Social Engineering – It Can Happen To You

Real World Scenarios & Best Practices to Defend Against an Attack

One of the world’s most famous hackers defines social engineering as “The clever manipulation of the natural human tendency to trust.” (Kevin D. Mitnick, 2003).

Social engineering is one of the most successful ways cyber criminals infiltrate organizations. Through email, phone calls, text messages and online platforms such as social media, attackers use manipulative techniques designed to prey on the weaknesses of people and on basic human nature.

“Employees are often the weakest link in the daily management of the corporate network security,” said Tom DeSot, Digital Defense, Inc., Chief Information Officer.

Knowledge is power, and an effective way to strengthen the security posture of an organization is to understand what social engineering is and methods to defend against a potential attack.

Two Types of Social Engineering:

Remote Social Engineering:
Attacks carried out by phone, email or online against employees, suppliers and contractors, with the intent of obtaining information that could be used to gain unauthorized, or falsely authorized, access to a corporate network, its resources or its data.

Onsite Social Engineering:
Attacks designed to gain physical access to the premises in order to obtain records, files, equipment, sensitive information and network access.

Consider the people you meet in the workplace, the emails you receive and the calls you answer: the official-looking gentleman with the tool kit who requested onsite access to conduct system repairs; the phone call from “IT” asking you to verify your employee number; the camera crew outside the front gate filming a corporate commercial; the email from “management” asking you to click on a link and enter your information to test the strength of your password. Any of these scenarios may have been social engineers at work.

39% of incidents involved a negligent employee.

Social engineers do not care whether you are an entry-level employee or the CEO of an enterprise. These highly trained individuals leverage proven techniques to target all levels within an organization, with the intent to gain access to sensitive information, destroy reputations and cost enterprises billions in clean-up and recovery.

Common Techniques Used by Social Engineers

Talks the Talk
A social engineer will take the time to study and learn the ‘corporate language’ of an organization. Using the right acronyms or key phrases when speaking to an employee, for instance, increases the attacker’s credibility.

Playing You Like a Song
A social engineer may call the company, record its ‘on hold’ music, and later play that same audio when putting an employee on hold. Hearing the familiar corporate hold music lends credibility to the caller’s story that he is calling from a department within the company.

A Good Connection Gone Wrong
Posing as a potential business contact on LinkedIn, a social engineer will use the social media platform to send unsafe links in messages to connections.

Spoofing a Phone Number
Social engineers will spoof phone numbers so that a different, more trusted-looking number shows up on the target’s caller ID.

Through education and awareness, employees can be the most valuable asset on the frontlines of defending against a cyber attack.

Tips & Tactics to Defend Against Social Engineering Attacks:

  • Be friendly but cautious. A social engineer preys on a person’s willingness to help others.
  • Be suspicious of emails asking you to “verify” your account.
  • Do not leave your computer unlocked.
  • Be wary of website addresses with misspelled words, or where numbers are used instead of letters.
  • Type the website address into your browser yourself rather than clicking on a link shared via social media or email.
  • Get to know your co-workers and clients and beware of impersonators.
  • Verify the credentials of anyone requesting onsite access or access to resources and materials.
  • When leaving for the day, don’t forget to lock up sensitive data.
  • Remember, social engineers use social media sites to gain inside knowledge. Be careful what you post online about your work practices.
  • Be aware that Out of Office messages can be used for reconnaissance, so keep them brief and to the point.
  • Be suspicious of unsolicited phone calls asking about employees or other personal information.
  • Dispose of documents with sensitive data by shredding material according to corporate policy.
  • Avoid completing online forms that ask for personal information such as your date of birth, social security number, or other confidential information.
  • Be wary of alarmist email messages with urgent requests.
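The two website-address tips above (misspelled names, and numbers standing in for letters) can be turned into a simple automated check. The following is an added example, not part of the original article or any Digital Defense product: it compares the hostname in a link against a trusted corporate domain (the domain name `example.com` is an assumed placeholder), normalising common digit-for-letter swaps and flagging near-miss spellings.

```python
# Added example: flag link hostnames that look like a trusted domain but use
# misspellings or digit-for-letter substitutions (e.g. examp1e.com).
from urllib.parse import urlparse

# Digits commonly swapped in for visually similar letters.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def hostname(url: str) -> str:
    """Extract the lowercase hostname from a URL (scheme optional)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's hostname."""
    host = hostname(url)
    trusted = trusted.lower()
    # An exact match or a genuine subdomain of the trusted domain is fine.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # Compare only the registrable part (drop subdomains such as www.).
    base = ".".join(host.split(".")[-2:])
    # Numbers used instead of letters: examp1e.com normalises to example.com.
    if base.translate(DIGIT_SWAPS) == trusted.translate(DIGIT_SWAPS):
        return "lookalike"
    # Misspelled names: exmaple.com is two edits away from example.com.
    if edit_distance(base, trusted) <= max_distance:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; the trusted domain is an assumed placeholder.
    for link in ["https://www.example.com/login", "http://examp1e.com/verify",
                 "exmaple.com", "https://mail.google.com"]:
        print(f"{link:35} -> {classify(link, 'example.com')}")
```

Short or very generic trusted domains will match more unrelated names within two edits, so tune `max_distance` per domain rather than applying one value everywhere.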

Following these tactics and encouraging awareness and vigilance can reduce your organization’s risk and exposure to a social engineering attack.

Submitted by: Larry R. Hurtado, Digital Defense, Inc.