Employees are considered to be an organization’s biggest asset, but the weakest link in terms of its security. While enterprises are regularly attacked by deliberate actors and saboteurs, a lot of security incidents also result from negligence, carelessness, and lack of awareness. Earlier this year, an investment management software provider was sued for losing $6 million to a Business Email Compromise (BEC) scam. The culprit? An employee who didn’t follow proper wire transfer procedures. In that situation, when an organization has the proper security measures in place, the employee who actually follows procedure or has the awareness to recognize the scam serves as the lynchpin of its defense.
A 2014 survey revealed that around 19.8% of data breaches came from internal systems—the result of basic human error. The wide range of effective scams that can be used to exploit employees is why cybercriminals still resort to social engineering rather than trying more sophisticated schemes.
The specific scams may vary, but here is a list of the most common techniques—as shown in a number of TV and movie scenes—to help users be more aware of the social engineering threats they’re facing:
Identity Thief: Sandy impersonates his former boss and convinces an employee to give up access codes to a restricted area.
Have you ever received an unsolicited call from someone in “tech support” about a problem that requires your immediate attention? Maybe the caller starts asking for personal information or account details to take care of the issue immediately. This scenario sums up a social engineering method known as pretexting.
Mostly done over the phone, pretexting involves the creation of a situation that convinces the target to reveal personal or valuable information. The scammer will pretend to be someone legitimate or familiar to make the target feel comfortable—a customer service agent from their ISP, a co-worker from a different branch or office, or someone from the company’s tech support. Criminals sometimes mine information about the target beforehand to make the scam seem more believable.
The problem is how to distinguish a scammer from a legitimate caller. Generally, if you receive an unsolicited call and the caller starts asking for personal information (Social Security number, account security questions) you should verify if the caller is legitimate. Hang up and call the company itself to confirm if there really is a problem.
Blackhat: Hackers trick a CIA agent by masquerading as his supervisor. They send him an email with instructions to change his password and download a PDF, but the downloaded file actually installs a keylogger. The hackers manage to get his new password with the keylogger installed.
Despite increased public awareness about these scams, phishing is still widely used and effective. Just last February, Snapchat was victimized by a phishing scam after one of its employees emailed sensitive information about the company payroll to a scammer pretending to be the company CEO, Evan Spiegel.
Phishing scammers manipulate their targets, finding the weak points that push people into revealing valuable information. They use different angles to provoke people into careless and quick action: masquerading as higher-ups in an organization, emailing as the company IT department, sending “expiry notices”, setting up fake web pages, or asking for login details for a specific service.
It’s difficult distinguishing genuine communication from bogus messages, especially since cybercriminals can easily find information to use in their scams. Company profiles are accessible online, as are logos, legitimate headers, and other material. Employees should always be critical of “urgent” communication and unusual requests.
To help you recognize and avoid them, here are a few characteristics of classic phishing schemes:
Phishing scams ask for detailed personal information: names, account details, social security numbers, and more.
They use shortened links that redirect to malicious websites. Check the URL of sites you are redirected to—sometimes scammers use misspelled site URLs that mimic legitimate companies.
Some scammers try to create a sense of urgency to push users to act quickly and thoughtlessly. Properly assess the situation before giving away any information online.
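Two of the indicators listed above can be turned into automated checks. The following Python script is an added example, not code from the original article: it flags a sender whose display name matches an executive but whose address is off the company domain (the CEO-impersonation pattern), and links whose host is a URL shortener, a near-miss of a trusted domain, or a trusted brand buried in the subdomain of an unrelated host. The company domain, executive list, trusted domains, and sample message are all constructed for illustration, and the "last two labels" domain logic is a simplification that ignores public suffixes such as .co.uk.

```python
"""Heuristic phishing-indicator checks (added example, not from the original article).

All domains, names, and message text below are constructed for illustration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed reference data: the organization's own domain, its executives,
# the brands it deals with, and some well-known URL shorteners.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"evan example": "evan@example-corp.com"}  # display name -> real address
TRUSTED_DOMAINS = ("example-corp.com", "paypal.com", "microsoft.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot domains that are one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header: str) -> list[str]:
    """Flag display names that match an executive but come from a different address."""
    name, addr = parseaddr(from_header)
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}, "
                        f"expected {expected}")
    return findings


def check_url(url: str) -> list[str]:
    """Flag shortened links, typosquatted domains, and brands hidden in subdomains."""
    host = (urlparse(url).hostname or "").lower()
    rd = registered_domain(host)
    findings = []
    if rd in SHORTENERS:
        findings.append(f"shortened link ({rd}) hides the final destination")
        return findings
    if rd in TRUSTED_DOMAINS:
        return findings  # exact match on a known-good registrable domain
    for trusted in TRUSTED_DOMAINS:
        # near miss on the registrable domain, e.g. rnicrosoft.com vs microsoft.com
        if 0 < levenshtein(rd, trusted) <= 2:
            findings.append(f"{rd} looks like {trusted} (possible typosquat)")
        # trusted brand used as a subdomain of an unrelated host,
        # e.g. paypal.com.login-verify.example
        if host.startswith(trusted + "."):
            findings.append(f"{trusted} appears as a subdomain of {rd}")
    return findings


def analyze_message(from_header: str, body: str) -> list[str]:
    """Run the sender check and the URL check over every link found in the body."""
    findings = check_sender(from_header)
    for url in URL_RE.findall(body):
        findings.extend(check_url(url))
    return findings


# Constructed sample: executive display name on an external address, a typosquatted
# login link, and a shortened link, wrapped in the usual "urgent" framing.
SAMPLE_FROM = '"Evan Example" <evan.example@mail-relay.example>'
SAMPLE_BODY = ("Urgent: our payroll portal access expires today. Re-verify at "
               "http://rnicrosoft.com/login and confirm at https://bit.ly/3xyz")

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_FROM, SAMPLE_BODY):
        print("FLAG:", finding)
```

The edit-distance threshold of two catches single swapped or dropped characters and the classic "rn" for "m" substitution, but it will also flag unrelated short domains that happen to sit close to a trusted one, so in practice the output is a triage signal for a human or a mail gateway rule, not a verdict on its own.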
Mr. Robot: USB sticks poisoned with auto-running malware are dropped in front of a target's office as a lure for employees to pick up and use.
Baiting is a method that literally uses an attractive lure to bait or entice victims, ranging from physical lures such as poisoned USB sticks to the more common clickbait-y email and online ads. Some common forms of “bait” are free movies, merchandise, or tickets to big games and concerts. This is a particularly successful scam when scheduled to coincide with big events like international competitions, elections, and sold-out shows. More users are on the lookout for good deals, like discounted tickets or rare merchandise, and are likelier to click on suspicious links.
The typical tactic is for scammers to request login credentials or valuable personal information in exchange for a “big prize”, or users are redirected to malicious sites that harvest their details or deliver malware.
Scammers try to lure you in with urgent or loud calls to action—log in to claim your prize, last three shirts available, click this link to win tickets, etc. If you receive unsolicited emails or see social media posts that seem too good to be true, check the legitimate company website and see if they are really offering that particular deal.
Diamonds Are Forever: A classic tailgating scene—Bond distracts the researcher and pretends to have an access card to get into the restricted section.
Tailgating is one of the simplest and oldest tricks used by criminals. It is literally piggybacking, or following someone else, using their credentials to gain access to a restricted area. People used to do this on the subway—as the gate opens for someone else, they quickly slip through without paying.
Now, as more companies restrict certain sections of their offices, tailgating is becoming more of a problem. It’s common courtesy to hold the door open for someone—from coworkers with their hands full to visitors without access badges. But restrictions are vital to security. Besides ensuring physical safety, controlling access to certain areas of the workplace prevents equipment and intellectual property theft. Unfortunately, employees are lax about this particular rule and usually treat it as a security practice that doesn't matter much.
Reducing the Risks
Social engineering schemes are designed to prey on human vulnerability—a vulnerability that has proven to be the most difficult to "patch". While there is no silver bullet for securing an organization against social engineering tricks, there are a number of ways to reduce the security risks that can be traced to human error. Besides installing multi-layered security solutions that can actively guard against targeted attacks, organizations should also focus on increasing employee awareness and education on relevant threats, and outlining clear security policies. The main challenge is to make sure employees take these measures seriously, and also stick to them as part of a security-focused company culture.