It is easy to ignore some of the latest modern trends and terms when you have reached a certain age (what is Facetime?), but it is well worth getting to know about
‘Social Engineering’. It is not just arranging your social calendar.
Social Engineering is, in the context of information security, the psychological manipulation of people into performing actions or divulging confidential information. It is happening all the time, it is big business and it is also frighteningly easy.
It is the modern equivalent of the con trick or swindle and not just preying on the elderly or the gullible, but now also the busy. The fraudsters are after your data, your money or the opportunity to plant ‘ransomware’ in your system before making extortion demands.
Rather than breaking through firewalls and antivirus software it is now as easy for fraudsters to get the information they need from people who are already inside, that’s you and your staff.
They use techniques that are systematic and specially crafted to abuse how our brains work, with messages from authority or appeals to our vanity, greed or willingness to be helpful.
Information is usually obtained bit by bit, ie log in, password, bank limit etc and most commonly, fraudsters use phishing (fraudulent emails designed to look legitimate to trick you into divulging information) and spear phishing (emails tailored to an individual or organisation), but also ‘vishing’ for information by telephone.
For larger companies, fraudsters will take the risk of entering the premises, often masquerading as computer engineers to fix problems. They ‘tailgate’ authorised employees (who often kindly hold the door open for them) into the building and may rarely be challenged, even if they have no ID. Once in, they can obtain passwords by watching what an employee types (shoulder surfing), although often that is not necessary. People are too trusting and don’t like to offend, so ask someone to enter their password a few times and they generally will give it up to the fraudster, to save them asking again.
Other tricks include baiting where a USB or memory stick containing malware is left for it to be found and when the inquisitive finder plugs it into their computer to find out what is on it, the malware is automatically loaded on to the system. Fraudsters are also not averse to going through bins and even sticking shredded paper back together (it should always be cross-cut).
So how can you protect yourself and your company? Making staff aware of the problem and the types of tricks to look out for is a must, as are clear policies on information sharing. If ID is worn, then it should be worn by all and it should be made clear that it is not only ok to challenge, it should be the norm. Likewise, it should be the norm to report any suspicions.
With the phishing emails staff need to be wary about requests for information and check the email addresses, which may just have one different character. Emails appearing to be from management with requests to make payments need to be scrutinised carefully or verified. These generally fail because the fraudsters haven’t got the language quite right and frequently it’s because they are too polite! Another common scam is to receive an email from a customer or supplier with a change of bank details. Always get these verified and do not phone the number on the email. One of our clients did and guess who confirmed all was ok?
It is easy to be caught out and the worst case I have heard of so far is a Financial Director of a large company who over a period of months gave all of the company banking information away, including his own log in and password to a phishing scam. The fraudsters got away with £900,000!
You won’t find ‘social engineering insurance’, but cyber or crime insurance is available to cover most of the risks I have mentioned. There is a factsheet about cyber insurance on our website with more information.