Eight Things to Teach Your Employees About Social Engineering

In 2013, a number of Associated Press employees received a phishing email.  Upon clicking on the link in the email, employees were asked to enter their staff ID and password, and some did just that.  The attackers then gained access to AP’s Twitter account and posted a tweet: “Breaking: Two Explosions in the White House and Barack Obama is injured.”  The Dow dropped 150 points that day.

Phishing is a type of social engineering.  In 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints, recording over $3.5 billion in losses to victims – both individuals and businesses.  Phishing, non-payment/non-delivery scams, and extortion were the most popular types of reported internet crimes.

Social engineering: what it is

Social engineering is a criminal practice that uses human behavior and psychology to gain access to data.  While hackers exploit software weaknesses, social engineers exploit human errors.

Types of social engineering

These are some of the most common types of social engineering:

  • Phishing: using an email to trick a user into clicking on a link or an attachment.  Such emails appear to come from a familiar source – a colleague, a bank, etc.  They encourage users to click on a link or open an attachment.  The intention is to either install malware on the user’s device or get the person to reveal personal information by, for example, filling out a form.
  • Baiting: dangling a “bait” in front of users in order to gain access to data.  These attacks can be both digital and physical.  For example, you may receive an email offering a free set of golf clubs if you log into their website using your Facebook account.  Or, say you work for a government agency, and you receive a USB drive in the mail, marked “URGENT AND CONFIDENTIAL.”  Upon inserting the USB into your computer, a piece of malware is automatically installed on it, giving attackers access to your data and, most likely, the entire network.

  • Pretexting: in this type of social engineering, attackers create a story – a pretext – for contacting a user.  The goal is to get this user to take a certain action.  For example, an attacker impersonating an IT specialist will ask users to share their log-in information to fix an urgent issue.
  • Scareware: a “warning” type of message that users receive in the form of an email or, most often, a pop-up, alerting them to malicious content on their device.  The goal is to get users to click on the message, which then sends them to a website that asks for personal information or urges them to buy “anti-virus” software.
  • Vishing: same as phishing, but executed via voice – phone calls.  A user may receive a call notifying them of a “security breach” of their bank account, asking them to use the dial pad to enter their information in order to “confirm their identity.”
  • Spear phishing: a more elaborate phishing attack.  Spear phishing attacks often target a specific person or organization.  The emails are highly personalized, and the attack can unfold over weeks, if not months, slowly building up trust and gaining access to more and more information.

What you should teach your employees to minimize the risk of social engineering attacks

Social engineers are crafty, patient, and persistent.  Because they exploit human nature, having a top-of-the-line cybersecurity system in place may not be enough – although that’s a must.

Make sure that you regularly educate your employees on how to spot and deal with social engineering attacks.  Furthermore, make it a part of your training for new employees on day one.

  1. Never, under any circumstances, insert a USB drive or a CD into your device when they come from an unknown or suspicious source.
  2. If it sounds too good to be true, it most likely is.  Be wary of enticing offers.
  3. Do not click on a link or open an attachment from an unverified source.  If it appears to be from a colleague, yet something is different about that email address, do not engage.
  4. Don’t act impulsively.  Many of the attacks count on our natural tendency to quickly respond to things.  Such attacks often press urgency, e.g., “Offer expires in 3 minutes!”
  5. Never share your information over the phone, by text message, or by email.  Your bank, an IT provider, or other vendors will never initiate contact with you and ask for that information in this manner, for this very reason.
  6. Do not ever disable the anti-virus software.  It is there to protect you from such attacks.
  7. Enable multifactor authentication for your accounts.  This will reduce scammers’ chances of successfully gaining access to your account.
  8. It’s always better to be safe than sorry.  If you suspect that something is off, report it to your superiors or IT staff.
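Item 3 above tells employees to stop when a sender’s address looks slightly off.  The check below, an added example that is not part of the original article, automates that comparison for a mail gateway or a help-desk triage script: it flags domains that are a small edit away from the organization’s own domain (including common character swaps such as “rn” for “m”) and display names that claim an internal address while the real address is external.  The domain example.com and all sample headers are constructed.

```python
import email.utils

# Constructed: the organization's own mail domain(s)
TRUSTED_DOMAINS = {"example.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold visually confusable sequences so look-alikes compare as equal."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("1", "l").replace("0", "o"))


def check_sender(from_header):
    """Classify a From: header as ok / lookalike-domain / display-name-spoof / external."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "ok"
    for trusted in TRUSTED_DOMAINS:
        # A domain within two edits of ours (after folding confusables) is suspicious
        if edit_distance(normalize(domain), trusted) <= 2:
            return "lookalike-domain"
        # So is one that embeds our name, e.g. example-com.net or example.com.evil.net
        if trusted.split(".")[0] in domain:
            return "lookalike-domain"
    # Display name shows an internal address, but mail actually comes from elsewhere
    if "@" in name and name.rsplit("@", 1)[-1].lower() in TRUSTED_DOMAINS:
        return "display-name-spoof"
    return "external"
```

Anything other than "ok" or "external" is worth routing to the IT team before the recipient engages with the message.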

Furthermore, continuously and proactively test the effectiveness of your employee cybersecurity training by simulating phishing and vishing attacks, allowing your IT team to gather information on the specific weaknesses in your organization’s training strategy.  Try leaving ‘baits’ around the office – e.g. USB drives – that trigger an alarm at the IT department when inserted into any device connected to the network.
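One way to make a planted bait drive raise that alarm, as an added example that is not part of the original article: IT records the serial numbers of the drives it leaves around, and a script watching the workstations’ forwarded kernel logs correlates each USB enumeration with the serial that follows it.  The syslog lines, hostnames, vendor IDs and bait serials below are all constructed.

```python
import re

# Constructed: serial numbers of the drives IT planted, and where each was left
BAIT_DRIVES = {
    "BAIT000000000001": "lobby coffee table",
    "BAIT000000000002": "parking garage, level 2",
}

# Syslog-style kernel line: "<month> <day> <time> <host> kernel: usb <port>: <message>"
LINE_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): (?P<msg>.*)$"
)
SERIAL_RE = re.compile(r"^SerialNumber: (?P<serial>\S+)$")


def find_bait_insertions(log_lines):
    """Return (host, port, serial, location) for every bait drive that was plugged in."""
    alerts = []
    enumerating = set()            # (host, port) pairs with a device being enumerated
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not a USB kernel message
        host, port, msg = m.group("host"), m.group("port"), m.group("msg")
        if msg.startswith("New USB device found"):
            enumerating.add((host, port))
            continue
        s = SERIAL_RE.match(msg)
        if s and (host, port) in enumerating:
            serial = s.group("serial")
            if serial in BAIT_DRIVES:
                alerts.append((host, port, serial, BAIT_DRIVES[serial]))
            enumerating.discard((host, port))
    return alerts


# Constructed sample log: one bait drive on a finance workstation, one legitimate device in HR
SAMPLE_LOG = [
    "Mar  3 09:12:01 ws-finance-07 kernel: usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00",
    "Mar  3 09:12:01 ws-finance-07 kernel: usb 1-1: Product: Generic Flash Disk",
    "Mar  3 09:12:01 ws-finance-07 kernel: usb 1-1: SerialNumber: BAIT000000000001",
    "Mar  3 09:12:02 ws-finance-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Mar  3 09:15:44 ws-hr-02 kernel: usb 2-1.3: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice=12.11",
    "Mar  3 09:15:44 ws-hr-02 kernel: usb 2-1.3: SerialNumber: LEGIT12345",
]

if __name__ == "__main__":
    for host, port, serial, where in find_bait_insertions(SAMPLE_LOG):
        print(f"ALERT: bait drive {serial} (left at {where}) inserted on {host} port {port}")
```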

Additional actions to take to protect your organization

Ponemon Institute found that 42% of organizations use the sticky-note system to manage passwords.  Yes, we’re talking about the write-a-password-on-a-sticky-note-and-post-it-on-your-screen method of remembering passwords.  This practice seriously compromises your cybersecurity.  What if a guest walks by and records this information to use in a cyberattack?  What if a video recorded by an employee inside the office accidentally captures this information and the video is then posted on YouTube?  In addition to educating your employees on all the reasons why this practice is so dangerous, regularly check whether the practice is still in use.

Since email is one of the most common mediums for social engineering attacks, make sure to invest in a robust email protection tool that will block suspected threats and scan attachments before the email reaches your employees’ inboxes.

Finally, review how you currently manage physical access and identify weaknesses.  Map out the location of restricted areas or systems and implement a closely watched access system and hierarchy.  Limit access to only qualified staff.  Put these systems in a separate location, under lock and key.  Always require visitors to present a valid ID and record their information.  Monitor your critical systems with cameras and sensors.  We can’t emphasize enough the risk your network faces in the absence of strict policies for the physical security of your systems.

Social engineering results in billions of dollars in losses because it works.  It’s a numbers game.  Make sure your employees do not jeopardize the safety of their data and that of your organization by educating them on responsible practices.