Social engineering is the art of exploiting human psychology to gain access to data, systems, or buildings. Have you ever received an email saying your computer needs critical system updates? Or a call from the 'government' stating that you owe money? These are social engineering tactics designed to manipulate a person's emotions so that they willingly hand over private information, such as credentials, or grant access to sensitive data.
How dangerous can it be?
Social engineering preys on victims' fears: fear that a bill is past due, or fear that a critical system update is needed and credentials must be entered to get it. Malicious actors strike without discrimination, whether the target is an entry-level employee who clicks a malicious link from a sender they believe is a coworker, or an accounting clerk who receives a request to wire funds to a specified account from someone impersonating the CEO.
Real-life examples are commonplace. In a notorious 2016 campaign, Russian state-sponsored hackers tricked Hillary Clinton's campaign chairman, John Podesta, with a fake 'account reset' email that appeared to come from Google. Podesta entered his credentials, giving the threat actors access to his emails, which were subsequently leaked and may have influenced the presidential election.
A scam still active in 2020 targets Office 365 users: the victim receives an email asking them to open a shared OneDrive or SharePoint file. The enclosed link leads to a counterfeit Office 365 login page that captures whatever credentials are entered. A captured account can expose personal or customer data and financial records, and can serve as a foothold into the rest of the business's systems.
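The link in that Office 365 scam is the part a technical control can catch before a user does. Below is an added example (not part of the original article, and not a product of the firm it mentions) of the kind of check a mail filter or awareness tool can run over an HTML email body: it extracts every link, accepts only a hand-picked allowlist of Microsoft sign-in and sharing hosts, and flags the two tricks the scam relies on, a trusted brand name planted in a subdomain or path of an attacker's domain, and link text that names a different host than the href actually visits. The allowlist and the sample email are constructed for this example.

```python
"""Flag look-alike Office 365 sign-in links in an HTML email body.

Added example (not from the original article). It assumes a constructed
sample email and a hand-picked allowlist of Microsoft hosts; a real
deployment would maintain its own allowlist.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate Microsoft 365 sign-in and sharing hosts (assumed allowlist).
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.microsoft.com",
                 "onedrive.live.com", "1drv.ms"}
# Tenant SharePoint hosts look like contoso.sharepoint.com.
TRUSTED_SUFFIXES = (".sharepoint.com",)
# Brand tokens an attacker plants in a subdomain or path to look familiar.
BRAND_TOKENS = ("microsoft", "sharepoint", "onedrive", "office365", "o365")
# Something like "login.microsoftonline.com" shown as plain link text.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted_host(host):
    return host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES)


def host_in_text(text):
    """Hostname the visible link text appears to name, if it looks like one."""
    t = text.strip().lower()
    if "://" in t:
        try:
            return (urlparse(t).hostname or "").rstrip(".") or None
        except ValueError:
            return None
    candidate = t.split("/")[0]
    return candidate if HOST_RE.match(candidate) else None


def classify_link(href, text):
    """Reasons a link is suspicious; an empty list means it passed."""
    try:
        parsed = urlparse(href.strip())
    except ValueError:
        return ["malformed URL"]
    if parsed.scheme not in ("http", "https"):
        return []  # mailto:, tel: and friends are out of scope here
    host = (parsed.hostname or "").rstrip(".").lower()
    if not host:
        return ["malformed URL: no host"]
    if is_trusted_host(host):
        return []
    reasons = [f"untrusted host {host}"]
    # A trusted brand placed in the attacker's subdomain or path, e.g.
    # login.microsoftonline.com.attacker.example or /onedrive/signin.php.
    hits = [t for t in BRAND_TOKENS if t in host or t in parsed.path.lower()]
    if hits:
        reasons.append(f"look-alike: brand tokens {hits} on untrusted host")
    shown = host_in_text(text)
    if shown and shown != host:
        reasons.append(f"text/href mismatch: text shows {shown}, href goes to {host}")
    return reasons


def scan_email_html(html):
    """Return (href, text, reasons) for every link that raised a reason."""
    extractor = LinkExtractor()
    extractor.feed(html)
    extractor.close()
    return [(href, text, classify_link(href, text))
            for href, text in extractor.links if classify_link(href, text)]


# Constructed sample: one genuine SharePoint share and two phishing links.
SAMPLE_EMAIL = """
<p>Hi, I shared the Q3 invoices with you.</p>
<p><a href="https://contoso.sharepoint.com/:x:/g/personal/q3.xlsx">Open in SharePoint</a></p>
<p><a href="https://login.microsoftonline.com.account-verify.example/login">login.microsoftonline.com</a></p>
<p><a href="https://files-share.example/onedrive/signin.php">https://onedrive.live.com/redir</a></p>
<p><a href="mailto:it-help@contoso.example">Contact IT</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        print(f"{href}\n  text: {text!r}\n  " + "\n  ".join(reasons))
```

Run stand-alone, the script reports only the two phishing links: the genuine tenant SharePoint share passes the suffix check and the mailto: link is ignored. Note that the allowlist compares whole hostnames, which is what defeats the "microsoftonline.com" subdomain trick; a naive `"microsoft" in url` check would accept both phishing links.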
Training Employees is Key to Success
People are the first line of defense when it comes to securing your business, so make sure they are trained to recognize social engineering when it happens and to take appropriate action: verify the request through a separate channel and report it rather than complying. You can run test phishing campaigns, provide social engineering tutorials, or hire a cyber security company that specializes in social engineering to assess your company's vulnerabilities.
Even if you have invested in defensive technologies and have security policies and processes in place, all it takes is one unsuspecting employee to inadvertently put it all at risk.
- On the phone – Employees should be aware of vishing (voice phishing) and be trained to spot impostors (e.g. a 'developer' calling to update a computer and asking for the user's credentials).
- In the office – Your employees may not want to appear rude, so it feels natural to hold the door to a secure area open for a 'contractor' who forgot their key card, inadvertently giving an intruder physical access to your internal network.
- Online – A malicious actor may impersonate a coworker by email and trick unsuspecting employees into downloading ransomware.
While social engineering attacks are inevitable, security awareness training for you and your employees is the single most effective way to prevent security breaches. You can then focus on technical controls, such as multi-factor authentication and link filtering, to combat the residual risk from someone eventually clicking a link. Employees should know that social engineering exists and be familiar with the tactics commonly used to extract information. An information security consulting firm like Intrinium can conduct social engineering exercises and offer tools to build employee awareness and protect your business.