Being cyber aware is a business imperative, and understanding the fundamentals of social engineering is critical to that awareness. Because the cyber criminals are targeting YOU. Not the vulnerabilities in your systems, but you and your team.
Cyber-awareness today means recognizing and accepting this as fact, because in order to effectively spot and prevent these sophisticated scams, you first need to understand them.
Corsica Tech President Dale Walls recently led a workshop on this important topic at the Small Business Expo in DC, covering much of what is included in this article. You can get a free copy of that presentation here.
What is Social Engineering?
Social engineering is the art of manipulation.
It’s when someone with malicious intent is using psychological tricks to compel their target (you and your staff) to take an action that is against their best interest.
This is not a new phenomenon – social engineering has been around since the days when business was done solely by telephone, and we’re still up against the same basic scams today.
What has changed though are the tactics, and the impact of a successful attack.
It’s popular among hackers for one very specific reason – because it works.
It’s easier to exploit a human being’s natural inclinations to trust than it is to expend the effort to hack into our systems. This makes social engineering the path of least resistance. Basically, tricking you into giving up your password is whole lot simpler.
Effectively what these scam artists have done is to correctly identify the weakest link in the security chain – the humans.
So the takeaway for every business leader is that it doesn’t matter how strong your firewall is, or that your anti-virus is top-of-the-line, or even that you have the best IT partner on the planet protecting your systems.
The best analogy is to think of it like a home security system. You can have the best surveillance system around, a fenced yard with guard dogs, deadbolts on every door and window and more. But if the person ringing your doorbell says he’s the pizza delivery guy and you simply take his word for it and let him in, then you are completely exposed to whatever risk he represents. And that is something no security system can’t help protect you against.
(Side Note: What you do get with a good IT partner is good data backups management which results in less time lost remediating a security incident. In short, it shots a bad situation from getting even worse.)
The Modern Impact of Social Engineering
As mentioned, this threat isn’t new. But because so much more of our information is now digital, the opportunities for cyber-criminals have expanded and are much more far-reaching and dangerous.
And they’re using every single tool available to them, including email, social media sites, spoofed websites, phone calls, texts, messaging services and spoofed smartphone apps.
The confidential information they are seeking is being used for ransomware attacks, getting sold on the Dark Web, used in identity theft, or as a bridge to gain access to your partners and vendors, who may fall for a fake invoice email or other common social engineering attack that appears to be coming from someone they trust.
Phishing is How Social Engineering is Implemented
Phishing attacks represent the #1 vehicle for social engineering attacks. And they have evolved, becoming highly targeted, difficult to spot and incredibly persuasive.
This quote sums it up perfectly:
“Truth be told, phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective,” says Adam Kujawa, Director of Malware Intelligence. “That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”
Why Does Social Engineering Work?
At its core, a social engineering attack is the work of a con artist.
Instead of trying to locate a software vulnerability, the criminal behind it is relying on human emotion to achieve the results they want. And what they want is to trick or con you into taking an action that will benefit them.
Humans with free will – to click or not to click – are vulnerable because they are unpredictable and unfortunately, easily manipulated by exploiting one of these 4 emotions: fear, obedience/respect of authority, greed, curiosity.
Fear is an outstanding motivator and the criminals behind these social engineering attacks know that. People tend to just react when presented with a situation that creates fear, because that’s the best way to resolve the emotion.
This is of course exactly what the hackers are counting on – a knee-jerk reaction that results in a click on a malicious link or attachment.
There are countless ways to play on your fear, but it often revolves around a claim that you’re going to lose access to something important if you don’t take a specific action, like your bank account, email or any other online service you rely on. Another popular tactic is the email from a friend claiming to be in trouble.
OBEDIENCE/RESPECT OF AUTHORITY
We’re taught from a young age to respect authority, and conditioned not to question a directive from someone in a leadership role or position of authority.
Hackers have taken full advantage of this, creating (as one example) scams that spoof an email of someone on the management team and request financial transactions be made immediately.
Tax scams are also commonly rooted in our sense of obedience, relying on threatening messages and calls that claim to be from law enforcement officials.
The idea that you can get something for nothing or very little is another common tactic in phishing messages. These campaigns will either lead you to believe that you have won something, or that you can earn a big reward. In all cases, some action is required of you. It may be to pay a small fee, or to provide your personal information.
The Nigerian Prince scam is the most famous example of a scam that preys on greed; and while most people are now aware of that particular example, there are plenty of other more evolved scams that do find the mark. They might offer a monetary reward in exchange for taking a specific action, claim that you have won a big prize, or indicate that you are getting a refund for something.
Remember too that when you fill out forms for a prize entry, you’re at minimum providing your information to advertisers so they can target you with additional ads and offers. So even if you aren’t jeopardizing your network, you’re still giving your information away for someone else’s profit.
Human beings are naturally curious.
Often that’s a good thing, but it’s also something that is often exploited in these social engineering messages. Fear of Missing Out (FOMO) is central to this theme, with messages ranging from short, vague notes that appear to be from a known contact, to juicy celebrity gossip that you could be the first to know.
The intent is simple – to get your natural curiosity and FOMO to override any concerns you may have that the message could be malicious.
- Vaguely worded “You gotta see this!” messages that appear to be from a known contact
- Clickbait headlines or subject lines that promise gossip or a first look at breaking news or information
- Messages that make the recipient feel like that are missing out if they don’t click
Other social engineering campaigns play on our willingness to help out a person or group.
Examples of this type of scam include:
- Messages targeted towards customer service professionals asking for assistance
- Requests for charitable donations
- Messages that appear to be from a co-worker asking for help with something
- A message from a friend saying they are in trouble and need you to wire money now
Charity scams are unfortunately the norm in the wake of any type of regional or even global disaster. They take advantage of our natural empathy and desire to do something to help. Check out this article for more on how to avoid getting caught up in any kind of a charity scam.
Social engineering scams are generally always crafted to invoke some type of strong emotional response from the recipient. Additionally, they will also create a sense of extreme urgency, making the target feel like they must do this thing RIGHT NOW or face the consequences (whatever they may be).
They will often impersonate nationally known brands or services, or appear to be from a known contact. They mostly contain links, sometimes attachments, though that is less common due to advances in spam filters.
They also follow the news, whether that’s a holiday, a national disaster, or a trending topic. This is a great way to sort of “hide in plain sight”, taking the chance that someone worried about their tax filing will be more susceptible to a phishing campaign tailored to that topic.
Defending Against These Cyber-Risks
So now that you know the fundamentals of social engineering, the better question is what you can do to defend against this type of attack.
And it really comes down to three things:
- Think before you click
- Educate and train your staff
- Treat cybersecurity as a full risk management issue, not just an IT problem
Think Before You Click
This is as much a mantra as it is a directive.
It’s a good way to remind yourself to slow down, avoid reacting emotionally, and do a gut-check on any email before clicking on a link within it.
You should know the red flags of a phishing attack, and follow two critical best practices:
- Always stay in control of where you land on the internet (meaning don’t follow links provided to you; instead navigate to a site on your own in a clean browser window)
- If a message is AT ALL questionable, validate it before proceeding. You can do this by calling the supposed sender, logging into the account in question directly, or even putting the subject line into the search engine to see if it’s a known scam.
Educate and Train your Staff
Every employee with an email address or access to a networked computer is a target. Therefore, every single employee represents a threat to your network.
So how can you ensure that everyone thinks before they click?
First – recognize that all it takes is ONE bad click by any single employee, from any networked computer, to create a data disaster.
It’s critical to understand that truly creating a culture of cyber awareness covers the full spectrum of your team, from the board room to the break room.
Knowledge is power, and when you know that the human beings who work for you are being actively targeted, you have to educate them about the risks and train them on how to spot a phishing email or other malicious campaign. So the second step is to educate everyone on the best practices around suspicious emails.
And it’s not a “one and done” thing either. This information needs to be continuously reinforced either through quarterly reviews, or maybe by integrating some cybersecurity information into your regular monthly staff meeting. Sign up for alerts and distribute that information on a regular basis.
Cybersecurity really is now everyone’s responsibility and your team can either be the weakest link in the security chain or – if they’re educated and well-trained - your best defense against a cyber attack.
As a business leader, we also strongly recommend that you create and enforce a policy that mandates secondary confirmation of any requests for financial transactions. Those extra few minutes can save you from a significant loss.
But beyond that, you should also give your team permission to take time to validate requests.
Remember how we talked about these messages playing on obedience and respecting the chain of command?
If someone in your Finance Dept fears a negative consequence of confirming a request, you have a problem because they are more likely to comply with a spoofed email out of fear of questioning it. So make it clear that “better safe than sorry” is the standard.
Corsica Tech President Dale Walls recently led a workshop on this topic at the Small Business Expo in DC, covering much of what is included in this article. You can get a free copy of that presentation here.
Accept that Cybersecurity is Not Just an IT Issue Anymore
We can sum this up by saying that true cyber awareness for a business today means accepting that technology alone isn’t the answer.
Yes, having the right technology tools and solutions in place is a critical piece of the puzzle. But the point of this article is that a good social engineering scam can easily bypass even the strongest technology because it’s targeting the human beings behind the keyboard and not the technology itself.
So make sure that you have a layered approach to network security, and also make sure that it includes end-user training and education.
Want more great technology updates, news and other industry information delivered directly to your inbox? Subscribe to the blog and each week you'll get new useful tech news you can use!