While most IT Managers are pretty savvy when it comes to ensuring business data and networks remain protected, one of the biggest threats to IT security is also one of the hardest to prevent.
Social engineering attacks are sophisticated and extremely difficult for IT services to prevent as they target people rather than IT systems. Employee awareness and education programs are generally the best defence.
What is social engineering?
Social engineering is essentially a non-technical method of intrusion that works on a simple principle: it's easier for scammers to trick people into handing over information, rather than hacking through IT security to take it directly.
These attacks pose a threat because they target businesses outside the scope of their IT defences. They bypass technical security measures when employees are manipulated into breaking normal protocols.
Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call an employee with some kind of urgent problem that requires immediate action. Appealing to vanity, appealing to authority, appealing to greed, and old-fashioned eavesdropping are typical social engineering techniques.
How an attack unfolds
Several of our clients have recently experienced a social engineering attack. The following is based on a real experience:
- Scammer finds generic information on the company webpage (e.g. phone number and CEO name).
- Scammer calls the number and asks to speak with Accounts Payable.
- Scammer is transferred to Accounts Payable, where the employee will generally state their name.
- Scammer mentions he needs to email accounts payable for whatever reason and asks for their email address.
- Scammer now has enough information for a very basic attack.
Though this sounds simple, the scammer(s) may repeat this process several times, going to lengths that one or many employees would not expect. Using emails, phone calls or even information from LinkedIn, the scammer will build up a picture of the business. The resulting attack, which may include spoofing senior management email accounts, is difficult to detect because of the legitimate and often confidential information obtained. In some cases, scammers will also register similar domains - such as yourcompanyname.com rather than your authentic .com.au - to create the illusion of authenticity.
In this example, the Accounts Payable employee became aware mid-attack. The employee was emailed by the scammer regarding a 'proposed merger' with their company, asking only for a reply to the email. Alarmingly, the email contained information that was not publicly available, meaning another employee had given out the information at some earlier point.
Education and awareness offer boosted protection
Despite the complex nature of social engineering attacks, many common scam signs can often be spotted:
- Generic or formatted emails, where your company's info appears to be the result of a 'fill-in-the-blanks' approach.
- The reply email address is different from the sender's original address. Scammers do this because it is easy for them to send an email posing as a legitimate account; however, they won't be able to read any replies sent to that account, so they try to redirect them. Watch for replies being redirected to free, web-based services. This should set off alarm bells.
- Spelling or grammar errors.
- Any email requesting you to open a link or submit business information.
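The last three signs above can be checked mechanically before a message reaches an inbox. The following is an added example (not code from the original article): it parses a raw email with Python's standard library and flags a lookalike sender domain, a Reply-To that diverts replies away from the sender or to free webmail, and a body that asks the reader to open a link. The two sample messages, the company domains and the webmail list are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed list of free, web-based mail providers; extend it for your environment.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def sender_domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    address = parseaddr(str(header_value or ""))[1]
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def scam_signs(raw_message, authentic_domain):
    """Return the warning signs found in one raw RFC 5322 message, as strings."""
    msg = message_from_string(raw_message, policy=default)
    sender = sender_domain(msg["From"])
    reply_to = sender_domain(msg["Reply-To"])
    signs = []
    # Lookalike domain: same leading label as the real domain, different suffix
    # (e.g. yourcompanyname.com imitating yourcompanyname.com.au).
    if sender and sender != authentic_domain and \
            sender.split(".")[0] == authentic_domain.split(".")[0]:
        signs.append(f"sender domain {sender} imitates {authentic_domain}")
    # Replies diverted away from the apparent sender, or to free webmail.
    if reply_to and reply_to != sender:
        signs.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    if reply_to in FREE_WEBMAIL:
        signs.append(f"Reply-To redirects to free webmail ({reply_to})")
    # A request to open a link in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    if body and re.search(r"https?://", body.get_content()):
        signs.append("body asks the reader to open a link")
    return signs

# Constructed sample: spoofed CEO mail from a lookalike domain, replies sent to webmail.
SUSPICIOUS = """\
From: "Jane Smith (CEO)" <jane.smith@yourcompanyname.com>
Reply-To: jane.smith.ceo@gmail.com
To: accounts@yourcompanyname.com.au
Subject: Proposed merger - urgent

Please review the terms at http://example.invalid/merger and reply today.
"""
# Constructed sample: ordinary internal mail with nothing to flag.
LEGITIMATE = """\
From: Accounts Payable <accounts@yourcompanyname.com.au>
To: jane.smith@yourcompanyname.com.au
Subject: Invoice 4471

Invoice 4471 has been paid, no action required.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, scam_signs(raw, "yourcompanyname.com.au"))
```

These checks are heuristics: a genuine message can legitimately carry a link or a different Reply-To, so treat a hit as a reason to verify through a known-good channel rather than as proof of fraud.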
Remaining skeptical is often the best defence - if you receive a call or email with a request that seems unusual, just stop. It is acceptable to say you will get back to them. Start a new email using your own address book contact details, or call a number you know to be correct. This is simply good security practice.
Establishing or reinforcing internal processes can also help discourage social engineering attacks. Proper call screening, and not providing internal names, phone numbers and email addresses to unknown individuals, are effective roadblocks.