Social engineering poses one of the greatest threats to the security of a company. This article explains what social engineering is and how it can endanger your company’s IT. We’ll also look at measures you can take to protect yourself and your employees against social engineering attacks.
How social engineering works
Social engineering is a blanket term for various types of attack which primarily use non-technical methods to gain access to buildings, systems and information. The first target in an attack of this nature is always a person, and the tools are psychological: trust, helpfulness, fear and time pressure. According to the 9th Cost of Cybercrime study conducted by Accenture and the Ponemon Institute, last year alone saw an 18% increase in cyber attacks, and 4% of these involved ransomware. A successful social engineering attack is frequently the delivery route for ransomware. The 40 German companies who took part in the study reported financial losses totalling $13 million; for the German economy as a whole, the total damage is likely to have been much higher.
Primarily, two techniques are used to wheedle personal details and company information out of employees: phishing and vishing (voice phishing).
Phishing
Phishing (from ‘fishing’, spelt with the ‘ph’ borrowed from phone phreaking) describes a wide range of techniques used to steal confidential data from companies and private individuals, or to infiltrate their computers with malware. Every phishing attack offers the victim ‘bait’ – it appeals to a particular need or emotion and exploits the target’s trust or naivety. Attackers deliver this digital bait via (spoofed) emails, (spoofed) websites, messenger services, social media and – increasingly – apps on mobile devices. Many of these attacks are conducted as wide-spread campaigns and target a large number of arbitrary victims in the hope of stealing private data. Others, however, target individuals very specifically. These attacks are known as ‘spear phishing’, or ‘whaling’ if the victim is particularly high profile. Because they are tailored to the target, both of these forms of phishing are extremely dangerous for companies.
In general, a successful phishing attack takes the following course: an employee opens an apparently harmless email. They then either click on a link which leads to a malicious website or open an attachment which contains malicious code. Often that is all it takes to compromise the workstation, and from there the rest of your network. Thanks to social media and other online resources, a great deal of information on your personal interests, your employees and your company is freely available. As a result, phishers are able to address people by name and tailor their messages to look deceptively genuine. In turn, this means that your employees are more likely to open the emails and click on links which they ought to avoid at all costs.
Vishing
Vishing takes the scam to a new level. The attacker calls someone – typically a member of your IT help desk – and volunteers a few details about a third person (name, date of birth) to sound credible, then asks for that person’s login details or further information about them (employee reference number, private email address). The attacker may make several calls, extracting a snippet each time, until they hold enough to mount a targeted attack on the person in question or to impersonate them. When the person impersonated is a senior executive and the aim is to have an urgent payment released, the scam is known as ‘CEO fraud’. The practical defence is simple: the help desk never releases or resets credentials on a caller’s say-so, but calls back on a number already on file or verifies the caller through a channel the caller did not choose.
What you can (and should!) do
Security guidelines and operating procedures alone cannot protect critical resources. Social engineering attacks are becoming more and more sophisticated, and new employees, who do not yet know the people and processes, are particularly vulnerable. So what’s the answer? Given the nature of these attacks, a two-pronged approach is wise: firstly, protective technology; secondly, awareness amongst your employees.
Three steps to raising awareness amongst employees
We titled this article ‘Humans – the weak link in the chain.’ Social engineering specifically exploits human trust and human fears in order to steal information. So by making your employees understand the most common forms of attack and making them aware of security and data protection issues, you’ve effectively covered the first weak spot in your line of defence.
- Begin by ascertaining the current level of awareness in your company on IT security and social engineering. Help your employees to understand why discretion is vital for the security of the company.
- On a regular basis, organise workshops and conduct tests for ‘high risk’ employees and/or the most common behaviour patterns. And be aware that ‘high risk’ does not necessarily mean uninformed. Employees with lots of power and lots of access rights are the most attractive victims.
- Use a combination of interactive training methods and simulated social engineering attacks to empower your employees and teach them not only to recognise potential threats, but also to respond with the right security decisions.
Emergency measures: things you definitely need to know
The following list contains an overview of the things you need to know in order not to fall victim to a social engineering attack.
- Social engineering emails generally display one or more of the following characteristics:
- the addressee is urgently requested to disclose personal or financial information;
- the addressee is threatened with ominous repercussions if they fail to respond;
- the addressee is urged to keep the email confidential;
- the sender is unknown, or writes from an unexpected address, and offers a reason for it (‘Can’t access the company server at the moment…‘ / ‘I don’t want people to know about this, which is why I’m using my private address…‘).
- Monitor your business bank accounts regularly to make sure there are no unauthorised transactions. The two-man rule (four-eyes principle) makes sense here: if a transfer order arrives by email – and you can never be fully sure where an email has come from – at least two employees should independently approve the transfer, ideally after confirming it with the requester on a phone number you already know.
- Sign your emails digitally (for instance with S/MIME or OpenPGP). This has two advantages: firstly, the recipient can verify with your public key that the message was signed by the holder of the matching private key, i.e. that it really came from you; secondly, the same check proves that the message was not altered in transit. One caveat: a signature only proves anything when the recipient checks it against the key or certificate they already know to be yours. A valid signature under an unknown key is no evidence of who sent the mail.
- Encrypt confidential emails. Never click on an unknown link, and never download files or open email attachments from unknown senders – in a business context just as much as privately. If you don’t know the contact, you didn’t ask for the file and you didn’t personally agree to receive it, tread carefully. Naturally, this is not about everyday interaction with customers. It is about attachments to unsolicited mail, and most particularly anything that lands in your spam folder: these are especially dangerous and deserve the utmost caution.
- Make sure your connections are secure, and only complete online transactions on websites that use HTTPS. Check the domain in the address bar as well: a padlock only tells you the connection is encrypted, and phishing sites use HTTPS too.
- Never disclose personal details over the phone. Distrust any email that urges you to contact a particular phone number in order to update personal details.
- Never disclose personal or financial information in an email.
- Distrust all online forms that request personal details, even if the email or website in question seems authentic. Phishing websites are often exact copies of real websites.
- Use spam filters, anti-virus software and firewalls, and make sure your systems are always up to date.
- If you use social networks, never trust a stranger. Restrict the amount of personal information you disclose. Never upload personal information such as upcoming holiday plans or photos of your house. Any details you share can be used to steal your identity.
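The email characteristics listed above (urgency, threats, demands for secrecy, an unknown or disguised sender) can be turned into a cheap first-pass check. The following Go program is an added example written for this article; it is not part of the original page or of any Materna Virtual Solution product. The phrase lists, the two sample messages and the trusted domain example.com are constructed for illustration, and the checks are deliberately simple: a real mail filter would add SPF/DKIM/DMARC results, link analysis and far larger phrase lists.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Finding is one red flag raised for a message.
type Finding string

// Phrase lists are illustrative assumptions for this example, not a vetted
// detection ruleset; a production filter would use far more and weight them.
var phraseGroups = []struct {
	label   string
	phrases []string
}{
	{"urgency", []string{"urgent", "immediately", "within 24 hours", "confirm your password", "bank details"}},
	{"threat", []string{"will be suspended", "will be locked", "legal action", "lose access"}},
	{"secrecy", []string{"keep this confidential", "do not discuss", "between us"}},
}

// domainOf returns the lower-cased part after the last '@', or "" if none.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

func isTrusted(trusted []string, domain string) bool {
	for _, t := range trusted {
		if strings.EqualFold(t, domain) {
			return true
		}
	}
	return false
}

// ScoreMessage applies the characteristics listed above to one raw RFC 5322
// message and returns every red flag it raised. An empty result does not
// mean the mail is safe; it only means none of these cheap checks fired.
func ScoreMessage(raw string, trustedDomains []string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	text := strings.ToLower(msg.Header.Get("Subject") + " " + string(body))

	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("From header: %w", err)
	}
	fromDomain := domainOf(from.Address)

	var findings []Finding

	// Unknown sender, plus the two common tricks that make an outside
	// address look internal in a mail client: an address-shaped display
	// name, and a Reply-To that silently redirects the conversation.
	if !isTrusted(trustedDomains, fromDomain) {
		findings = append(findings, Finding("sender domain not trusted: "+fromDomain))
	}
	if strings.Contains(from.Name, "@") && domainOf(from.Name) != fromDomain {
		findings = append(findings, Finding("display name looks like a different address: "+from.Name))
	}
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if replyTo, err := mail.ParseAddress(rt); err == nil && domainOf(replyTo.Address) != fromDomain {
			findings = append(findings, Finding("Reply-To redirects to another domain: "+domainOf(replyTo.Address)))
		}
	}

	// Urgency, threats and demands for secrecy in subject or body.
	for _, g := range phraseGroups {
		for _, p := range g.phrases {
			if strings.Contains(text, p) {
				findings = append(findings, Finding(g.label+": "+p))
				break
			}
		}
	}
	return findings, nil
}

// Constructed sample messages for this example; not real mail.
const phishingMail = "From: \"m.weber@example.com\" <m.weber@example-mail.net>\r\n" +
	"Reply-To: m.weber.travel@webmail-example.org\r\n" +
	"To: finance@example.com\r\n" +
	"Subject: Urgent: confidential payment\r\n" +
	"\r\n" +
	"I can't access the company server at the moment. Please transfer the\r\n" +
	"amount to the bank details below immediately. Keep this confidential\r\n" +
	"until the deal is signed, otherwise we will lose access to the contract.\r\n"

const benignMail = "From: \"Anna Schmidt\" <a.schmidt@example.com>\r\n" +
	"To: team@example.com\r\n" +
	"Subject: Minutes from today's meeting\r\n" +
	"\r\n" +
	"Hi all, the minutes are in the shared folder as agreed. Anna\r\n"

func main() {
	for name, raw := range map[string]string{"phishing": phishingMail, "benign": benignMail} {
		findings, err := ScoreMessage(raw, []string{"example.com"})
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d flag(s) %v\n", name, len(findings), findings)
	}
}
```

Run it and the constructed phishing mail raises six flags (untrusted domain, address-shaped display name, diverted Reply-To, urgency, threat, secrecy) while the meeting minutes raise none. The interesting flags are the structural ones: a display name that itself looks like an internal address, and a Reply-To that points away from the From domain, are exactly what the ‘I’m using my private address’ pretext produces on the wire.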
These measures – or basic rules – create a solid basis for handling information securely. Stay on the ball, and read the latest blogs and websites on security issues to find out about the most recent tricks and threats.
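To make the point about digital signatures concrete (authenticity and integrity come from one check, and only against a key you already trust), here is an added Go example written for this article, not code from the original page or from any product mentioned on it. It uses a raw Ed25519 key pair from the standard library as a stand-in for the S/MIME certificate or OpenPGP key a mail client would use; the sender addresses, the key directory and the invoice text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyDirectory maps a sender address to the public key we have verified out
// of band (with real email this is the S/MIME certificate chain or an OpenPGP
// key whose fingerprint was checked). Only a signature that verifies under
// the key on file for the claimed sender says anything about who sent the mail.
type KeyDirectory map[string]ed25519.PublicKey

var (
	ErrUnknownSender = errors.New("no trusted key on file for sender")
	ErrBadSignature  = errors.New("signature invalid: message altered or signed with another key")
)

// Sign produces a detached signature over the message body.
func Sign(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, body)
}

// Verify checks two things at once: that the signature is valid for this
// exact body (integrity) and that it was made with the key the directory
// holds for the claimed sender (authenticity). A missing key is a failure,
// not a pass.
func Verify(dir KeyDirectory, claimedSender string, body, sig []byte) error {
	pub, ok := dir[claimedSender]
	if !ok {
		return fmt.Errorf("%w: %s", ErrUnknownSender, claimedSender)
	}
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("%w (%s)", ErrBadSignature, claimedSender)
	}
	return nil
}

// Scenario plays through the cases a recipient must be able to tell apart
// and reports whether each one passed verification.
func Scenario() (genuine, tampered, forged, unknown bool) {
	cfoPub, cfoPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The attacker also owns a perfectly valid key pair, just not the one
	// the recipient has on file for the CFO.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := KeyDirectory{"cfo@example.com": cfoPub}

	body := []byte("Please pay invoice 4711, EUR 12,500, to our usual supplier account.")
	sig := Sign(cfoPriv, body)
	genuine = Verify(dir, "cfo@example.com", body, sig) == nil

	// Someone changes the payee in transit; the old signature no longer fits.
	altered := []byte("Please pay invoice 4711, EUR 12,500, to the new account below.")
	tampered = Verify(dir, "cfo@example.com", altered, sig) == nil

	// The attacker signs the original text with their own key and sends it as the CFO.
	forged = Verify(dir, "cfo@example.com", body, Sign(attackerPriv, body)) == nil

	// The same forged mail, now claiming a 'private address' nobody has a key for.
	unknown = Verify(dir, "cfo.private@webmail-example.org", body, Sign(attackerPriv, body)) == nil
	return
}

func main() {
	g, t, f, u := Scenario()
	fmt.Printf("genuine=%v tampered=%v forged=%v unknown-sender=%v\n", g, t, f, u)
	// Prints: genuine=true tampered=false forged=false unknown-sender=false
}
```

The forged and unknown-sender cases are the ones that matter for social engineering: the attacker’s signature is cryptographically perfect, it just belongs to the wrong key. A mail client that shows a green tick for ‘some valid signature’ rather than ‘valid signature from the key I have for this person’ gives exactly the false reassurance a phisher wants.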
BYOD security
The precautionary measures detailed above are particularly relevant given the trend for companies to allow employees – almost as a matter of course – to use their personal mobile devices for business purposes.
This trend has various advantages, but also distinct disadvantages. One advantage, of course, is that using a private device saves time and money. You don’t have to spend time or money buying the device, because it’s already there – added to which, the employee already knows how to use it.
The disadvantage: few employees subject their devices to the same rigorous security standards that apply in the business environment. Passwords may be unsafe, the user may download apps from unknown sources, and the device may be borrowed by a friend or family member. All these pose security risks when one and the same device is used both professionally and privately.
Technological precautions can’t prevent social engineering. But applied wisely, they can make social engineering less likely to succeed. And above all, they can minimise the aftermath in the event of a successful attack. At the same time, you need to have a certain basic level of technological protection in place. Because if your employee’s mobile device falls into the hands of an attacker, it can be used as a weapon against you.
The Materna Virtual Solution approach
Materna Virtual Solution offers technological measures which considerably increase your level of protection for mobile work. The SecurePIM container app enables you to create a separate virtual environment on your employee’s mobile device which completely decouples business content from private content, so that weaknesses elsewhere on the device are kept away from company data. SecurePIM does not modify the operating system or any private applications on the device, and those applications cannot interact with the company IT inside the container.