Have you ever received a call from someone asking for a colleague’s phone number or email address? Most people would think that it’s normal to get such calls. It could be a family member or a customer trying to get hold of your colleague. Providing their contact details would seem harmless, and actually an opportunity to help a stranger out. But what if this colleague is someone who has access to sensitive or proprietary information? Would you think again about giving a total stranger their information? If you find yourself in this position, you have probably fallen victim to social engineering.
Social engineering is “the act of using any method conceivable to convince an employee to give up passwords, computer access, or admittance to off-limits areas that a social engineer can use to steal sensitive data or access.” Social engineers persuade employees to provide sensitive information by pretending to be an insider, a customer or an individual with good intentions.
One example of social engineering was a phone call received by a technical support employee of an IT company. The employee was logged on to the phones and was anticipating calls from customers with IT concerns, when a person on the other end of the line introduced himself as another team member who had got lost in the telephone menu. Although the person sounded like a foreigner, he was able to provide the name of an executive and asked for that executive’s phone number and email address. He told the technical support employee a story that he was supposed to meet the executive at the airport, but he had arrived quite late, so he needed to know his whereabouts. The person was very persuasive and sounded like he was in a hurry, so the technical support employee looked the name up in the company directory and provided both the email address and the phone number. Little did he know that a group of hackers had been trying to get into the company’s CRM to steal customer information and sell it to a competitor.
Social Engineering Protection & Awareness
Needless to say, companies big or small should invest in training their employees about the threat of social engineering. Social Engineering Protection & Awareness training can be delivered in both eLearning and classroom formats, and is normally supplemented with an information drive carried out by email, by printing posters or by facilitating roadshows.
A yearly or quarterly refresher may be given to employees to ensure learning retention and to update them on new trends or techniques employed by attackers.
Social Engineering Protection & Awareness Training Content
Social Engineering Protection & Awareness training typically discusses the different techniques used by cybercriminals to trick employees, corporate policies and procedures, as well as examples of social engineering attacks.
Techniques Used by Social Engineers
The first technique is dubbed “classic social engineering”. Initiated either in person or by phone, a social engineer pretends to be a VIP (usually from IT) and demands information from the person who answers the phone or welcomes guests at the front desk. These scenarios may include demanding employee IDs in order to solve an IT-related problem, or claiming to be a utilities auditor and requesting access to the server room. When the employee succumbs to the request, cybercriminals are given legitimate access to the network.
Another technique used by cybercriminals is “email social engineering”. Also known as phishing, it has a high success rate and costs the average U.S. company more than $3.7 million per year. Attackers send legitimate-looking emails that actually contain malware or links to phishing websites to the employee distribution list.
The last technique in social engineering is called opportunity social engineering. It is called that because cybercriminals do not need to make deliberate attempts at getting information themselves, but wait for employees to voluntarily provide the information in error. For instance, careless employees might pick up a malware-infected USB stick and use it to store work files. Attackers can use this opportunity to get malware into the company’s whole network. Sneaky social engineers may plant such rogue hardware in parking lots, smoking areas or even cafeterias that employees frequent.
Corporate Policy on Social Engineering
Policies and procedures on social engineering are an important part of Social Engineering Protection & Awareness training. This module should help employees determine when they are in a social engineering situation, assess a possible attack, avoid providing any information, and document any attempt, whether or not it was successful.
Some examples of policies and procedures include:
- Require ID verification when anyone tries to access physical locations that are off-limits
- Report suspicious situations or people to the appropriate authority
- Bar the use of USB sticks, external hard drives and other storage media other than those provided by IT
- Report lost or stolen ID badges within 12 hours of the loss
- Be wary of emails from addresses you have not seen before
- Forward suspicious emails to a special mailbox set up by IT
- Inform a superior if there is any reason to suspect a social engineering attempt
Real-life Social Engineering Scenarios
Training employees on the dangers of social engineering is more effective when they know exactly what an attack is like. If there has been a previous attempt to steal information from the company using social engineering, the entire story should be described in detail during the training. Some of these attacks are perpetrated by the same group of people, so their style of convincing employees to give up sensitive information will likely be the same whoever the victim is. Testimonials from people who encountered social engineers or who were involved in the attack are very effective in fostering social engineering awareness. In cases where an attack has not yet happened within the company, the next best thing is to include case studies from organizations in the same industry.
Despite the advancements in social engineering techniques, organizations can defend themselves through awareness and rigorous training. Employee training, combined with encouragement from managers and an effective visual campaign, will ensure that social engineers do not get away with the company’s data and tarnish its reputation.