IT security isn’t just about protection from digital threats. One of the most commonly overlooked aspects of security is protection from social engineering – the art of manipulating people into disclosing sensitive information. In fact, these attacks are often more dangerous than traditional threats, since they frequently go unnoticed and give the attacker the same access as your internal staff. While social engineering attacks come in many forms, the common thread is that they involve an attacker posing as a legitimate party. Whether the attacker poses as a bank, IT company, manager, or even a colleague, these are the types of attacks that are difficult (if not impossible) for software to detect.
Common Forms of Attacks
The list below is a brief overview of the most common types of social engineering attacks:
A malicious party sends a fraudulent email posing as a legitimate one. Common examples include emails containing fake bank login links.
Similar to phishing, except these emails target an individual or company. An example is a fake corporate portal login sent to an executive or manager.
One party lies to another to gain access to a system. For example, an employee might receive a call from someone posing as a customer requesting account information.
An attacker leaves a malware-infected device (usually a USB drive or CD) where it will be found. When the device is loaded on the computer, it triggers the malware.
As the name implies, this is software that makes the user think they’ve downloaded malware or are being hacked. Fake anti-virus programs make up the bulk of these attacks.
The Psychology Behind the Threats
Successful social engineering attacks are more than a malicious person posing as someone else. There needs to be a trigger that causes the victim to temporarily let their guard down. According to the SANS Institute, the top seven psychological triggers are:
The strong affect: triggering a strong emotion such as anger or fear, causing the victim not to be as skeptical
Overloading: receiving information so fast that the mind can’t keep pace and goes into a passive mode
Reciprocation: the human desire to return a favor when someone helps them
Deceptive relationships: building a relationship by appearing to have the same goals, interests, or other things in common with their victim
Diffusion of responsibility and moral duty: the victim feels they’re not responsible for their actions
Authority: a victim follows orders because they believe the orders come from someone above them
Integrity and curiosity: sometimes people will answer questions honestly because they don’t want to lie
Protecting Your Business
Here are some practical guidelines for protecting your business from social engineering attacks.
Create Clear Policies
Whether your business is large or small, you need to set clear guidelines on the types of information staff can access and who they can share it with. Ideally, you could assign a specific person to handle communications with outside vendors and contractors. As mentioned earlier, anyone can fall victim to a social engineering attack. By minimizing the amount of information a single person can access, it becomes much more difficult for an attacker to do serious amounts of damage.
As a rule of thumb, you should assume that anyone who can access your computer has access to all your information. While data centers require extensive precautions such as closed server racks, biometric access controls, and 24×7 security, most freelancers and small businesses don’t have those resources. More practical measures you can take include encrypting your files, using two-factor authentication, locking your BIOS, and installing remote wipe/tracking software on all your equipment.
Industry Best Practices
Although not specific to social engineering attacks, you should always follow security best practices to avoid threats and mitigate breaches should they occur. Aside from the previously mentioned tips, you’ll also want to consider evaluating the network security of your web host.
Overall, the key thing to remember is that all your team members, staff, and employees need to be educated on these threats. Ultimately, the best security measures are only as good as the weakest link in the chain. While your IT teams devote their time to security, most other professionals have to focus on their jobs. This is why you should have some level of checks and balances to reduce the burden on any one person.
Not Just a Business Threat
Even if you’re not a key employee, you still need to stay alert for potential social engineering attacks. Identity theft is one of the biggest threats to consumers today, yet many individuals aren’t aware of the potential damage. Aside from the typical cases of losing money, victims have even had their medical and criminal records affected.
Medical Identity Theft
As data breaches continue to become more frequent, identity thieves are now filing false claims with insurance companies, and even receiving medical procedures and treatments under other people’s names. This type of theft is becoming more popular due to medical providers moving to electronic records, and standard retailers tightening their security procedures. Health data also sells at a premium on the black market compared to credit card numbers and other types of personal information. It’s a fairly specialized type of social engineering, but Forbes has a clear overview of the topic and ways to mitigate the threat.
Criminal Identity Theft
This is the worst-case scenario anyone can face in their life. Criminal identity theft occurs when an imposter provides a victim’s name and personal information (birthdate, social security number, or driver’s license number) to the police during an investigation or an arrest. In most cases, the fake identity is used during a traffic stop or something mundane where a citation is issued. While the malicious person signs the paper promising to appear in court, they never show up. This can result in a bench warrant on the victim for not making the appearance. Even if arrests aren’t made, the false citations can show up in background checks and even driving records.
Protecting Your Identity
A simple search on identity theft topics shows dozens of so-called identity protection services which promise to protect your credit, usually for $10-$30 per month. Many of the services claim to monitor your credit and bank accounts for suspicious activities. Additional services commonly include court record monitoring, data breach notifications, sex offender registry requests, and complimentary copies of your credit reports.
Is It Worth the Money?
The short answer here is no, identity theft monitoring services typically are not worth the money. Most of these services simply automate stuff you can do yourself. Checking your financial statements every month, shredding sensitive papers, opting out of pre-approved credit offers, and checking your credit score once a quarter should be enough to spot the most common attacks.
If you’re still thinking of signing up for one of these services, you should also note that governments have been investigating many of the protection companies for false marketing. LifeLock, for example, had to pay $100 million back to consumers as part of a court order from the US government. If you ever feel you are the victim of identity theft, you should check if your government has resources dedicated to the issue. The United States, for example, has IdentityTheft.gov.
The main thing to remember with any type of social engineering is that it impacts children, adults, and corporations. As we continue to move towards an increasingly computerized world, it’s essential for everyone to have a handle on their physical and digital identities. As with most security concerns, education is crucial to preventing issues down the road.