A client of mine was once saved from a serious case of theft by a security officer.
The officer had caught an hourly employee attempting to leave work with proprietary technology. When questioned, the employee said he’d been approached by a rival company. They’d offered him $5,000 to smuggle the tech off site and give it to them. Except when the attempted theft was investigated further, the case became more disturbing — the would-be thieves weren’t from a competing company, they were from a foreign government. And even more concerning, they’d planned ahead and used social media to target the specific employee, guessing that he’d be willing to steal for a payout.
My client had been the target of social engineering and had only narrowly missed becoming a victim.
What is social engineering?
Social engineering is the practice of manipulating people into giving up information, finances, or other assets. It’s a practice that covers a wide range of malicious actions, ranging from phishing (sending fake messages to entice a person to click on a malicious link) to full-blown cons targeting one individual. Like confidence artists, social engineers research marks, and play on human emotions — like fear, greed, or anger — to manipulate their victims.
In the case of my client, the criminals wanted their technology, so they Instagram and Facebook until they found an employee who had access to the component they wanted, and who also was making a low wage. The criminals rightly assumed that this employee would jump at the chance to make $5,000 rather than report the contact.
While social engineering has always been around, social engineering scams are on the rise. According to Verizon’s 2021 Data Breach Investigations Report, there have been more social engineering scams since 2017 —Verizon identified 3,841 in 2020 and about half of those were successful. The motives have mostly been financial, but some were related to espionage. The pandemic didn't help. In the early months of 2020, when COVID-19 was at its first peak, social engineering scams around COVID fears and especially COVID-related benefits hit a high.
How can social engineers breach your physical security?
Social engineers are always looking for the weakest link in your security. Those people are likely to be line-level employees, people who may not be aware that their online presence is being scrutinized for clues that will give a social engineer access to your site or your assets.
Ethical hacker and CEO of SocialProof Security Rachel Tobac demonstrated this on CNN last year when she used a reporter’s Twitter feed to hack his accounts, transferring airline miles to her account and giving him a middle seat on his flight home. By using the reporter’s public messages to the airline, she was able to learn which airline he’d been using and call them, pretending to be him. Tobac, who will be joining the CSO Risk Council for a social engineering webinar on Thursday, March 31, pointed out that social media can give her all the information she needs to know to gain access to accounts and other sensitive information.
So how does this apply to your employees? Think of the selfies your employees may post online during the workday. Criminals may see data from work, companies you use, and other important details. Even if you don’t allow photos onsite, remote workers may take pictures in or near their workspace at home. Items in the background — even a FedEx package on a desk — can give a social engineer a reason to send a bogus message. They know your business uses FedEx, and can use that information to phish your employees or reroute packages.
Social engineers also use the games played on social media — the ones that ask your favorite color, the street you grew up on, and your favorite teachers — to collect personal information about users. Many of those games are designed to collect the answers to common security questions.
What can you do to protect yourself from social engineering scams?
One of the most important things a business can do is to make sure your employees are aware that social engineering scams are a real threat, both to your organization and to them personally. This means developing a proactive culture of risk at your organization - you can read more about how to do that in this white paper. Such a risk culture is about more than education, employees should be tested monthly to see if a social engineer can get by them. Security has to take a lead role in this effort, creating processes that help employees verify the identities of contacts before granting access to information.
Tobac’s work is a good example of this sort of penetration test. Because she has a hacker’s perspective on social engineering she can discuss and demonstrate how easy it is to exploit people in person, over the phone, or by taking advantage of social media overshare.
Tobac will be joining the CSO Risk Council for a webinar on Thursday, March 31. Register here to learn more about social engineering and how to protect yourself and your organization from social engineers.