Social engineering is a modern-day method of attack that uses social conditioning and the trusting nature of humans to infiltrate networks, gain access to systems and steal confidential information from organizations and businesses. It isn't the tech-savvy hacker who figures out how to get around the firewall and crack passwords. This is someone who uses the art of persuasion to manipulate employees, even yours, into giving out passwords and unlocking confidential corporate and customer information.
Three Methods of Social Engineering to Look For
- Spoofed Telephone Numbers. With a socially engineered attack, one may receive a phone call from a spoofed number. Caller ID spoofing is the practice of causing the telephone network to indicate to the receiver of a call that the call originates from a station other than the true originating station. For example, a caller ID display might show a phone number different from the one from which the call was placed. The message from this spoofed number might be: "This is Apple, and I'm calling to let you know that there is a virus outbreak in your area. I've been charged with notifying customers in the Philadelphia area. I need to log onto your phone and apply a patch." Many iPhone owners may think that because the phone call claims to be from Apple Customer Support, it is indeed Apple, and will provide their login information.
- Phishing. With this type of attack, the bad guy creates a misplaced sense of trust between themselves and the recipient by impersonating a colleague or boss well known to the recipient in order to gain access to login information or other confidential data. Imagine an HR person receiving an email from their "boss" asking them to send the W-2 forms of every employee in the company for an audit the boss is doing. Thinking it's the boss, the HR person sends the files.
- Closing the Deal. A salesperson receives an email from a scammer disguised as a legitimate customer, requesting pricing for goods or services the company offers, along with a purchase order. Believing they have just made a nice new business deal, the salesperson processes and ships the order, and 30 days later the invoices are emailed. However, the email address for this bad guy no longer exists.
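The "boss" phishing pattern above is one that mail filtering can catch on the defender's side: the display name matches a known internal person, but the address behind it is not that person's, the domain merely resembles the company's, or the Reply-To points elsewhere. The following is an added example, not code from the original post or from Fraser; the domain, the staff directory and the sample message are constructed for illustration.

```python
import difflib
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed: the company's own mail domain

# Constructed directory: display name -> the only address that name should use.
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",  # e.g. the CEO
    "Sam Lee": "sam.lee@example.com",    # e.g. the CFO
}

def _norm(name: str) -> str:
    """Case- and whitespace-insensitive form of a display name."""
    return " ".join(name.lower().split())

def lookalike_domain(addr: str) -> bool:
    """True if the sender domain is not ours but closely resembles it."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio() >= 0.8

def check_headers(headers: dict) -> list:
    """Return the reasons a message looks like the 'boss' impersonation pattern."""
    expected = {_norm(k): v.lower() for k, v in DIRECTORY.items()}
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    reasons = []
    # Known internal name, but the address is not the one on record for it.
    if _norm(name) in expected and addr != expected[_norm(name)]:
        reasons.append(f"display name '{name}' is an internal person but sender is {addr}")
    # Domain differs from ours by only a character or two (typosquat).
    if lookalike_domain(addr):
        reasons.append(f"sender domain resembles {INTERNAL_DOMAIN}")
    # Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        reasons.append(f"Reply-To {reply} differs from From {addr}")
    return reasons

# Constructed sample: the W-2 request scenario, sent from a free-mail address.
SAMPLE = {"From": "Jane Doe <jane.doe.ceo@mail-example.net>",
          "Reply-To": "jane.doe.ceo@mail-example.net",
          "Subject": "Urgent: W-2s for audit"}

if __name__ == "__main__":
    for reason in check_headers(SAMPLE):
        print("FLAG:", reason)
```

A flagged message is a candidate for quarantine or an "external sender" banner, not proof of fraud; a genuine executive mailing from a personal account will trip the same check, which is exactly the behaviour the training above tells staff to verify by phone.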
All of these social engineering tactics are real and happen every day. The primary defense for any company against them is ongoing education. Fraser offers training programs that provide a series of classes that will educate employees on social engineering and tell them what to look for to keep your business safe. Not only do they educate, but they also test the employees. Unbeknownst to employees, they will receive simulated fraudulent emails. When employees click on them, the system will create a page that informs them this was fraudulent and what to look for in the future to protect themselves. The system also provides reporting for management, allowing them to track improvements and identify who may need additional training to prevent falling victim to these attacks.
Three Ways To Protect Your Business From Socially Engineered Attacks
- Reject offers of help. Legitimate operations don't contact you to offer help unless you specifically ask for it. When you receive an email offering to improve your credit score, help you get a loan, bring down credit card debt or something similar, consider it a scam. This also applies to requests for donations to charitable organizations with which you don't have a relationship. When you get these, delete them. If you believe it may not be a scam, call the company and ask if they are sending these service offers via email. More than likely, the answer is no.
- Set spam filters at high levels. All email programs provide spam filtering. Most of the time, these settings are available under your account settings. Set them high! Remember to check your spam folders regularly in case a legitimate email gets caught in the spam filter.
- Secure online devices. Install anti-virus software, firewalls and email filters, and update them regularly. Set your operating system to update automatically, ensuring that you're using the most up-to-date version. Operating system patches are most often distributed in periodic updates. Do the same with your smartphone, and always update it when you receive an update. There are even anti-phishing tools you can use from third parties.
Today's socially engineered attacks are really no different from the old-school scams of the past. They just use technology to cast the net. At Fraser, we provide our employees ongoing training on socially engineered attacks and test often, and our employees continually raise the bar in spotting these attacks. If you value your company data, this training is imperative for all employees. Contact us today to get your company set up and protected.