Social Engineering in Today’s Corporate Landscape
Business owners are well aware of the threats hackers present to their companies. Budgets for software and data protection increase yearly in response to breaches, and tighter restrictions are placed upon employees to secure sensitive information. But unbeknownst to many corporate leaders, today’s biggest security threats are not those that require remote access to a data center: exploiting humans through social engineering has become far more damaging.
What Is Social Engineering?
Social engineering is a strategic, non-intrusive manipulation tactic used to convince people to relinquish access to sensitive information. It relies heavily on human interaction and the establishment of trust, and it requires no hacking expertise to perform. Frankly put, it is extremely dangerous because social engineering tactics can be used by a much larger population than those who engage in ‘traditional hacking’ methods: essentially anyone can build a social relationship with another individual. Social engineers interact directly with people in an organization to build trust, establish relationships and learn the company culture in order to obtain information. After gaining information about a company and its employees, social engineers may ask questions, impersonate people, or employ similar tactics to get employees to break security procedures.
The Three Most Common Social Engineering Tactics Used by Hackers
Social engineers are always improving their tactics and employing new ideas. It is important to stay current with the methods they use most often and to know how to identify them in order to prepare the best line of defense.
1. Phishing
One of the most commonly used methods to steal data is phishing. Social engineers use phishing to steal information through fake emails, websites and phone calls that trick victims. To be most successful, social engineers begin by researching their target so they can craft “believable” stories with which to exploit them. For example, with information found in a quick Google search, a social engineer can find out a victim’s home address from Facebook, work location from LinkedIn and family information from other social media sites. With this information, a fabricated story becomes easily believable once it is sprinkled with genuine bits and pieces of the victim’s own details.
Social engineers may use phishing to contact a company by phone or email, threatening to close an account, halt a shipment of merchandise, offer a discount, or make some other claim that creates a sense of urgency. By utilizing personal information, they make workers feel safer about giving out the information. For example, a social engineer may call a key person in a company to say that their data profile must be updated to avoid account cancellation. They may send the employee an email attachment containing malicious materials that in turn give them access to the computer, or they may get bank information and other sensitive data simply by having the employee fill out a form and return it.
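The cues described in the two paragraphs above (urgency and account-cancellation threats, requests for credentials or a returned form, a risky attachment, and a reply address that does not match the sender) can be turned into a simple triage check that a mail gateway or help desk could run on inbound messages. The script below is an added example, not code from the article or from Cybrary; the keyword lists, the scoring threshold and both sample messages are constructed for illustration.

```python
"""Score inbound email for the social-engineering cues an awareness program
teaches staff to notice.  Everything here (patterns, threshold, samples) is a
constructed example, not production detection content."""
import os
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Constructed pattern lists mirroring the pressure tactics described above.
URGENCY_PATTERNS = [
    r"\baccount (will be )?(cancel+ed|suspended|closed)\b",
    r"\bwithin \d+ (hours|days)\b",
    r"\bimmediately\b",
    r"\bshipment (on hold|halted)\b",
]
CREDENTIAL_PATTERNS = [
    r"\bpassword\b", r"\blogin\b", r"\bcredentials\b",
    r"\bbank (account|details)\b",
    r"\bfill (out|in) the (attached )?form\b",
]
# File types commonly blocked or quarantined by mail filters (constructed list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".hta"}
REVIEW_THRESHOLD = 2   # number of distinct findings that warrants a human look


def _domain(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Parse an RFC 822 message and return the indicators found plus a verdict."""
    msg = message_from_string(raw)
    text = body_text(msg) + "\n" + (msg.get("Subject") or "")
    findings = []
    if any(re.search(p, text, re.I) for p in URGENCY_PATTERNS):
        findings.append("urgency")
    if any(re.search(p, text, re.I) for p in CREDENTIAL_PATTERNS):
        findings.append("credential_request")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if any(os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS for n in names):
        findings.append("risky_attachment")
    # A Reply-To pointing somewhere other than the From domain is a classic
    # sign that replies are being routed to the attacker, not the claimed sender.
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != _domain(msg["From"]):
        findings.append("reply_to_mismatch")
    verdict = "review" if len(findings) >= REVIEW_THRESHOLD else "ok"
    return {"subject": msg.get("Subject"), "findings": findings, "verdict": verdict}


def build_sample(sender, subject, body, reply_to=None, attachment=None) -> str:
    """Build a constructed test message; all addresses use reserved domains."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=name)
    return m.as_string()


# Constructed samples: one modelled on the profile-update pretext, one benign.
SAMPLE_SUSPICIOUS = build_sample(
    sender='"Acme Payroll" <alerts@acme-payroll-update.example>',
    subject="Action required: your account will be cancelled",
    body="Your data profile must be updated within 24 hours.\n"
         "Fill out the attached form with your login and bank details\n"
         "and return it immediately.\n",
    reply_to="verify@mail-help.example",
    attachment=("profile_update.docm", b"not a real document"),
)
SAMPLE_BENIGN = build_sample(
    sender='"Dana Lee" <dana.lee@example.com>',
    subject="Lunch menu for Thursday",
    body="Hi all, the cafeteria posted Thursday's menu.\n"
         "Let me know if you have dietary requests.\n",
)

if __name__ == "__main__":
    for raw in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(score_message(raw))
```

The point of the threshold is that no single cue is conclusive: plenty of legitimate mail is urgent, and plenty carries attachments. Two or more indicators together is what should route a message to a person for the callback verification the article recommends later, rather than being acted on directly.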
2. Pretexting
Similar to phishing, pretexting involves using impersonation in order to gain access to data. However, instead of using emails and the like, pretexting involves human impersonation of an authority figure. With this method, social engineers use a fabricated story to gain the information they want. They may actually use this tactic more than once to ultimately gain information from an organization. This is because they know they need to access a key person’s identity or credentials to access information. For example, consider a social engineer who calls a key individual in a company claiming to be from a different department. The social engineer then contrives a story that a suspicious email was sent from the individual. A story like that instills panic, and the hacker may tell that employee to verify his or her credentials.
When the social engineer has that information, access to other systems may be easier. For example, some company records are accessible with an employee ID number or other credentials. If the social engineer knows that employee IDs are used as the login names, and birthdays are used as passwords, the social engineer can find a birthday via social media or other means. When using this as a two-part method, a social engineer can use the employee’s information to contact tech support and have other accounts changed. In more extreme cases, the hacker may be able to access sensitive data by contacting tech support and posing as the employee.
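The weakness exploited in the paragraph above is a credential scheme built from facts anyone can look up: employee IDs as login names and birthdays as passwords. One defensive control is to reject, at password-change time, any password derived from attributes in the employee's own profile. The check below is an added example, not code from the article or from Cybrary; the profile fields, the date formats it tries and the sample passwords are constructed assumptions.

```python
"""Reject passwords built from discoverable personal facts (birthday,
employee ID, name).  Profile fields and samples are constructed for this
example; a real deployment would pull them from the HR directory."""
import re
from datetime import date

# Shapes that are almost always a date typed as a password (constructed list).
DATE_SHAPES = [
    r"\d{8}",                              # 15031990, 19900315
    r"\d{6}",                              # 150390
    r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}",    # 15/03/1990, 3.15.90
]
BIRTHDAY_FORMATS = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y")


def _normalise(s: str) -> str:
    """Lower-case and strip separators so 'E-48213!' and 'e48213' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def password_weaknesses(password: str, profile: dict) -> list:
    """Return the reasons a password is guessable from the given profile.

    profile keys (all optional): 'employee_id', 'name', 'birthday' (datetime.date)
    An empty list means none of these checks fired.
    """
    reasons = []
    pw = _normalise(password)

    if any(re.fullmatch(p, password) for p in DATE_SHAPES):
        reasons.append("looks like a date")

    bday = profile.get("birthday")
    if bday:
        if any(bday.strftime(f) in pw for f in BIRTHDAY_FORMATS):
            reasons.append("contains birthday")
        if bday.strftime("%Y") in pw:
            reasons.append("contains birth year")

    emp = _normalise(profile.get("employee_id", ""))
    if emp and emp in pw:
        reasons.append("contains employee ID")

    # Name tokens of three or more characters; shorter ones match too much.
    tokens = [t for t in _normalise(profile.get("name", "")).split() if len(t) >= 3]
    for t in re.findall(r"[a-z]{3,}", profile.get("name", "").lower()):
        if t in pw:
            reasons.append("contains name")
            break

    return reasons


# Constructed profile for demonstration.
SAMPLE_PROFILE = {
    "employee_id": "E48213",
    "name": "Maria Gonzalez",
    "birthday": date(1990, 3, 15),
}

if __name__ == "__main__":
    for candidate in ("15031990", "E-48213!", "Gonzalez2024", "correct-horse-battery"):
        print(candidate, "->", password_weaknesses(candidate, SAMPLE_PROFILE) or "ok")
```

Pair this with a login name that is not the employee ID (or at least is not printed on badges and org charts), and the two-part pretext described above loses its second part: knowing the victim's birthday no longer yields a working credential.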
3. Quid Pro Quo
No organization wants to think about employees intentionally breaching security. However, this type of attack is designed to entice them to do just that. Quid pro quo is a “request for information” tactic used to get personal information by asking seemingly harmless questions in exchange for a promised gift. It could be a t-shirt, a video game, or money. These usually pop up on websites to trick individuals into giving up their information. In the office, quid pro quo can be used on employees by offering assistance in fixing system-related problems in exchange for login credentials.
Social engineers usually find a list of office phone numbers for select workers who have access to desirable information. They may call each of those workers claiming to be from the IT department or another IT support company. Social engineers persuade the workers to disable their security software to grant access to their machines. Social engineers are much more successful with this method than most organization leaders would imagine.
How Organizations Can Stay Safer
One of the most important defenses companies can use to thwart social engineering efforts is proper security awareness training. Employees must be fully aware of the methods that social engineers use to gain access to information, and they must be fully prepared to offer responses that prevent these intrusion methods from working in the first place. If any of the above-mentioned social engineering attacks were to occur, what would an organization’s employees do? Employees should learn to prioritize company safety over personal relationships in the office, and to escalate to upper management when situations arise that they are unsure how to handle.
It is vital that employees do not engage in careless browsing on the Internet and that their browsers are equipped with add-ons that prevent them from clicking malicious links. Spam filters should always be used. Set up two-factor (two-step) authentication for all accounts that hold sensitive information, and train employees to call back financial institutions, tech departments and other outside companies that share sensitive information, using a known number, to verify any contact attempt before acting on it.
It only takes one incident from one employee “taking the bait” to cause thousands of dollars in damage, a tarnished reputation, and possibly many more negative repercussions for an organization.
Bottom line: Never underestimate the power of human manipulation. Focus on thorough training and keep sensitive information heavily protected.
About the Author
Ryan Corey is the CoFounder of Cybrary, the world’s first free cyber security training website. Much of Ryan’s time is spent helping to educate the world on cyber security awareness.