Recently, a firm owner said, “We aren’t a target for cybercriminals. We don’t have medical records or credit card numbers. We use a cloud solution for human resources, so we don’t even have our employees’ social security numbers on-site.” When I asked about his pricing structure, proposals, estimates and contact information for his personnel and subcontractors, he confirmed that he considers that private information. I queried further and asked if they had experienced any recent security issues, such as odd emails, unusual requests for wire transfers or trouble with malware. He eyed me suspiciously and then showed me an email he had forwarded to his accountant requesting a wire transfer. Fortunately, his accountant called him to ask about the unusual request, and the company was not financially impacted by the attempt.
While personal information records are highly sought after by cybercriminals, they can monetize almost any piece of information easily compromised by you or your organization. Anything and everything that a cybercriminal can easily compromise can be sold, ranging from real email addresses, personal information and business records to compromised computers and websites. If an attacker specifically targets you, if they have the resources and if they are patient enough to wait for an opening, they dramatically increase the chances of getting what they want. Technical exploits by hackers can have a sense of wonder about them, but most cybercriminals are utilizing simple methods to get you and your employees to willingly provide them what they want.
Cybercriminals use methods that take advantage of our natural tendency to trust. Cybersecurity professionals refer to these as social engineering attacks, but they are really the same confidence scams that are as old as human history. Some of these scams use technology, but they can involve phone calls, fake websites, emails asking you to wire money or even in-person visits to your workplace. So how do you keep you and your organization off of the easy-to-compromise list?
Social Engineering Methods
First, it is important to understand the type of attacks and then take measures to protect you and your organization. Most are familiar with phishing emails, designed to get you to launch an attachment, click on a link or make contact with the con artist. Some have even heard of “spear phishing,” where a specific person or position within an organization is targeted using social media and public information sources to gather information about the target, customizing the email so it is more believable to the victim. But cybercriminals are clever and use a variety of methods to get what they want. Other forms of social engineering include:
- Tailgating—Used to gain physical access to a building or site, the perpetrator follows close behind an authorized employee or contractor so they never have to use keys, a card or access codes. They just grab the door before it closes to gain physical access. Clever cybercriminals will create a diversion (like having arms too full to open the door) and sway others to hold the door open for them.
- Shoulder surfing—Multiple variants exist. One involves using the authorized person to block the view of the guard or receptionist. Another variant involves standing close enough that they can watch someone enter a PIN or a password, so it can be used later.
- Pretexting—This involves pretending to have a legitimate need for the target’s information. Often performed over the phone, there have also been a number of instances in which pretexting used a combination of email, in-person discussions, websites, faxes or even standard mail. The goal is to pose as a vendor, contractor, a potential client or even a delivery person to get the target’s login, passwords or other sensitive information.
- Business email compromise—Coined by the FBI, this is a version of spear phishing with the specific goal of getting the victim to wire money to the criminal. The criminal either takes control of the owner’s email address, or more often, they create a fake email address closely resembling the original. The email says there is an urgent need to wire money to a specified account as soon as possible. If it works once, they ask for more money or credentials to wire the money themselves so they can completely clean out the accounts. The FBI reported that from October 2013 to August 2015, more than $747 million was defrauded from United States victims alone.
- Ransomware—Security professionals around the world have been warning about ransomware for several years. Ransomware is software attached to a phishing email, available from a website link or packaged with some other “free” software. Once the victim runs the executable file, it encrypts all the documents, spreadsheets, presentations and other files connected to the computer (including network drives and external drives) and then displays a notification telling the user to deposit Bitcoins in a specified account to get the decryption code to unlock the computer. There is often a time limit. If the ransom isn’t paid, then the encryption keys are destroyed, so your data can never be recovered.
What You Can Do
Most of the major breaches reported in the press during the last 3 years can be traced back to a social engineering attack. If major retailers, entertainment companies, health care organizations and service companies with millions of dollars invested in technology can be compromised, what can you do? Social engineering takes advantage of human trust, and smaller organizations often have an easier time addressing training and trust issues. Here are a few ideas for reducing the risk from social engineering:
- Knowledge—Know what you consider sensitive information that your organization creates, processes or stores. Know who should have access and how your information system’s environment is protected.
- Internal controls—Implement internal controls to protect your financial systems from fraudulent transactions or at least detect them if they occur. For example, many businesses use some form of dual control in their payment systems. One employee might prepare a payment or wire transfer, but the transaction requires the approval of another person inside the company.
- Training—Take time to train your team about social engineering and security risks. Cultivate a “trust, but verify” approach and encourage employees to be skeptical about callers asking for information or order confirmations. If the contact is legitimate, they will not mind verifying their identity.
- Culture—Encourage a culture in which it is considered good to report attempts to reinforce training and identify issues early.
- Technology—Use technology to your advantage. Solutions exist to inspect emails and attachments, protect end-user systems, block connections to known bad sites and log security information. Remember, though, that technology is only part of the solution, not the solution itself.
- Vigilance—Evaluate your security, test user knowledge and assess the people, processes and technology you use to protect your environment on a regular basis. Use the information from the assessments to update and improve your environment. Security is an ongoing process.
Technology advances continue to break down geographic barriers, enable new business opportunities and improve efficiency, but they also increase risk.
Social engineering attacks take advantage of the technology while exploiting human weaknesses. The threats are present, and the risks are real, so address them using the appropriate combination of the above recommendations that best fit your environment.