As James Cagney would say, “You dirty, double-crossing rat.” That’s the sentiment businesses feel after falling for “social engineering” tactics. Social engineers pretend to be someone they’re not in hopes that you fall for one of their ploys. They use tactics to “engineer” their way inside your organization. For example, claiming to be a prospect, they may send you an email that convinces you to click on an attachment or a link inside the email. Doing either may surreptitiously download malware onto your computer.
Here’s an example of how social engineering works. An attacker sends people at your business an email posing as a prospective customer. The email might say, “Our company is thinking about doing business with you. Please review our attached needs and let me know which type of solutions you would recommend and what the cost would be.” Once recipients open the document, they inadvertently download malware onto their computer. Once their computer is infected, the network will most likely soon be too.
Social engineers often use “social networking” to engineer an attack. The attackers use networking sites like LinkedIn or Facebook, where users often name the companies they work for. Then, attackers find the company email addresses for those people and send them emails like the one mentioned above. Or, attackers could send an email with a malware link or attachment that looks as if it were sent from an actual employee. For example, attackers could send employees an email that looks as if it were sent by someone in the accounting department, asking people to click on a link to update their home contact information. Once people click on the link, a box pops up with fields for a home address and phone number. This looks like a valid request, so people complete the fields and no one questions it. In reality, the sender only needed people to click on the link, because doing so downloaded malware onto their computers.
Although social engineering often ultimately leads to a cyber attack, it may not start out that way. It may start with someone pretending to be a customer or the CEO’s friend, telephoning your company and tricking someone into giving out information they should not be divulging. Or, someone could pretend to be a repair person and gain access to the office and to locations where only authorized people should be.
The Effect on Business
Businesses of all sizes are at risk for cyber attacks. Although smaller businesses I speak with think they are not as vulnerable as the big players, they are. Attackers often target smaller businesses to perfect an attack before launching it on larger ones. Attackers will also invade a small business network to get access to its customers and to its business partner networks. Many of these attacks start with social engineering.
Antivirus software and devices may be able to block malware coming from outside your network, but if someone gains access to a computer inside the network, it’s easy to become infected. Most employees don’t expect someone they see inside an office doing any type of work to be a bad actor. Usually, if someone inside an office asks someone else there for help, they are eager to provide it. They aren’t trained to be suspicious.
Prevention Worth a Pound
Although many organizations have extensive security policies in place and provide some training to employees, in almost every social engineering assessment we conduct, our security consultants are successful in accessing the customer’s premises or gaining sensitive information.
You can help prevent social engineering by teaching your employees the following security tips:
- Provide clear guidance on employee behaviors that protect corporate information, e.g. screen-locking workstations and not allowing anyone to “piggyback” into a building or room.
- Don’t accept friend requests on social networking sites from people you don’t know just because they are “friends” of your friends.
- Keep your Facebook account on Private settings, so neither the public nor friends of friends can see your posts.
- Share real examples of phishing emails your business has received.
- Present examples of social engineering techniques cyber criminals use, which include suspicious phone calls asking about employees and “repair people” trying to get onto a company computer.
- Promote a culture that politely, but firmly, questions unusual activity and policy violations.
- Consistently train staff on cyber security via meetings and emails.
- Engage a third party to execute a social engineering assessment and determine how well your anti-social engineering policy and education are working.
- Test how well your employees respond to various social engineering approaches. Will they provide sensitive information in response to telephone and email enquiries? Will they help the “guy” who forgot his badge get into the building? Will they plug in the novelty chocolate-bar-shaped USB stick given to them for ‘free’ by the nice woman at the tradeshow they attended?
- Publish the results internally and tell people what they can do to improve.
- Establish a routine of regular social engineering assessments to provide clear metrics on how effectively your employees rebuff real and simulated social engineering threats.
It would be nice to be able to trust everyone, but when you don’t “trust but verify,” you often end up communicating with a rat. And that stinks.
Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs. For more information on securing your organization, please contact firstname.lastname@example.org  and write “Social Engineering” in the subject line.