When we talk about cyber security, most people think of the protections we put in place for networks. Lots of cables, firewalls and invisible defences, all to keep out the scary world of hackers. While that is not incorrect, it’s not all we do. Information security is also about protecting the most at-risk element of a business from exploitation and attack - its people. People at the very nature want to help others and this can often leave them open to making mistakes or giving out information they shouldn’t. Hackers will often start by targeting a business through their people something called social engineering.
Don’t know what that is, or why it matters? Read on…
What Is Social Engineering?
Social engineering is basically a way for hackers and criminals to use the people inside your organisation to access the information they want. It’s defined as ‘the psychological manipulation of people into performing actions or divulging confidential information.’ Social engineering is generally used to gain access to buildings, systems or data by exploiting human psychology instead of traditional hacking techniques.
Social Engineering is incredibly dangerous and can be used for all sorts of purposes. For example, there is a famous criminal case from 2004 where a criminal used social engineering to convince a series of restaurant and grocery store managers to strip search their employees. The man on the phone claimed to be a police officer and used psychological manipulation to coerce innocent men into committing crimes and molesting young women.
That case might sound extreme, but the principle can be applied to your business. In the security world, social engineering is about convincing employees from the targeted business to divulge information they shouldn’t, or to do things like plant malware or breach security. This lets the hacker bypass your well-designed cyber protections and get right to the heart of your business.
Some Signs Of Social Engineering
Criminals who are looking to break into your business will often study it in detail, taking weeks to get to know the business, its location and its people before making their move. They will be prepared, so that when they go in, they are as undetectable as possible. It’s therefore important to know the signs of a social engineering scam. Here are just a few examples of what could happen:
By phone: A social engineer might call and claim they are a fellow employee, business partner or even a trusted authority like a police officer. They will attempt to make you comfortable with them, using familiar corporate lingo and maybe even name dropping so that you feel they are genuine. Then when they think you are convinced, they will ask you for sensitive information or to do something out of the ordinary.
At the office: ‘Can you hold the door for me? I forgot my access card/lost my keys.’ How often have you heard that in your building? It might sound harmless, but this is actually a very common technique used by social engineers to gain access to a building. They could also have obtained a company uniform, so that no one questions their presence, even if no one knows them. An experiment by noted cyber security expert Chris Nickerson, found a company shirt in a local thrift store, put it on and gained access to the cafeteria. Whilst his colleague went to hang around in the smoking area of the company’s building and, assuming he was a fellow smoking office-mate, the real employees let him in the back door with them, no questions asked. You can read more on that here.
Online: This is where we are most conditioned to expect social engineering attempts, like phishing emails and scams. But some attempts are more subtle, for example, a hacker could use the internet to research everything about the employee they are targeting. Using social networking sites like Facebook and Twitter, professional networks like LinkedIn, profiles on business websites or even networking groups; so that they have all the information they need to pretend they are someone the target knows. They can then use this information to create a tailored, unique scam email (spear phishing) , online post, or even pose as a fellow employee in a chat room, building that trust and earning their access. It’s a slow burn, but it does happen.
How Do I Avoid It?
Sounds bad, right? It is, and it’s becoming increasingly common in hacking circles. Phishing emails (which are a type of social engineering) have always been around, but now they are becoming more and more sophisticated so that it’s hard to tell if it’s a scam or not. Hackers are also using other, more creative means of social engineering to exploit businesses, so it can sometimes be difficult to spot. The best way you can avoid becoming the victim of a social engineering scam is investing in the education of your employees. Since they are the ones at risk, they need to be made aware of who could be targeting them, how they could operate and how to respond if they suspect it. Companies with a well-trained workforce are significantly less likely to fall victim to a social engineering scam, leaving the hackers to opt for more traditional routes in (which will be just as well protected).