Social engineering is the art of manipulating victims into giving up confidential information. Attackers employing these techniques take advantage of human traits such as trust and instinct. They will take the time to study their victims, relying on the wealth of information available across the internet, social media in particular, in the hope of convincing the victim that the attacker is a reputable source.
Social engineering usually arrives through one of three routes: in person, over the phone and online.
The Tradesman
Criminals often pose as tradesmen when trying to gain entry to a property. Your business may get daily visits from maintenance people to fix lights, toilets and so on, so how do you tell which of them are legitimate and which are trying to gain access to your business?
A good first port of call is to give each member of your team a swipe card or key fob for entry to your buildings. This lets you tell who should be there and who shouldn't: anyone trying to gain entry without a card can be easily identified and questioned. A card system is only as good as the door it protects, so train staff not to hold doors open for people they do not recognise, and train them to spot and report suspicious activity. Keep a log of who comes and goes from your premises, and have visitors sign in and wear a visible visitor badge while they are on site.
The Quick Printer
If you fail to recognise the tradesman above and have already let him in to complete some ‘work’, make sure every visitor's whereabouts are known at all times. Say someone walking around your premises claiming to be completing electrical work asks whether they can hop on a computer to print out their invoice.
As soon as someone obliges and leaves that person sat at one of your workstations, they have access to your business's network and all of the confidential information on it, and a minute alone is long enough to copy files or plug in a USB device. Even if you are convinced that the person claiming to be an electrician is legitimate, take care before letting them anywhere near your network: have a member of staff print the document for them rather than handing over a logged-in session, never leave them alone with a workstation, and log the machine out once they are finished.
The Rogue Employee
It might not be someone from outside your business who is there to cause damage; you could find them within. All it takes is one wrong hire and you could be left with a malicious employee whose sole intention is to steal your business's data. To mitigate the risk of a rogue employee, carry out a comprehensive background check on every new starter, along with solid references. Checks reduce the risk but do not remove it, so also limit each employee's access to the data and systems their role actually needs, and revoke that access promptly when they leave.
Unfortunately, attackers no longer only target you in person; they also do so over the phone.
The Panic Call
Much like phishing emails, where the attacker plays on a sense of urgency to make you give up sensitive information, attackers employing social engineering over the phone play on our human response to panic. These calls may present a scenario along the lines of: ‘We need you to give us the number from the back of your internet hub so that we can gain remote access. Attackers are trying to enter your network right now, so this is a matter of urgency’.
When presented with a call like this, alarm bells should be ringing. It is very unlikely that your internet provider will alert you to an attack in progress, and even less likely that it will do so over the phone. If you receive a call like this, hang up and contact your internet provider straight away, using the number on your bill or on their website, never one the caller gives you.
The Please Donate Call
You might receive a call from someone pretending to be from a well-known charity such as Oxfam or Cancer Research. These calls have two main motivations: 1) to steal your credit card details, or 2) to get you to transfer a sum of money out of your account.
Much like the panic call, major organisations are highly unlikely to contact you in this way. If you do receive a call of this nature, we strongly advise terminating the call, and under no circumstances should you give out credit card information. If you want to donate to a charitable cause, go to the charity directly through its own website or published phone number.
The Vishing Call
Vishing, or ‘voice phishing’, is the voice version of the phishing email. Like its digital counterpart, the aim of a vish is to trick the victim into giving up sensitive information such as a password or credit card details. These calls are usually pre-recorded and pretend to be from your bank, asking you to call a specific number to confirm your account and transactions.
When you phone that number you may be asked to key in things like security codes and passwords, which the attackers can then use to get into your accounts. We strongly advise terminating these calls and contacting your bank's customer services team directly, using the number on the back of your card or on a statement. Never phone a number that has been given to you over the phone: there has also been a rise in premium rate numbers, which can cost you a substantial amount for every minute you stay on the line.
The most alarming trend we have seen in social engineering, however, is the rise of online tactics.
The Social Media Route
As more and more of us use social media to post updates about our lives, we are ultimately handing attackers a wealth of information about us that can be used to target us with attack methods such as phishing.
Some cyber criminals use their victims' social media accounts as an insight into their lives. They get to know what is important to them, what makes them tick and who their closest friends are, and then use that information to target specific individuals. For example, if you received an email from what looked like your best friend asking for money because they were in financial difficulty, and it was normal for that friend to contact you by email, you might well oblige and transfer the attacker a large sum of money. Before acting on any such request, phone the friend on a number you already have and confirm it with them.
We suggest checking that your privacy settings are up to date so that only those you have accepted can see what you post on your profile, and bearing in mind that anything a friend shares on is outside your control.
The Phishing Email
Phishing emails tend to appear to come from a trusted source, usually someone in a position of authority, with the aim of stealing valuable information. These attacks can be highly targeted at a specific victim or group of individuals and may even appear to come from someone within your business, perhaps asking for early payment of an invoice or for account passwords. As mentioned, these attacks are often underpinned by prior research by the attackers, usually on social media.
Make sure your team are aware of phishing tactics and always encourage them to check the sender's actual email address, not just the display name, together with the domain behind any link. Often a single changed character is all that separates a fake from the real thing, e.g. www.peypal.com vs www.paypal.com. Any request to pay an invoice early or to change bank details should be confirmed by phoning the requester on a number you already hold, not one in the email. You should also encourage your team to make use of the educational materials found at www.complete-it.co.uk/blog/
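As an added example, and not code from the original article, the check below does in software what the paragraph asks staff to do by eye: it pulls the real address out of a From: header (ignoring the display name), then flags domains that are within one character of a domain the business trusts (peypal.com vs paypal.com), domains that only match after look-alike characters are folded (paypa1.com, hrnrc.gov.uk), and display names that borrow a trusted brand while the address lives elsewhere. The trusted-domain list and the sample headers are constructed for illustration; a real deployment would load the list from the business's own records.

```python
"""Lookalike-sender check for phishing triage (added example, not from the article)."""
from email.utils import parseaddr

# Constructed for this example: domains the business legitimately receives mail from.
TRUSTED_DOMAINS = ("paypal.com", "complete-it.co.uk", "hmrc.gov.uk")

# Single characters that pass for a letter at a glance (0/o, 1/l, 5/s ...).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that render like one letter in many fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalise(domain: str) -> str:
    """Fold look-alike characters so 'paypa1.com' and 'hrnrc.gov.uk' compare equal to their targets."""
    folded = domain.lower().translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, single)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header; '' if there is no usable address."""
    _, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    return domain.lower() if at else ""


def classify_sender(from_header: str) -> str:
    """
    Return 'trusted', 'lookalike', 'display-name-mismatch', 'unknown' or 'malformed'.
    The real address, never the display name, decides the verdict.
    """
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"

    # Exact match, or a subdomain of a trusted domain (notifications.paypal.com).
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"

    # Within one edit of a trusted domain once confusables are folded: peypal.com, paypa1.com.
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(folded, normalise(trusted)) <= 1:
            return "lookalike"

    # Display name carries a trusted brand but the address does not belong to it.
    brands = {trusted.split(".")[0] for trusted in TRUSTED_DOMAINS}
    compact_name = "".join(ch for ch in display_name.lower() if ch.isalnum())
    if any("".join(ch for ch in brand if ch.isalnum()) in compact_name for brand in brands):
        return "display-name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for header in (
        "PayPal <service@paypal.com>",
        "PayPal <service@peypal.com>",
        "PayPal <service@paypa1.com>",
        "HMRC Refunds <refund@hrnrc.gov.uk>",
        "PayPal Support <billing@secure-login-portal.net>",
        "Alice <alice@example.org>",
    ):
        print(f"{classify_sender(header):<22} {header}")
```

The edit-distance threshold of one is deliberately tight: it catches the single-character swap the paragraph describes without flagging every short domain as suspicious, and the confusable folding runs on both sides of the comparison so a trusted domain that happens to contain "rn" still matches itself. Anything that comes back as lookalike or display-name-mismatch is worth a phone call before any money moves.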
You Can Combat Social Engineering
1) Underpin your operations with a reliable disaster recovery and business continuity solution. Should attackers delete or encrypt valuable data, a solid backup lets you recover it; bear in mind that a backup does nothing for data that has already been copied out.
2) The only way to be sure that your teams know what social engineering is and the attack methods it underpins is to train them, and train them regularly.
3) Ensure you have an incident response team in place. If any of these tactics work and attackers do gain entry to your business, your incident response plan will be a crucial document for keeping downtime to a minimum.