Understanding Social Engineering
Cyber security is constantly in the news, with stories of businesses and consumers being targeted and affected. Hackers are sophisticated, and in many cases backed by government or criminal enterprises in an attempt to steal national or trade secrets. In the digital realm, a successful defense one day may not work the next. Security professionals are constantly updating their techniques in an attempt to thwart the latest attacks, while the bad guys of social engineering change their tactics to circumvent any new defenses.
You may picture a hacker as someone hunched over a computer, furiously typing to try and “break in” to someone’s network. The reality is, many of the most successful and lucrative attacks begin with social engineering. Social engineering is when a hacker tries to fool you into running software, providing personal information, or otherwise collecting sensitive information through deceptive means. It might start with a phone call, or even just an email, but their tactic is to contact you in a social manner – hence the name “social” engineering.
Spear phishing is one type of social engineering attack that’s on the rise and affecting local businesses right here in Maine. Spear phishing is a technique where attackers will attempt to steal money, intelligence, or information using a carefully crafted message – targeted specifically to you. Notice I said “attackers”? That’s because spear phishing is big business for organized crime. Many of these assailants have companies with employees, work regular business hours and have customers. They want to steal your personal or your company’s information and sell it, or gain access to funds through wire fraud.
Since antivirus, spam filtering and traditional methods of security are useless in these types of attacks, your only defense is to recognize when you may be the subject of a spear phishing attempt. The methods used often follow some standard practices, and recognizing these will help you to identify a potential exploit.
The email originates from someone you know
This is how they immediately gain your trust and trick you into lowering your guard. The email might appear to originate from a colleague, business associate or even a vendor. They might ask you to wire funds, but to keep it quiet for business reasons. They may ask you to provide a password or other security related information. Often, the attack occurs when an executive is on vacation or otherwise unavailable. The key here is to scrutinize the email for any discrepancies, and to confirm these types of transactions verbally. Don’t assume it’s legitimate when money or sensitive information is at stake.
The message is specifically targeted to you
They know your name, your position, and family member names – like it or not this information is available on the web if you know where to look. They may reference company or personal information to further gain your trust. Now the message becomes more believable.
The message may appear as if a conversation has already happened
In the attempts I’ve seen, the email contains what appears to be a conversation between two executives, and the message looks to be forwarded from one of them. The recipient reads the thread and is convinced the message is legitimate. However, upon closer inspection, the email addresses are slightly different or the correspondence may seem odd.
Social Engineering Attackers are watching you
They might look at your Facebook page, your LinkedIn account, and your company’s webpage – all in an attempt to gather information. Information such as projects you’re working on, vendors you partner with, or trips an executive is making are useful for creating these types of attacks.
While spear phishing attempts are impossible to prevent, acting on them is preventable.
Create business practices that will prevent these types of fraudulent transactions from happening in the first place
In the case of wire transfers, having a protocol that requires two forms of confirmation – one of which verbal – can stop a potentially fraudulent transaction from taking place. Have a business policy and procedure in place that requires this confirmation.
Train staff on security awareness
Regular training for staff on cyber security awareness is essential to keeping them on the lookout. As hackers find new methods to trick people, keeping up with these tactics is critical to your defense. Security awareness training is available from online vendors as well as local consultants.
Limit the type and content of information shared online
Going to a trade show? Heading out on vacation? Keep this information off your social media accounts. Hackers monitor these and will use your absence from the office to target your support staff.
Change passwords regularly, and keep your systems secure
Hackers that successfully break into your email or network might wait for the perfect opportunity to exploit your business. They can intercept email messages, create false invoices or use your systems to exploit other companies. Keep your systems up to date and use modern security practices to maintain a secure environment against social engineering.