Companies of all sizes are victimized by clever hackers regularly. Business email compromise (BEC) often occur simply because a smooth criminal posed as a trusted source.
You may have heard of the term “social engineering” before, and that’s essentially what it is: malicious “social engineers” using manipulation, deception and influence to persuade an employee or contractor into unwittingly disclosing secure information— or to perform an action which grants unauthorized access to your information systems.
And social engineering happens more than you think, as one of the top two techniques used by criminals to steal from organizations just like yours. Educate your staff on the real dangers of social engineering by showing them a few examples of how a hacker might strike:
1. Hackers target via phishing emails or phone calls.
One of the most common forms of social engineering is phishing, whereas a hacker attempts to get your employee to click or download a malware-injected attachment to infect a company device— giving the bad guys a doorway in. These crafty emailers often masquerade as important leadership heads, pretending to be a manager or vendor that your staff member can trust. They also often instill a sense of urgency to open a file or perform a specific task, or even use fear to rush the recipients into making a rash judgement call.
But phishing emails aren’t the only practice; some hackers use pretext phone calls, AKA voice phishing (vishing)— calling business extensions and posing as authoritative figures to get your workers to share secrets or insider knowledge that’ll help hackers steal information too. We’ve all received threatening voicemails from people saying you were late on a payment or breaking compliance, eager to get you to call back in a panic and share your personal information (PI).
Whenever your staff finds an email in their mailbox with an attachment, remind them to think before they click. If they receive a suspicious voicemail, research and call the company, to confirm the call was legitimate.
2. Hackers can imitate a contact in your phone and text you.
There’s been buzz around tricky text messages for years: whereas hackers spam phone numbers with intimidating messages that say things like, “$500 was just withdrawn from your bank account, did you do it? If not, call this phone number,” NBC News illustrated as an example.
But hackers have picked up new tactics, now using software to pose as a trusted contact— so that you never really know who you’re messaging behind the screen. In one live keynote, for instance, Kevin Mitnick shows how easy it is to spoof a text from your partner or friend, discreetly asking you to do something (about 50 minutes in).
A criminal can easily attempt this tactic by posing as you to your employees. They simply request an action and specify, “don’t reply right now, I’m in a meeting” or another excuse that’ll buy them just enough time to get what they want before the target notices anything suspicious. Because of this, it’s always best to ask your staff to call and verify any request out of the norm before complying. Instill this sense in your employees, or better yet, create a protocol to double verify any request from an authority figure via text or email.
3. Hackers can find an easy way in if they know a mother’s maiden name.
Have you ever been asked to share your mother’s maiden name during a security screening? This answer was once thought of as a big trip-up for bad guys who stole names and credit card info, stopping them in their tracks.
But today’s elite hackers can access a database with easy search functionality for maiden names. All the bad actor needs to know is a first and last name and a rough estimate of your age to find it. And with the massive amount of personal information on public social media profiles, it’s not too hard to fill in the blanks with PI commonly asked in security inquiries.
As always, requiring multi factor authentication is preferred to avoid false authorization into your account. Some professionals even recommend providing incorrect PI answers when filling out your security questions, and storing your responses somewhere for safe reference, so as to avoid your questions being guessed. Be very cautious of who you share your mother’s maiden name or other personal information with, both online and in person, for this seemingly innocent info could be used to gain entrance into private portals.
4. Hackers can use social engineering tactics in person too, by gaining false entrance or asking to plug in an infected drive or cable.
Hackers aren’t exclusively cyber predators: they can take physical action to gain access into your systems as well. Besides the obvious breakin where the bad guy steals files or devices straight from your office, others can walk right through your door and steal info right before your nose.
Bad actors can use a device to steal employee credentials off proximity access cards. Depending on the strength of their toolset, identify your individual staff member's Card and Site IDs just by standing a few feet or inches away from the person carrying the fob. These clever cyber thieves can then gain access to the building after hours, and plug into a server to steal information.
Or, in other more public settings, the criminals can create a doorway through your security by simply plugging in a malware-infected USB stick or cable into your employee’s computer. All it could take is a simple question, “Hey, can I plug this in to print something?” or, “Do you mind if I charge my phone on this laptop?” to quickly give them remote access to your worker’s desktop and company servers beyond. To avoid this type of social engineering scheme, always remind your staff to think before plugging an unknown device into their computer, and be stern about not allowing unknown drives or cables to be plugged into company devices.
Show Live Examples of Social Engineering Threats
Hackers are always developing new ways to trick innocent people into exposing sensitive information for monetary gain.
Are you confident that your employees would know how to spot a social engineering attempt if it happened to them? If not, why not show them what one looks like in person?
Kevin Mitnick and his Global Ghost Team™ deliver live hacking demonstrations before audiences small and large, revealing exactly how bad actors target people. More importantly, they show you and your team exactly what you can do to prevent it.
Learn more about our presentation, “How Hackers Attack & How to Fight Back” and book the world’s leading authority on social engineering to build better security awareness today.
