Let’s say you work in the accounting department of a mid-sized business and receive an email from your CEO. She says she needs $2,000 wire-transferred to account number xxx-xxx-xxx immediately. It seems urgent. The email address is hers, the email signature is correct, and there’s nothing else odd about the email, other than that your CEO doesn’t typically ask for a transfer without calling first. You begin initiating the transaction, but decide to double-check with your CEO. You discover she never sent the email, and that you were nearly the victim of a social engineering scam.
Users are getting wise to many types of cons and are becoming more vigilant. The old-hat Nigerian Prince scam isn’t succeeding like it used to, but cyber-criminals make a career out of fooling people, and they’re good at it. Hackers, scammers, and other nasty cyber folks are becoming more sophisticated, and many are turning to social engineering.
At its core, social engineering is a method of manipulating people into either performing an action or releasing information. For your average person, information might be credit card or social security numbers, but at a business, a scammer might be trying to gain confidential information and employee credentials with the goal of somehow getting money.
But what’s the real threat of social engineering, and how do we make sure end users from the mail room to the boardroom see through these scams?
How Big is the Threat?
According to a 2017 report by Verizon Wireless, social engineering is becoming one of the most common forms of security incident for businesses. Their study covered 42,068 security incidents, and of the documented 1,935 breaches in their study, 43 percent of them involved social engineering – that’s nearly half! While encryption, physical security, firewalls, and other security measures get much of the airtime, social engineering is clearly the other half of the security story.
When scammers can so easily spoof emails, put fear into people, and cause general mayhem as they try to get what they’re after, how do you make sure users aren’t fooled? In general, it’s a matter of making employees aware of what kinds of scams to look for, as well as establishing policies that prevent things like rogue wire transfers from happening. Let’s dig in.
Types of Scams to Look For
There are four typical ways a social engineering scam happens: through email, phone call, text message, or in person. As you instruct users on what to look for, you can pass these examples to them, so they have a clearer picture of just how sophisticated some social engineering has become.
Email. As we explored, a user can get an email that appears to be from a CEO, IT department, or colleague but is just a clever forgery. The email could ask the recipient to transfer money, download a patch, open an attachment, or even share various user credentials. Often, attachments in these emails install malware, typically ransomware or tools that give cyber criminals remote access to that machine. This lets them look for the information they’re hoping to steal, or carry out whatever action will lead to them getting some quick cash.
Phone calls. A common phone-based scam involves the IRS. You’ll receive a call from a number based in Washington (or spoofed to appear to be from Washington) and a recorded voice will explain that you owe a few thousand dollars to the IRS and that you’ll end up in prison if you don’t pay. It’s a scary thought, and some people believe it, but it’s just a scam. If the IRS does have a grievance, you’ll more likely receive a letter – not an automated call. That’s just one example. Some scammers call pretending to be a credit card company and will already know your name and company – they then may ask you to verify your card number, which you read to them, and bam. They just got your card info.
Text messages. Like the email scam, someone will typically text you and try to convince you they’re someone they aren’t and that they need something you have. Sometimes it’s a text claiming to be from a bank or card company, but it could also be a text claiming to be someone you work for, asking you to provide information or to complete a task (like the wire transfer we mentioned).
In person. In some situations, someone might try to enter your place of business and lie to get past the front desk. They could be interested in stealing corporate secrets, sabotage, or any number of nefarious things. Maybe they have all the details down. They could know the CEO’s name, claim to have a meeting, and just casually try to get access to areas they shouldn’t. If they do get in, who knows what they’ll do?
Keeping Users Vigilant
With an understanding of how some of these social engineering scams happen, companies should develop policies that stop them. For instance, a policy could state that a CEO will never ask accounting to transfer money without going through a formal process. Another could state that the IT department won’t randomly ask you to install a patch, because they’ll call you first to explain what it’s for. To keep out unplanned visitors, maybe the front desk has a calendar of every person coming in, and perhaps visitors must be accompanied by an employee and wear a visitor badge.
Practical steps like these can help avert most cases of social engineering, but more importantly, users should be on the lookout for these scams. If they get an email or phone call that’s strange or inconsistent, they should be comfortable asking a manager about it. This way no information gets in the wrong hands.
Scams are always evolving, so it’s crucial for every company not only to develop security policies that address the prevention of social engineering scams, but also to update them as new threats appear. Some companies may even choose to hire a third party to help with social engineering training, or develop their own regular training that employees are required to complete. Only by staying vigilant can companies prevent security breaches and stop the up-and-coming scams of tomorrow.