Social engineering is a trendy phrase in the world of cybersecurity.
But social engineering is nothing new. From famous social engineers like Ulysses and his Trojan Horse to encyclopedia salesmen pounding the pavement forty years ago, convincing people to do something that may not be in their best interest is a timeless profession.
Research in the Open Journal of Social Sciences defines social engineering as a psychological exploitation that manipulates human emotion and weakness to carry out various kinds of fraud on unsuspecting people. In the world of cyber crime, that translates to carefully crafted emails, Internet scams, and phone calls aimed at gaining access to what hackers consider to be valuable data.
It comes in all forms
Heather Engel, Sera-Brynn executive vice president, says social engineering in today’s Internet-based world can take on many forms.
In phishing emails, scammers can take a general approach meant to prey on curiosity, or a carefully crafted one aimed at luring people in through trust. Sera-Brynn often tests a business’ risk of falling prey to social engineering as part of a penetration test, evaluating how easily employees can be enticed.
One common real-world tactic, Engel says, is an email promoting some kind of service, social media connection, or new information meant to get the recipient to click on what, in a real attack, would be an infected link. Sending the message from someone recognizable, such as a colleague or manager, is another way to bring down an employee’s defenses.
But sometimes cyber criminals want to cast a wider net. That’s when they use something Engel refers to as “malvertising,” or fake advertisements slinging malware. When a curious employee clicks on the link in a pop-up “malvertisement” or visits an infected site, his or her computer could be at risk if it’s not properly protected and patched.
And don’t think for a minute that scammers don’t still use old-school tactics. Engel says Sera-Brynn routinely tests businesses for risk of social engineering through phone calls and even in-person scams.
“It’s amazing what information you can get out of people,” Engel says, adding this is especially true of employees in customer service. “Because of the nature of their job, they are trained to want to assist, making them front line targets of social engineering.”
Creating a security culture
Your business can have all the firewalls and defense systems in the world, but the human element in any organization always has the potential to be the weakest link.
“Social engineering is one of the easiest ways to attack a network or business,” Engel says. “And social media plays an important role in helping criminals understand their victims – it makes it very easy to get to know your mark.”
The most important thing businesses can do to avoid such incidents, Engel says, is to educate employees and create a culture of solid security habits. Identifying and communicating red flags helps employees know what to look for to determine if an email, link, phone call, or in-person interaction is a legitimate business transaction.
“If we don’t teach them, many employees simply don’t know what to look for. And companies should also explain what employees are protecting and why it is important – for example personal information on customers, business intelligence, or client confidential data.”
“You have to create a security culture where employees understand what to look for and why they may be a target, while emphasizing the many different ways social engineering could happen to them,” she said.
Ensure your business has a policy for social media, and educate employees on social engineering. Engel says if you receive an email from someone you know but weren’t expecting, pick up the phone to confirm they sent it. And Engel says reputable companies won’t ask for personal information through email.
“You won’t ever get an email from your doctor that will ask you to respond with personal information.”
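The red flags Engel lists (a familiar name on an unexpected address, a lookalike domain, a request for personal information, a link that does not go where it says) can be turned into a simple triage check. The code below is an added example, not part of this article or of Sera-Brynn’s testing tooling; the organisation domain, the colleague directory, and both sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation data, constructed for this example.
ORG_DOMAIN = "example.com"
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}  # display name -> real address
PERSONAL_INFO = ("password", "social security", "date of birth", "account number")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)


def red_flags(msg):
    """Return the red flags found in a message dict with 'from' and 'body' keys.
    Each check mirrors one warning sign described in the article."""
    flags = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_SENDERS.get(name.strip().lower())
    # A colleague's name on an address that is not theirs: the "pick up the phone" case.
    if expected and addr.lower() != expected:
        flags.append("known name, unexpected address")
    # A domain that merely resembles ours (e.g. example-com.net instead of example.com).
    if domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in domain:
        flags.append("lookalike domain")
    # Reputable companies do not ask for personal information by email.
    body = msg["body"].lower()
    if any(term in body for term in PERSONAL_INFO):
        flags.append("asks for personal information")
    # The visible link text names one host while the href points somewhere else.
    for href, text in LINK_RE.findall(msg["body"]):
        shown_url = text.strip() if "://" in text else "http://" + text.strip()
        shown_host = urlparse(shown_url).hostname
        if shown_host and shown_host != urlparse(href).hostname:
            flags.append("link text and destination differ")
    return flags


# Constructed sample messages: one phishing attempt, one legitimate note.
PHISH = {"from": "Jane Doe <jane.doe@example-com.net>",
         "body": 'Please reply with your password. <a href="http://evil.test/x">example.com/login</a>'}
LEGIT = {"from": "Jane Doe <jane.doe@example.com>",
         "body": 'Agenda attached. <a href="https://example.com/agenda">example.com/agenda</a>'}

if __name__ == "__main__":
    print(red_flags(PHISH))  # all four flags
    print(red_flags(LEGIT))  # []
```

A hit on any flag is a prompt for the out-of-band confirmation Engel recommends, not proof of an attack; the check is deliberately conservative and a clean result does not mean the message is safe.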
Are your employees wise to social engineering?