Social Engineering, by Oxford definition, is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” This devious approach to acquiring information is often overlooked because it can range from a polite five-minute “sales” call to a more in-depth, multi-pronged scam involving several of your employees and a team of scam artists.
It’s common to hear about scams that take advantage of the elderly or flood your inbox—but did you know that businesses are common targets for these thieves as well? Think about how you run your business and communicate with your customers: e-mail, phone, in-person conversation. Social engineering takes advantage of these communication streams, and often an honest employee, and leaves everyone at your business vulnerable. The good news is, with a little education and support, your employees can be aware of social engineering tactics and how to overcome them.
E-mail is a perfect, easy tool for social engineers to target everyone at a business (phishing) or one specific person (spear phishing). It can be widespread and anonymous or on-point and very familiar, sometimes posing as vendors or networking contacts. E-mails can be manipulated to look like they are from a trustworthy source (familiar name/company, logo, layout, etc.), but it can all be a facade designed to make you react and trust quickly. Here are some questions your employees should ask themselves to help slow down their reaction time and identify red flags in e-mail communication:
Social engineering that creates a fake scenario is called “Pretexting.” This happens a lot over the phone. Imagine this happening at your business: A call comes in and someone claims to be from the IT department within your organization. They start asking questions and extracting information. It’s often done very stealthily. The “IT department” impostor may instruct you to verify yourself by asking for your user ID and/or password (which they can then use to get into your company systems). They may also try these pieces of information in other systems (people tend to use the same user IDs and passwords for multiple systems). If you use the same user ID and/or password for your e-mail, they can compromise that to gather more information about you, as well as compromise your contacts and start to phish them. All the while, you are continuing on with your normal work day.
Another example is when the impostor pretends to be an outside sales professional. They call, and through a few innocent questions, gather system information such as which applications your business runs. This information is then used to look for vulnerabilities in those applications, and exploitation of those vulnerabilities may lead to internal system and information access.
Or they can call with anger, authority, or urgency to put you into panic mode. Remember, remain calm, get their phone number to call back, and research the call before you give any details.
In-person attacks can look very different. It can take the form of someone “piggybacking” into a restricted area behind a person who has proper credentials. Sure, you want to be kind and hold the door, but scammers depend on it. Or perhaps someone claims to be with the phone or cable company. Would you let them in? Anyone legitimately seeking access to a restricted area will have a form of ID, which you should verify. Your co-workers will be glad you did.
It can also take the form of a USB drive found in the parking lot, where the curiosity to see what is on that drive is hard to resist. Want to see what’s on it? Don’t. Resist. You must, to protect your computer’s data and information.
How about information you throw away? Papers and files that are thrown away can be retrieved from your garbage as it sits outside to be picked up. Details on vendor bills or communications with co-workers can be used for pretexting or e-mail scams later. Scammers will use whatever they can find to help themselves look familiar and fly under the radar.
Your customers depend on you and your employees to protect their information that was shared with you in good faith to do business. Your reputation can depend on everyone in the organization thinking about how they interact with people across all types of communication. Prepare and educate your teams—you never know who the next caller may be or where the next e-mail may come from.