Social Engineering: Are Your Employees Prepared?

Social Engineering, by Oxford definition, is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” This devious approach to acquiring information is often overlooked because it can range from a polite five minute “sales” call to a more in-depth, multi-prong scam involving several of your employees and a team of scam artists.

It’s common to hear about scams that take advantage of the elderly or flood your inbox—but did you know that businesses are common targets for these thieves as well? Think about how you run your business and communicate with your customers: e-mail, phone, in-person conversation. Social engineering takes advantage of these communication streams, and often an honest employee, and leaves everyone at your business vulnerable. The good news is, with a little education and support, your employees can be aware of social engineering tactics and how to overcome them.


Digital Tactics
Take your time and really think.

E-mail is a perfect, easy tool for social engineers to target everyone (phishing), or one specific person (spear phishing) at a business. It can be widespread and anonymous or on-point and very familiar. Sometimes posing as vendors or networking contacts. E-mails can be manipulated to look like they are from a trustworthy source (familiar name/company, logo, layout, etc.), but it can all be a facade to get you to react and trust quickly. Here are some questions your employees should ask themselves to help slow down their reaction time and identify red flags in e-mail communication:

  • Am I expecting this type of email and do I recognize who this is from? Watch spelling, scammers try to mock common websites or company names with slightly altered spelling.
  • Does this email apply to my job? Yes, you may have a personal social media account, but did you use your work e-mail address when you signed up for that account? Hopefully not! Since people manage multiple e-mail accounts, it can get confusing. Make sure you recognize which e-mails are appropriate.
  • Use your mouse and hover over links. Is the address it shows the same address it states it will take you to? Example: Your password is about to expire for XYZ Bank and you must change it now or you will lose access to your account. But when you hover over the link it does not take you to the real address, but to or something else unrecognizable.
  • The emails are usually designed with a sense of urgency. This is to catch you off guard and have you react before you think. They also can be sent at the end of normal business days to have the same effect. You are trying to leave the office and an e-mail comes in late in the day, so you just click to see what it is before you go home.
  • Is there an attachment? Opening an attachment infected with a virus can quickly affect the entire company, your company’s security, and your customers’ information.


Phone Tactics
Do you really know who is on the other end?

Social engineering that creates a fake scenario is called “Pretexting.” This happens a lot over the phone. Imagine this happening at your business: A call comes in and someone claims to be from the IT department within your organization. They start to ask questions and extracting information. It’s often done very stealthily. The “IT department” impostor may instruct you to verify yourself by asking for your user ID and/or password (which they then can use if they get access to your company systems). They may also try these pieces of information in other systems (people tend to use the same user IDs and passwords for multiple systems). If you use the same user ID and/or password for your email, they can compromise that to gather more information about you as well as compromise your contacts and start to phish them. All the while, you are continuing on with your normal work day.

Another example is when the impostor pretends to be an outside sales professional. They call, and through a few innocent questions, gather system information such as which applications your business runs. This information is then used to look for vulnerabilities in those applications, and exploitation of those vulnerabilities may lead to internal system and information access.

Or they can call with anger, authority, or urgency to put you into panic mode. Remember, remain calm, get their phone number to call back, and research the call before you give any details.


In-Person Tactics
They don’t always hide or look like you think.

In-person attacks can look very different. It can take the form of someone “piggybacking” into a restricted area with someone in front of them that had proper credentials. Sure, you want to be kind and hold the door, but scammers depend on it. Or perhaps someone who claims to be with the phone or cable company. Would you let them in? Anyone looking to gain access to a restricted area will have a form of ID, which you should verify. Your co-workers will be glad you did.

It can also take the form of USB drives found in the parking lot and the curiosity to see what is on that drive is hard to resist. Want to see what’s on it? Don’t. Resist. You must to protect your computer’s data and information.

How about information you throw away? Papers and files that are thrown away can be retrieved from your garbage as it sits outside to be picked up. Details on vendor bills or communications with co-workers can be used for pretexting or e-mail scams later. Scammers will use whatever they can find to help themselves look familiar and fly under the radar.


Education is key to protecting information and empowering your employees.

Your customers depend on you and your employees to protect their information that was shared with you in good faith to do business. Your reputation can depend on everyone in the organization thinking about how they interact with people across all types of communication. Prepare and educate your teams—you never know who the next caller may be or where the next e-mail may come from.