Social engineering: The biggest security risk to your business

It's not your network, but your own well-meaning employees that could be the gateway for hackers

Most businesses have spent time and money educating their employees on the threat of phishing emails. Many attempts are clumsy and riddled with mistakes and typos, making them easy to spot and delete before any harm is done.

But social engineering scams - when cybercriminals target specific departments and users with communications tailored to look like they come from a senior figure, supplier or job applicant - are on the rise and are much harder to spot. Let's dig a little deeper into this worrying trend and the impact on businesses.

Social engineering? Sounds sinister.

It is, but not in an Aldous Huxley, Brave New World kind of way. The dictionary definition would be something like: "Deception with the intent of gaining confidential information for fraudulent purposes." In practical terms, this typically means someone trying to trick you into sharing your login credentials, or installing malware.

Advertisement - Article continues below
Advertisement - Article continues below

Ah, you mean like phishing. Isn't that a consumer problem?

Phishing is one social-engineering trick, but the definition includes any attack methodology that relies on trust and deception. And it's certainly not merely a consumer problem: when Imperva researchers set up honeypots to attract phishing attacks, they found that business data was highly sought after, with 25% of the attackers going for business-related targets.

So what types of attack do we need to look out for?

We're all familiar with scattergun phishing emails, but you should also be on the alert for highly targeted attacks ("spear phishing"); these can be much harder to spot, because they appear to come from a trusted source and include information specific to the recipient.

Then there are those telephone calls pretending to be from Microsoft support, that actually want to gain remote access to your computer. And don't discount the possibility of someone walking confidently into your offices, smooth-talking their way past the reception desk and gaining physical access to your IT systems.

Surely not many people fall for these tricks?

Advertisement - Article continues below

The trouble is that a social engineer only needs to fool one person in your organisation to gain access to your networks and data. Indeed, talk to any IT security professional and they'll tell you that most data breaches today start with a social engineering attack of some kind. It's often much easier to exploit an individual than to mess around with technical hacks.

So what should we do if one of our employees falls for a social-engineering attack?

Well, don't blame them. Employees are only human, and in most cases they're trying to do the right thing. MWR InfoSecurity did some simulated phishing research last year, and found that spoofed emails, supposedly from the HR department of their organisation, fooled nearly three-quarters of recipients into clicking a phishing link and providing their credentials.

For similar reasons, social media is often a channel for social engineering, as it provides a ready-made network of trust. The same researchers found that when an email (even one sent to a work address) requested the recipient to connect via a social media channel, roughly 25% clicked the included link. This led them to a fake login screen where 54% gave their credentials of whom 80% then downloaded a malicious executable.

Advertisement - Article continues below

Is there a technical solution we can deploy?

Unfortunately, it's not as easy as just installing product x, as social engineering targets people as much as computers. There are technical solutions that should be part of your defences such as two-factor authentication, to defeat password stealing, and disabling remote access to files and servers where it's not needed. However, all of this needs to be deployed in tandem with user awareness training.

Advertisement - Article continues below

What's the best way to make users aware of the risks?

As is so often the case, the best way to learn is through experience. There are many organisations that provide phishing simulations, to show users how they can get fooled and help them recognise such situations when they occur for real. Again, though, don't blame staff if they do get tricked: that only isolates them from the security process, and you'll get better results not to mention a happier workforce if they feel trusted and involved with company security.

Five classic social-engineering tricks

USB seeding is where malware-infected USB sticks are dropped outside a target building, or even left on tables in reception or at a local coffee shop frequented by employees. Far too often, a curious finder immediately plugs the stick into their work PC, and boom goes your network security.

A similar exploit is the "Israeli Trojan" trick, in which supposed product demo CDs were sent to target individuals within an enterprise. Many would insert the CD without giving it a second thought. Today the threat actor might even make contact ahead of time, so the recipient is expecting to receive the disc or email, and is therefore more inclined to trust it.

Phishing attacks work well with social engineering. If someone in the accounts department receives an URGENT INVOICE' email towards the end of the month which looks legitimate, damage can be done with them simply clicking the attachment, especially if the extension has been spoofed to look like a .pdf.

Caller-ID spoofing involves making phone calls, or sending text messages, from a spoofed number which appears as a genuine contact to the recipient. Since the line of communication is already trusted, this approach is both subtle and dangerously effective.

Advertisement - Article continues below

One final approach which is estimated to have cost businesses $2.3bn according to the FBI is CEO scams. This can be email or another communication purportedly from the CEO sanctioning an urgent transfer of money. Cybercriminals using this method normally work hard to make the message look legitimate, and send it to a few carefully-chosen employees, increasing the chances of catching someone off-guard who will send the money quickly.

Picture: Shutterstock

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now


digital transformation

Four ways CIOs can drive digital transformation

17 Jan 2020
Business strategy

CIO job description: What does a CIO do?

7 Jan 2020

How can you protect your business from crypto-ransomware?

4 Nov 2019
wifi & hotspots

How to boost your business Wi-Fi

22 Oct 2019

Most Popular

Microsoft Windows

Microsoft pulls disastrous Windows 10 security update

17 Feb 2020

How to use Chromecast without Wi-Fi

5 Feb 2020
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020