As physical security in most organisations becomes increasingly hard to breach, criminals are turning to social engineering to circumvent these tough security regimes. Social engineering is psychological manipulation: people are manipulated into taking a particular action or divulging information, generally so that the attacker can gather information or gain access in order to commit theft or fraud. Social engineering can take many forms, some of which are highlighted below:
Phishing: The phisher sends an email to the target that appears to come from a legitimate source (a co-worker, boss, bank, etc.) requesting that the recipient take some action, such as verifying information. The email itself might carry malware, so that as soon as the email is opened your PC or network could be infected with malicious software. Alternatively, the email might include a link to a fraudulent website where information such as passwords will be requested.
Quid pro quo: Meaning "something for something", an attacker will call random numbers at a company claiming to be calling back from technical support. Eventually they might find someone with a genuine problem. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware. In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.
Pretexting: This involves creating a scenario to engage a target and encourage them to divulge information that they would otherwise be unlikely to reveal.
Bribery: Offering money or a gift to alter the behaviour of the recipient. This method relies on the curiosity or greed of the victim, but given the current economic climate the temptation for errant employees can be heightened.
Some attackers will go to extraordinary lengths to get the information they desire, including getting a job at the target organisation. Most SMEs do not perform even simple background checks on new employees, and while large companies do, the checks tend not to be very extensive. HR managers are almost never trained to spot warning signs that they might be hiring someone with malicious intent. Once you are on the inside you become far more trusted, even if you are a lowly clerk.
Social Engineering Countermeasures
The best way an organisation can protect its proprietary information from a social engineering attack is by educating itself and its employees about what the organisation holds valuable. If all employees understand what needs to be protected, they can better understand how, and from whom, to protect it. Regular security awareness briefings should be held for all employees. An espionage awareness briefing can provide pragmatic information and guidance to both the board and employees and demonstrates simple and cost-effective methods to ensure that secrets remain secret. Employees should be trained to verify the identity of any person who requests sensitive information. If that person's identity cannot be verified, then the employee must be trained to politely refuse the request.