Social Engineering and Ways to Mitigate Susceptibility
Social engineering: two words that are increasingly being talked about in normal, day-to-day conversation. If you are like me, when you first heard the term, you likely thought of something different than what this really encompasses. Let us unpack the term a bit and explore the meaning.
WHAT IS SOCIAL ENGINEERING?
- The use of centralized planning in an attempt to manage social change.
- The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Social engineering is a type of cybercrime that uses behavioral techniques to trick people into sending money or divulging confidential information like bank data, personal employee information, proprietary material, or passwords. An employee is intentionally misled into sending the information in written or verbal communication such as email, letter, fax or phone call. Methods can be as simple as infiltrating an email exchange by sending an email that appears to be from a colleague asking for urgent and immediate financial help, which dupes the recipient into clicking on a phishing link. Schemes can be as intricate as setting up replica login pages and phony callback numbers to gather confidential personal and account information. Some threat actors even build dossiers on their targets so they can use specific personalized information to gain their victim’s confidence to better execute their crime.
How does this happen?
If you think it will not happen to your organization, think again. This surprisingly successful fraud happens every day to unsuspecting employees when they receive a message that appears to be from a legitimate vendor, client, or supplier. In some cases, the fraudster infiltrates an email conversation and has been able to obtain the vendor, client, supplier’s (etc.) signature section to make it appear more legitimate. Phone numbers have been amended in the panel and would be directed to the fraudster who would of course, verify the information.
- Targeted attacks on businesses have risen 91% over the last year. There are over 100,000 social engineering attacks launched each day.
- All sizes of businesses can be targeted. 1 in 5 small businesses and 1 in 2 large businesses have reported a targeted attempt or attack in the past year.
- A manufacturer received an email that appeared to be from a vendor, requesting payment due to them be sent to a different bank account number due to an ongoing audit. The payment was made per the request. When the manufacturer received a past due notice and called the vendor, it was uncovered the vendor’s email accounts had been hacked and the payment sent was in fact fraudulent.
- A holding company received an email, requesting an additional $40,000 wire on a deal closing. The hacker created a fake email address mimicking the company’s CFO and sent to the internal controller. Not thinking much of the request, the controller sent the wire to get the deal closed. Upon passing the CFO in the hall, conversation was made that led them to discover they had been a victim of social engineering.
- An employee within the accounting department received an invoice from a procurement manager via the post on letterhead paper requesting that an enclosed invoice is settled immediately. It is subsequently discovered that the letter, supplier, and account have been set up fraudulently. Malicious email attachments disguised as purchase orders are extremely common, and in those cases the promise of new business for the company is the dangling carrot that gets employees to open malicious attachments. Even if they suspect the email is malicious or phony, they may open the attachment just to be sure.
- An email is received by the HR department to change the direct deposit information to a fraudulent bank account. Be sure to confirm with employees on changes like this, in person or on the phone before a major change to any employee’s information.
- An employee receives an email or text from a superior asking them to do them a favor. The next communication asks them to go purchase gift cards to give as bonuses to employees or gifts to clients. The key is that the fraudulent person asks the employee to scratch off the codes on the back of the cards and take pictures of them and send the pictures back to them, or they ask you mail them to an address you don’t recognize.
EASY TIPS & TRICKS
- Consider the source – Do not click on links or open attachments from suspicious sources – always err on the side of caution. See number 6 below to help discover suspicious sources.
- A text or email from your bank, is not necessarily from your bank. Spoofing is easy – always confirm legitimacy.
- If it sounds too good to be true – it might be. Investigate requests for money, tempting ‘enter to wins’, and requests for personal information or items of any value before handing over.
- Make sure your business is protecting themselves with security (antivirus, antimalware, etc.)
- Email software can help you! Most programs help filter out junk mail, including scams.
- For email, if the email format does not match your companies email format, it is a strong indication it is fraudulent. Also, select or hover over the sender’s email address. If it has not been masked, it will show the senders true (hidden) email address and indicates it is fraudulent.
- Fraudsters are impersonating the U.S. Social Security Administration (SSA). These fake SSA personnel contact random individuals, inform them that there has been a computer problem on their end and ask that those individuals confirm their Social Security Number, all for the purpose of committing identity theft. In other cases, detected by the Federal Trade Commission (FTC), malicious actors set up fake SSA websites that say they can help users apply for new Social Security cards but instead simply steal their personal information.
- Recently, employees in the accounting office have received calls from a person that says there is a problem with their W-2 company submission. They are then asked to resubmit the information to a different (fraudulent) website with a threat of large fines if it is not completed immediately. All of the company’s individual’s personal financial information was sent to the fraudsters.
Top security issues that HR may want to evaluate as part of its partnership role with IT security in your organization:
- Protecting company data when many staff members are working remotely.
- Ensuring that information security controls are in alignment with the organization's mission, goals, priorities, and initiatives.
- Defining and updating roles and responsibilities regarding access to data.
- Adhering to legal regulations and complying with industry norms.
- Maintaining well-documented policies, standards and best practices.
- Ensuring that procedures for reporting a data breach are known by all staff, and that procedures for responding to an incident can be carried out efficiently and without additional data compromises.
- Ensuring that your acceptable-use policy is comprehensive and clearly written.
Discuss with your risk advisor the potential risk of cybersecurity breaches and the outstanding resources provided by NCW.
Looking for a self-help tool to get started or to improve what you may have in place? Visit the Federal Communications Commission (FCC). They have a handy online tool called Cyberplanner, Create your custom planning guide now. Located here, https://www.fcc.gov/cyberplanner, this automated tool will help you create a custom cyber security plan for your company, guided by expert advice to address your specific business needs and concerns.
Also, the Department of Homeland Security, Cybersecurity & Infrastructure Security Agency has created this pdf document Cyber Essentials. It is a guide for leaders of small businesses as well as leaders of small and local government agencies to plan and develop an actionable understanding of where to start implementing organizational cybersecurity practices.