Social engineering is the use of deception to manipulate individuals into revealing confidential or personal information that may be used for fraudulent purposes. these cybercriminals are modern-day con artists and use social engineering as a non-technical strategy, relying on human mistakes.
It doesn’t matter how secure a network is or how complicated passwords are. The scary part about this is that a social engineer has the ability to get around all our latest and greatest and toughest cybersecurity protections because we trust them and we just hand over the direct access they need.
Social engineers use psychological manipulation to trick users into giving them sensitive information such as usernames and passwords or give them access to rooms or buildings.
It doesn’t matter how secure a network is
or how complicated passwords are.
For example, in October 2017, Yahoo disclosed that 3 billion user accounts were compromised. The compromised details included names, e-mail addresses, phone numbers, security questions (encrypted or unencrypted), dates of birth, and passwords. This data was also used to falsify login data, allowing hackers to grant access to any account without the use of a password. What’s more, the compromised data was also put up for sale allowing other cybercriminals to access this data as well.
How did this happen? One person fell victim to social engineering. That’s all it takes.
While the Yahoo example is probably one of the most widely known examples, social engineering affects companies with alarming frequency.
According to Cyber Edge, nearly four in five organizations were compromised last year.
Source: 2019 Cyberthreat Defense Report, CyberEdge Group, LLC.
CyberEdge also identified that two of security’s biggest obstacles are “Lack of skilled personnel” and “Low security awareness among employees”. In other words, people.
With close to 80% of companies affected by cybersecurity attacks, it’s only a matter of time before you and your organization are targeted — if you haven't been already. Social engineering is a huge part of your daily cyber threat, and it's important to have an understanding of:
- What it is,
- How it's used,
- What to look for, and
- How to protect yourself and your company.
In business, people are the most vulnerable point to security. Whether the attacker went through some people or just required one person’s details, it is remarkable how quickly any socially engineered attack can escalate.
So how does it work? Social engineering usually follows this pattern:
1. First, they study their target.
This can be done by tracking a person’s activities, habits, and interests. In today’s world, we all leave clues about our lives through what we buy, the information we post on social media sites like Facebook, the types of books we’re reading and even what we’re listening to.
2. Next, they gain the trust of their target.
It might seem like a random person is striking up a random conversation at the coffee shop who happens to have the exact same interests as you. Or the person could apply for a job, act as a trusted vendor or even provide assistance in some way. Anything to gain your trust and there are a lot of ways to gain the trust of an individual or even an organization.
Social engineers appeal to our interests, greed, frustrations, vanities, and weaknesses. In other words, the things that make us human.
3. Once we trust them, all they have to do is ask.
Here are some real examples:
- Someone posing as IT Support, using outside software to "help maintenance" your computer. They might imply that they’re with Apple, Microsoft, Google, some other well-known company or even one of your vendors.
- Someone asking you to hold the locked door for them because they forgot their ID badge.
- Someone posing as a friend on Facebook and sending you a link.
- Someone, again, seemingly a friend, sending you a video link with the text "Have you seen this video of yourself?"
- Probably the most common is someone posing as a contact and sending a phishing email. (The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.)
How to Protect Yourself and Your Company
There are a number of things you can do to help protect yourself and your company.
1. Get security awareness training for you and others in your company.
Help your company remove one of the biggest security obstacles by becoming more aware of security, how cyberattacks work, and what you can do to prevent them.
2. Slow down and become aware of what's happening.
We all have routines and habits. We make casual conversation. We hurry through some parts of our jobs. We don't hesitate to let this one friendly person that we’ve seen around into the building. We give the nice tech guy access to our computer. Once someone starts tracking our habits and routines, they can easily make their way into our peripheral without us even realizing it. We need to slow down and become aware of the who, why and when that we see every day.
3. Be “slightly” paranoid.
I'm not talking about going overboard with this, but yes, be paranoid about the person asking too many questions. Or, the person who is suddenly giving you lots of attention. When something seems fishy, question it.
3. Question certain requests or things that don’t seem right.
If an executive is suddenly contacting you directly to execute something you don't normally handle, question it. If someone is requesting information from you, question it. If you’re not expecting a file from a vendor, question it. If someone suspicious is in the building, question it. If your computer is behaving strangely, question it.
4. Say "no" until you have confirmation from someone you know you can trust.
It's okay to say "no" to letting that stranger from accessing your computer. To say “no” to sending that wire transfer until you have confirmation from another manager. To say “no” to allowing someone to have access to secure data until clearance is approved. If you're not comfortable with something, say "no" until you have confirmation from someone you know you can trust.
Call to Action — Safeguard Yourself and Your Company Today
Social engineering is a very important aspect of security awareness, but it’s only one of many parts that you and your organizations needs to know.
While implementing the information above could help save your company from a successful attack, there are many different types and forms of cyber threats. While some use the simple tricks of a con artist, others are becoming more and more sophisticated. Education is one of the best defenses available.
The Cybersecurity learning path from Ability Platform covers a range of topics including phishing emails, preventing identity theft, protecting devices and even what to do while traveling. Everyone in your organization needs this information.
This series of 16 lessons are easy to consume and fits into any busy schedule. While the video lessons can be taken in any order, they are organized into a series, offering a logical way to consume the training.
Each of the lessons averages under seven minutes and covers a specific topic. This allows employees to quickly understand how to protect themselves and the company and review the materials if they have questions later.
While our mission is for you and your employees to become a top performer in your industry we also want to ensure that you and your company are protected. We encourage your feedback, so please send us an email or call us at (800) 868-8039.
Want to evaluate our library of award-winning micro-learning, video-based lessons? Our courses are organized into 100+ Learning Paths by subject matter experts. Learning occurs whenever employees have 10-minutes or less gaps in their busy schedule. Click here and register for a Free 7-Day Trial today. Experience first-hand how good learning can become in your organization!
