete them. If you believe it may NOT be a scam, look up the company's phone number yourself and call to ask whether they are sending these offers out via email. More than likely, the answer is no.
- Set spam filters at high levels. Nearly all email programs and services provide spam filtering, usually found under your account settings. Set them high! Remember to check your spam folder regularly in case a legitimate email gets caught in the filter.
- Secure your devices. Install anti-virus software, firewalls and email filters and keep them updated. Set your operating system to update automatically so that you're always running a patched version; vendors distribute most fixes in periodic updates. Do the same with your smartphone, and install updates as soon as you are prompted to. Third-party anti-phishing tools, such as browser extensions and email add-ons, can add another layer.
Today's socially engineered attacks are really no different from the old-school scams of the past. They just use technology to cast a wider net. At Fraser, we provide our employees ongoing training on socially engineered attacks and test often, and our employees continually raise the bar in spotting these attacks. If you value your company data, this training is imperative for all employees. Call us today so we can get your company set up and protected.