Does Social Engineering Threaten Your Company’s Data?

Posted by Steven Vigeant on 6/6/17 8:30 AM


What came to mind? If your mental image of a hacker is informed by Hollywood stereotypes and stock imagery, you thought of a shadowy figure, bathed in the green glow of multiple screens, furiously pounding out complex algorithms and arcane programming.

If only that were accurate. The truth is, the perpetrators of some of the most devastating cyber attacks of recent years relied more on charm and quick thinking than on technical wizardry.

Hackers succeed by exploiting weaknesses. And long ago, they discovered that the weakest element of most systems is the human element.

It’s easier to talk someone into giving up their password than it is to crack it through sheer computing power. And hackers are all about what’s easier.

What Is Social Engineering?

Security experts call any attempt to manipulate people into revealing confidential information social engineering. Essentially, it’s people hacking, and it’s the dominant form of hacking today.

4 Ways Your Business Is Vulnerable to Social Engineering

How might social engineers wheedle their way into your company’s data systems? Here are four of the most common — and surprisingly low-tech — methods of attack.

(Note: These forms of social engineering are not necessarily standalone. Hackers often mix and match their methods in pursuit of your company’s secure data.)

1. Via Email

By some estimates, phishing — impersonating a trusted sender via email to trick a recipient into giving up private information — accounts for 77 percent of all social engineering attacks. As phishing becomes more targeted and sophisticated, it becomes spear phishing or whaling.

Phishing works because most people simply aren’t that observant about their email. An average employee, for example, won’t notice when an email from “the CFO” is actually from someone with a similar, but subtly different, address.

Phishing scammers also gain power through the wealth of information available about almost anyone these days on social media. When details about you such as where you like to eat, what conferences you attend, where you went to school, and who you know are free for the taking on LinkedIn or Facebook, hackers have little trouble impersonating you.
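The lookalike sender address described above is something a mail filter can check for automatically. The following Python sketch is an added example, not part of the original post: it compares an incoming From header against a directory of trusted senders and flags near-miss addresses and reused display names. The directory entry, the sample headers, and the distance threshold of 2 are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed directory of trusted senders: display name -> real address.
TRUSTED = {"Dana Reyes": "dana.reyes@example.com"}


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'lookalike', 'display-name-spoof' or 'unknown'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known = {a.lower() for a in trusted.values()}
    if addr in known:
        return "trusted"
    # A near miss on a real address (examp1e, exarnple) is the strongest signal.
    if any(edit_distance(addr, k) <= max_distance for k in known):
        return "lookalike"
    # A trusted person's name on an unrelated address is the other common trick.
    if name.strip().lower() in {n.lower() for n in trusted}:
        return "display-name-spoof"
    return "unknown"


# Constructed sample From headers, not taken from real mail.
SAMPLES = [
    '"Dana Reyes" <dana.reyes@example.com>',
    '"Dana Reyes" <dana.reyes@examp1e.com>',
    '"Dana Reyes" <dana.reyes@exarnple.com>',
    "Dana Reyes <dreyes.cfo@freemail.example>",
    "Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):20} {header}")
```

A verdict of "lookalike" or "display-name-spoof" is a reason to quarantine the message or add a warning banner, not proof of fraud.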

2. Through Social Media

Social media isn’t just a source of personal information for hackers. As more and more online communication is conducted on social media sites, hackers have gravitated to these online watering holes in hopes of snaring new prey. In the fourth quarter of 2016, social media-driven phishing attacks jumped 500 percent.

One of the most common forms of social media-based attack is for the hacker to pose as a customer service representative of a popular brand on Facebook or Twitter.

Here’s an example of a hacker masquerading as PayPal support on Twitter. The account looks official and uses the PayPal logo. Would you have noticed the difference?

3. By Phone

Now well into its second century of use, the telephone remains a favorite target of criminals. Why bother with cryptography when you can simply call someone up and ask for their credit card number? So-called “vishing” relies on our tendency to trust that the person on the other end of the telephone line is who they say they are.

For example, the BBC describes how one small business owner lost over £100,000 to scammers posing as her bank’s fraud team. “They were completely professional, it was a clear line, they knew my name, they called me on my landline, they used all the language,” the businesswoman said.

4. Physically

Suppose you found a thumb drive in a company restroom labeled “Executive Salaries.” Could you resist plugging it into your computer? Could everyone else in your organization also resist?

Cybercriminals have devised some cunningly simple ways to implant malware on corporate networks, exploiting nothing more than human curiosity and greed.

Back in 2006, for example, a security firm scattered 20 malware-infected USB drives across a client’s parking lot. Fifteen were found and plugged in. Had they been left by more nefarious forces, that company would have been in serious trouble.

What Can You Do to Prevent Social Engineering?

Your company’s first line of defense against social engineering is education. Because they are the weak links in the system, your users must understand the risks of careless emailing, sharing confidential information by phone, and inserting strange media into their devices.

A strong, enforceable data security policy will help keep your users accountable. Click here for some tips on creating one.

Especially if your business is small and lacking in IT resources, consider partnering with experts that can help you not only educate your users and draft a security policy, but implement and monitor the technical controls that will help guard against fraudulent emails and unwanted incursions into your data.

For more on what an IT partner can do for your business, click here for your free copy of “The Ultimate Small Business Guide to IT Outsourcing.”
