When the Eagles won the Super Bowl, I’m sure if you live and work around the Philly metro you were excited. So excited that you (or a team member) might not have taken a second thought to open an email or click on a link to celebrate the victory.
When Hawaii’s Kilauea volcano erupted last week, I’m sure like most of America, you were thinking how terrible! If someone—anybody—sent you a note with a link to help aid victims of the volcano, I’m sure like most you would not hesitate to click.
But with either of these two scenarios there’s a problem. There was no video recapping the Eagles win. There was no place to donate for volcano victims. These were scams designed to fool you into doing something that you normally wouldn’t do. The scary thing is: it works.
It’s called social engineering. And it’s very effective.
Your Business Problem: If they can’t hack into your network, they’ll fool you some other way!
While one of the first ways cybercriminals use to get onto your network is through unpatched machines (see our recent discussion on patching for further details), another near bullet-proof method is by gleaning information from you or your users.
Note: if you have erected defenses and systems to protect your organization against cybercrime, kudos to you! If you haven’t thought about needing a plan, it’s never too late to get expert cybersecurity advice from a third party to make sure your business security strategy is meeting up with the current threat landscape.
But for today, let’s assume that you’ve at least started thinking about protecting your network’s infrastructure and are confident that you’ve got security covered.
Hackers still have plenty of tools in their toolboxes to bypass your systems. You might say, “we checked off all of our security requirements” (many industries do require you to check off boxes on checklists if you process credit cards or need to stay HIPAA compliant). But what we’ve been finding is that security cannot simply be completed as a checklist.
Remember the old saying, “there are many ways to skin a cat”? Well, there are also many ways for criminals to break into your network. And one alternative—when your network looks squeaky clean from an infrastructure perspective—is social engineering.
While social engineering has been around for decades (remember those African prince scams), hackers and scammers have upped their game, their targets and their prizes for getting people to fall for their schemes. Gone are the days when you sent a few hundred or a few thousand dollars by Western Union. Now the targets may be your entire business network and your sensitive or protected data (recall that medical records are worth nearly $1200!), used to ransom or exploit you, your team or your clients.
The money today is in information. And these hackers have gotten really good at gleaning info from you and your staff—where in many cases no one is the wiser until the attack is complete.
The result of social engineering?
Passwords onto your network—hackers will manipulate your staff to glean important passwords to access sensitive information on your network.
Bank account numbers and other sensitive information—scammers will engineer your accounting and HR teams to get critical bank account and social security information from them.
Social engineering is simply a new term for a game that is probably as old as time itself. By using psychological sleight of hand and deception, criminals apply old practices to exploit your business’s bits and bytes.
This type of cyberattack is far more difficult to defend against than a simple brute-force attack and takes considerably more skill to implement well.
Side Note: while there are plenty of skilled criminals with the will and ambition to social engineer their way onto your network to exploit you and your business, I want to emphasize that there are even more criminals without these skills who are simply using brute-force attacks to penetrate your networks (because many businesses leave their networks unpatched or under-protected).
What tools do criminals have in their back pockets to get onto your network?
Basically, they are using time-tested techniques that scammers have used for centuries, but with a different end prize (and more technology).
Phishing—as you likely know already, scammers have bombarded your users with emails convincing them they need to take action right away. While many phishing emails can and should be filtered out of user mailboxes (if you have questions about this, consider our free network security assessment to review your email settings), sometimes new scams get through email filters and into your users’ mailboxes, creating alarm and prompting immediate action that may prove very costly!
Ransomware—your employees may be duped into installing a piece of software that actually will encrypt and lock down ALL the files on your network (see a recent discussion on the latest ransomware attacks). You might be asked to pay a hefty sum of money just to restore your data (who knows if that will work!).
Pretexting—often scammers will come up with elaborate stories that show they’ve done their homework on you and your team. By impersonating friends, associates or people of authority within your organization, they will pry into your business network—seeking money, passwords, and valuable information—simply by doing some homework on Facebook and LinkedIn and pitching a relatively believable story to one of your users. One of the latest pretexting attacks involved HR departments giving away lists of W2 data, allowing scammers to falsely file tax returns and reap hefty refunds from your staff.
Water-holing—perhaps your team visits some social media sites during the workday to pass the time (or on their work breaks). Reminder: besides leading to a LOT of wasted time, web surfing can also open your business up to security risks. By clicking on links within popular sites like Facebook, they may inadvertently land on malicious sites that end up infecting their device or machine and ultimately your entire network.
Note: the examples above are only a smattering of the ways hackers have devised entry onto business networks, even at businesses that thought they had all their ducks in a row!
The bottom line is that scammers are trying to play off your natural behaviors, tendencies and emotions to get you to do something. They are social engineering specific scenarios to trigger a targeted action (most often relying on emotion to trump rational thinking) that the victim would otherwise second-guess.
How can your business help prevent social engineering attacks?
Technology—technology can certainly help your situation. If you have defenses on your network—firewalls, antivirus software, email filtering—you are certainly putting yourself in a much better spot than if you aren’t protecting your network at all.
Training your team—technology can only protect so much. If your team is on cruise control all day, they likely won’t do much good in efforts to fend off scammers. One of the best defenses is keeping employees alert, aware and suspicious. When new scams come out, make sure folks understand what’s going on and get them to recognize the scams. The best mentality is to scrutinize every single link before considering clicking it.
Are you keeping your users and network safe from cyberattacks (including social engineering)? Contact us TODAY for a free network security assessment!