Social engineering is about making you fail. But you can beat it.
Let’s talk about social engineering for a minute. And no, this does not mean masterfully planning the layout of your party to maximize guest interaction, minimize personality conflicts and keep the lactose intolerant from embarrassing themselves due to mislabeled food. Social engineering is the art of making people do things that will put themselves or others at risk, typically financially. It has been around for millennia. The Trojan horse is a great example: cram soldiers into a giant wooden horse offered as a gift so they can get inside a walled city and bring about its downfall. Fast forward to the 20th century and we call people who do this impostors, swindlers, or con artists. Today, they’re known as social engineers.
In the context of cybersecurity, social engineering takes many different forms. Phishing, spear phishing, whaling, vishing, pretexting, baiting, tailgating and quid pro quo are some of the ways that hackers use social engineering to manipulate and coerce people in order to infiltrate, steal from, and extort organizations.
But why use social engineering?
Because it works, time and time again. When it comes to cybersecurity, humans are our weakest link, as a few widely cited industry figures suggest:
- 90% of all breaches started with a phishing email
- Phishing emails nearly doubled in 2018 to the tune of 482 million emails
- Almost 1.4 million new phishing sites are created each month
- 30% of people will click on a phishing email
The emphasis hackers put on phishing and other social engineering makes sense. Look at the alternative. It takes considerable time and effort to find holes in IT systems to exploit, and the weak entry point can be difficult and slow to locate. With social engineering, all you need to find is the right person. And if you cast a wide net, you only need a few trusting individuals caught in it.
If you think it’s rare to find someone naïve enough to fall for social engineering, see what happened to a reporter at DEF CON, an annual hacking conference, when he asked to see social engineering in action:
Now, you probably don’t own a call center, so you’re not worried about this happening at your business. But email works just as well, if not better. Social engineers send out thousands of emails at once. And they can impersonate anyone by spoofing the sender address or registering a lookalike domain that reads like the real one at a glance. So, what can you do to protect your business?
Training is the key. If humans are the weakest link, then we need to help them make better decisions each day. Here are the things to remember when implementing cybersecurity awareness training:
- Be skeptical – train employees to doubt first. Are they expecting this email? Are they expecting an attachment? Is it worded the way the sender normally writes? Are there misspellings? If in doubt, get a second opinion.
- Research – train employees to do their homework. Look at the actual sender address (not just the display name), the URL behind a link, and the attachment. Does the domain match the organization it claims to come from? Is the attachment the type you would expect, or does something like "invoice.pdf.exe" hide an executable behind a familiar extension? What comes up if you search for the domain or the sender? A few minutes of research can establish legitimacy.
- Verify – train employees that when in doubt, it’s best to pick up the phone and ask, using a number they already have on file rather than one supplied in the email. Hundreds of millions of dollars could be saved each year by people confirming in person or over the phone that a requested wire transfer is legitimate. Many ransomware infections could have been avoided by calling to check whether an emailed attachment was actually sent. A call to verify is better than the alternative.
- Stay alert – social engineers know when we’re more likely to be vulnerable: at the beginning of the day before the coffee kicks in; at the end of the day when we’re ready to go home. Staying vigilant all day is crucial.
- Be consistent – no one learns anything by hearing it once. It takes repetition. Keep training.
- Stay up to date – threats keep changing. Keep up to speed on what the latest threats are and how you can avoid them.
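The "Research" checks above (real sender address vs. display name, Reply-To that points elsewhere, link text that differs from the link target, lookalike domains, disguised attachments) can also be run by a script as a first pass before a human looks at the message. The block below is an added example and is not code from the original article; the organization's trusted domain, the list of risky extensions, the edit-distance threshold and the sample message are all assumptions constructed for this illustration.

```python
"""First-pass phishing triage: sender, Reply-To, links and attachments.

Added example. TRUSTED_DOMAINS, RISKY_EXTENSIONS, LOOKALIKE_THRESHOLD and the
sample message are constructed assumptions, not data from any real incident.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domain(s)
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "ps1", "lnk", "iso"}
LOOKALIKE_THRESHOLD = 2            # assumption: max edits before a domain counts as a lookalike
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


def edit_distance(a, b):
    """Levenshtein distance; one edit separates examp1e.com from example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    base = ".".join(domain.lower().split(".")[-2:])  # crude registrable-domain approximation
    if base in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(base, trusted) <= LOOKALIKE_THRESHOLD:
            return trusted
    return None


def domain_findings(what, domain):
    out = []
    if any(label.startswith("xn--") for label in domain.split(".")):
        out.append(f"{what} {domain!r} uses a punycode (IDN) label; check for homoglyphs")
    imitated = lookalike_of(domain)
    if imitated:
        out.append(f"{what} {domain!r} looks like {imitated!r}")
    return out


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage(raw_message):
    """Return human-readable reasons to distrust the message (empty list if none)."""
    msg = message_from_string(raw_message)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings += domain_findings("sender domain", from_domain)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
        findings += domain_findings("Reply-To domain", reply_domain)
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            exts = filename.lower().split(".")[1:]
            if exts and exts[-1] in RISKY_EXTENSIONS:
                findings.append(f"attachment {filename!r} is an executable type")
            if len(exts) > 1:
                findings.append(f"attachment {filename!r} hides its real type behind a double extension")
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, inner in LINK_RE.findall(body):
                target = host_of(href)
                shown = re.sub(r"<[^>]+>", "", inner).strip()
                if LOOKS_LIKE_URL.match(shown) and host_of(shown) != target:
                    findings.append(f"link text shows {host_of(shown)!r} but points to {target!r}")
                findings += domain_findings("link host", target)
    return findings


# Constructed sample: executive display name on a typosquatted domain, a Reply-To
# elsewhere, a link whose visible text differs from its target, and a disguised .exe.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.net
To: accounts@example.com
Subject: Urgent wire transfer before 5pm
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please process the attached invoice today.</p>
<a href="http://login.examp1e.com/verify">https://portal.example.com/verify</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE_EMAIL):
        print("-", reason)
```

Run against the sample, the script lists six reasons to distrust the message: the typosquatted sender domain, the mismatched Reply-To, the link whose text and target differ, the lookalike link host, and the executable hidden behind a double extension (reported twice, once per rule). None of this replaces the phone call recommended above; a two-edit threshold on short domains will also flag some legitimate neighbours, so treat the output as a prompt to verify, not a verdict.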
Social engineering isn’t going away. People will always be persuadable and we can’t prevent every attack. But, with better training and better visibility of social engineering, we can reduce the human risk and keep our organizations and customers safe.