Hacker-Proof Your Business: Social Engineering

Hacker-Proof Your Business: Social EngineeringNever heard of social engineering? Well, the hacker trying to get at your business’s data sure has. TechTarget defines social engineering as:

A non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.

As I pointed out in part 1 of our Hacker-Proof series, hackers are actually pretty smart. They not only know how to code, but they know how to trick users into falling for scams.

But hackers don’t always use technology to break into your system. Sometimes they simply use conversation.

Hazards in Your Inbox

Be wary of emails from unknown recipients — especially those that ask probing questions about your organization or someone’s role within the company.

Some scammers will attempt to appear as a vendor trying to glean information. The particular information they are gathering compromises your system and gives them what they need to break in. These people are usually very good at what they do. Their conversation will be polite and seemingly legitimate.

Your personal email isn’t off-limits to this type of behavior, either. Recruiters are notorious for blowing up our inboxes these days, and social engineers know this! It doesn’t take a genius to impersonate a recruiter – and remember, hackers are smart.

Though this is more of a phishing scam than a social engineering attack, it’s worth noting here because too many people still fall for it: the fake “your password needs to be reset” email. Beware of these emails from scam artists!

I got this email the other day that looks VERY official, and if I wasn’t paying attention I might even click on it.

card security procedures

But there were a few things that tipped me off right away.

  1. There is an attachment. Always a red flag!
  2. It asks me to download and save the attachment. Major red flag!
  3. It tells me to open the attachment. Obviously, this is how the virus is activated.

I hovered over the “from” address and it showed the sender as Americanexpress@aecom.com. I knew “aecom” was probably not an AmEx address – and a Yahoo search confirmed it.

yahoo confirms it

Dangers Lurk Outside Your Inbox, Too

Social engineering isn’t limited to emails. Hackers also use social media, phone calls and even in-person visits to your company site. However they can pull you into a conversation most easily.

Some examples we’ve seen are false on-site technicians, fake LinkedIn and Facebook groups, and phone calls from bogus financial institutions.

How to Protect Yourself

The first thing you can do to protect yourself from a social engineering hack is to be skeptical. Never give out confidential information – or even seemingly non-confidential company information – without verifying the identity of the requestor first.

The second thing you can do is to be aware of common tricks. For example, no legitimate financial institution will ask for your social security number or system password over the phone. If someone you don’t know asks you for that information, it’s a red flag.

I am going to assume that you’re using strong passwords on all your systems, and you’re updating them frequently. (Ahem.) If you feel like you might have been the victim of a social engineering hack, change your passwords. Then let your IT staff know about the situation immediately so they can minimize the damage.

Don’t have an IT team that can come to the rescue in the case of an information security threat? Let’s talk!