Catapult Tech Solutions Blog
Can You Handle a Social Engineering Attack?
Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data. Simply stated, it is the art of manipulating people into giving up confidential information. It is up to all of us to be personally aware and protect ourselves from these dangers. Even if you have all the security features in place (cloud data protection, building security, defensive technologies, firewalls, etc.), a skilled scammer can still weasel his way in, through, or around your security.
Why use Social Engineering to get in, through or around security?
There are several ways a social engineer may try to gain access to your information. It is much easier for a hacker to use your trust to trick you into giving up your password, bank information, or Social Security number, granting access to your computer, or clicking a link that installs malware than it is for them to break into your system and find the information themselves.
For example, a criminal may call an employee in the office, or even just walk in wearing a company t-shirt bought at a second-hand store, posing as a member of the IT team, and get the employee to hand over information such as passwords or other secure data. Once a social engineer has a trusted employee’s password, the criminal can simply log in and snoop around for sensitive data. With an access card or door code that gets them physically inside a facility, the criminal can access data, let accomplices into the building, steal assets, or even harm people.
How do they do it?
Social engineering occurs in person, over the phone, via email, through social media, or even through web browsers. No matter the vehicle, the criminals use the same tool: human nature. Scammers prey on our greed, our kindness, our naivety, our curiosity, and our desire to be helpful to others. They do their homework, getting to know our business and our habits before they even make contact.
There are so many examples of social engineering. It could be someone posing as law enforcement. A scammer may pose as a fellow employee. Someone may ask you to hold the door on the way into the building, giving access without a key card. A criminal uses the local news and current events to find areas where someone may be vulnerable. A social engineer might even pose as a fake charity.
Emails are a popular source for social engineering. You may receive an email appearing to be from a known source. It may contain links or downloads that you did not expect and may turn out to be malicious.
For instance, you should watch out for …
- an email asking for urgent help from someone close to you.
- anything appearing to protect you by asking you to verify information or change passwords.
- requests to donate to a charitable cause or even notifying you that you are a winner.
- someone posing as a boss or colleague asking you to do something for them, perhaps even something against normal procedure, because “your boss” says it’s an emergency.
- a reply to a message you never sent.
- any offer of help with a problem that you never knew you had.
These are just some of the ways social engineers can use email to reach you.
How can it be prevented?
Now that you see what a severe problem social engineering can pose, how do you prevent it? The number one tool to prevent social engineering is security awareness training. Employees need to know that social engineering exists and be familiar with commonly used tactics. You will want to train and train again when it comes to security awareness. Regular updates allow you to share new patterns of threats and also offer regular reminders. Social engineering lends itself to storytelling, and stories are easy to understand and easy to remember.
The weakest link in the chain of security is the person who accepts a person or a scenario at face value without checking. Your home may have locks, alarm systems, and guard dogs, but if you trust the person at the door who says he is the pizza delivery guy without checking it out, then you open the door and completely expose yourself to whatever risk he brings. It is the same with digital security.
There are some powerful tips that can help you avoid being that weakest link.
- Slow Down! Scammers want you to act now and think later. Don’t fall for it.
- Do Your Homework! Know the facts and check up on them before you act.
- Type the URL! Find the website yourself through your search engine or by typing the address, rather than just clicking on a link.
- Hijacking! Be aware that email hijacking is rampant, and just because an email is from someone you trust, realize it may not really be them.
- Don’t Download! Unless you personally know the sender AND are expecting a file from them, do not download it without checking.
- Software! Be sure your computer security software is up to date and functioning.
- Foreign=Fake! If you receive an offer from a foreign country concerning money, it is guaranteed to be a scam.
- Spam! Set your filters on high to weed out junk mail.
- Delete! Delete any email requesting financial or password information.
- Just Say No! Reject any solicitation for help. A company will not contact you to offer their services unless you first seek them out.
- Say No Again! If someone is desperate for help, they will not send an email! If you are concerned, call them or better yet, visit, but do NOT send money!
- Too Good Isn’t True! If something appears too good to be true, then it probably isn’t true.
Another key tool in helping your employees avoid these pitfalls involves putting policies, processes, and procedures in place that offer controls and checks and balances to protect your information. Catapult Tech Solutions can help you develop policies to protect your business.
Are you on Facebook? We are, too. Let’s be friends!