Social engineering: The biggest security risk to your business

It's not your network, but your own well-meaning employees that could be the gateway for hackers

Most businesses have spent time and money educating their employees on the threat of phishing emails. Many attempts are clumsy and riddled with mistakes and typos, making them easy to spot and delete before any harm is done.

But social engineering scams - when cybercriminals target specific departments and users with communications tailored to look like they come from a senior figure, supplier or job applicant - are on the rise and are much harder to spot. Let's dig a little deeper into this worrying trend and the impact on businesses.

Social engineering? Sounds sinister.

It is, but not in an Aldous Huxley, Brave New World kind of way. The dictionary definition would be something like: "Deception with the intent of gaining confidential information for fraudulent purposes." In practical terms, this typically means someone trying to trick you into sharing your login credentials, or installing malware.


Ah, you mean like phishing. Isn't that a consumer problem?

Phishing is one social-engineering trick, but the definition includes any attack methodology that relies on trust and deception. And it's certainly not merely a consumer problem: when Imperva researchers set up honeypots to attract phishing attacks, they found that business data was highly sought after, with 25% of the attackers going for business-related targets.

So what types of attack do we need to look out for?

We're all familiar with scattergun phishing emails, but you should also be on the alert for highly targeted attacks ("spear phishing"); these can be much harder to spot, because they appear to come from a trusted source and include information specific to the recipient.

Then there are those telephone calls pretending to be from Microsoft support, that actually want to gain remote access to your computer. And don't discount the possibility of someone walking confidently into your offices, smooth-talking their way past the reception desk and gaining physical access to your IT systems.

Surely not many people fall for these tricks?


The trouble is that a social engineer only needs to fool one person in your organisation to gain access to your networks and data. Indeed, talk to any IT security professional and they'll tell you that most data breaches today start with a social engineering attack of some kind. It's often much easier to exploit an individual than to mess around with technical hacks.

So what should we do if one of our employees falls for a social-engineering attack?

Well, don't blame them. Employees are only human, and in most cases they're trying to do the right thing. MWR InfoSecurity did some simulated phishing research last year, and found that spoofed emails, supposedly from the HR department of their organisation, fooled nearly three-quarters of recipients into clicking a phishing link and providing their credentials.

For similar reasons, social media is often a channel for social engineering, as it provides a ready-made network of trust. The same researchers found that when an email (even one sent to a work address) asked the recipient to connect via a social media channel, roughly 25% clicked the included link. This led them to a fake login screen where 54% entered their credentials, and of those, 80% then downloaded a malicious executable.


Is there a technical solution we can deploy?

Unfortunately, it's not as easy as just installing product X, as social engineering targets people as much as computers. There are technical measures that should be part of your defences, such as two-factor authentication, which limits the damage a stolen password can do, and disabling remote access to files and servers where it's not needed. However, all of this needs to be deployed in tandem with user awareness training.


What's the best way to make users aware of the risks?

As is so often the case, the best way to learn is through experience. There are many organisations that provide phishing simulations, to show users how they can get fooled and help them recognise such situations when they occur for real. Again, though, don't blame staff if they do get tricked: that only isolates them from the security process, and you'll get better results, not to mention a happier workforce, if they feel trusted and involved with company security.

Five classic social-engineering tricks

USB seeding is where malware-infected USB sticks are dropped outside a target building, or even left on tables in reception or at a local coffee shop frequented by employees. Far too often, a curious finder immediately plugs the stick into their work PC, and boom goes your network security.

A similar exploit is the "Israeli Trojan" trick, in which supposed product demo CDs were sent to target individuals within an enterprise. Many would insert the CD without giving it a second thought. Today the threat actor might even make contact ahead of time, so the recipient is expecting to receive the disc or email, and is therefore more inclined to trust it.

Phishing attacks work well with social engineering. If someone in the accounts department receives an 'URGENT INVOICE' email towards the end of the month that looks legitimate, damage can be done by them simply clicking the attachment, especially if the file name has been spoofed to make an executable look like a .pdf.

Caller-ID spoofing involves making phone calls, or sending text messages, from a spoofed number which appears as a genuine contact to the recipient. Since the line of communication is already trusted, this approach is both subtle and dangerously effective.


One final approach, which the FBI estimates has cost businesses $2.3bn, is the CEO scam. This is an email or other communication purportedly from the CEO sanctioning an urgent transfer of money. Cybercriminals using this method normally work hard to make the message look legitimate, and send it to a few carefully chosen employees, increasing the chances of catching someone off guard who will send the money quickly.
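The phishing item above mentions attachments whose extension is disguised to look like a .pdf. The following checker, added here as an illustration and not code from the article or any vendor, shows the three common disguises a mail gateway or security team can flag: a double extension (invoice.pdf.exe), a right-to-left override character that reverses the displayed tail of the name, and a run of padding spaces that pushes the real extension out of view. The extension lists and sample file names are constructed assumptions.

```python
import re
import unicodedata

# Illustrative lists (assumption, not exhaustive): extensions that Windows runs on
# double-click, and benign document types a lure is dressed up to resemble.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def real_extension(name):
    """Return the extension the OS acts on, ignoring invisible format characters."""
    visible = "".join(c for c in name if unicodedata.category(c) != "Cf")
    base = visible.rstrip()
    return base.rsplit(".", 1)[1].strip().lower() if "." in base else ""


def analyse_attachment_name(name):
    """Return the reasons a file name looks spoofed; an empty list means none found."""
    reasons = []
    # Unicode format controls (category Cf) include the right-to-left override
    # U+202E, which reverses the displayed tail so the name can appear to end in .pdf.
    if any(unicodedata.category(c) == "Cf" for c in name):
        reasons.append("invisible format/bidi control character in file name")
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"final extension '.{ext}' is executable")
        # Double extension such as invoice.pdf.exe: a document type sits in the middle.
        middle = [p.strip() for p in name.lower().split(".")[1:-1]]
        if any(p in DOCUMENT_EXTS for p in middle):
            reasons.append("document extension precedes executable extension")
    # A long run of spaces before the last dot pushes the real extension out of
    # view in a narrow attachment column.
    if re.search(r" {10,}\.", name):
        reasons.append("padding spaces hide the real extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, not taken from any real campaign.
    samples = ["invoice.pdf", "invoice.pdf.exe",
               "invoice\u202efdp.exe", "invoice.pdf" + " " * 24 + ".exe"]
    for s in samples:
        print(repr(s), "->", analyse_attachment_name(s) or "ok")
```

Such a check complements, rather than replaces, blocking executable attachment types outright at the gateway.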

Picture: Shutterstock
