Social engineering takes on many forms: face to face, over the phone, in emails and through the mail. Some might think of social engineering as scams or con-artists, or of famous movies like "Ocean's Eleven", but social engineering crimes happen every day in real life to companies everywhere. Think about how much information you could learn about someone just by reading their public social media profiles. On top of that, many employees are not trained to recognize the signs of social engineering.
Various Avenues of Social Engineering
To illustrate, at a social engineering competition, a participant is challenged to call a Wal-Mart store to try to gain details and private information. In the end, he acquires everything on his checklist after a brief phone call. He captures the manager's interest by stating that he has information about a government grant that the store could acquire and gain a large amount of money (the store is located in a small military town).
Next, he asks the manager about all of the store's physical logistics, including vendors, break times, pay cycles and shift schedules. The social engineer continues to make small talk about the new project and gains information about the IT setup. In addition, he directs the store manager to an external website to fill out a survey. Had the store manager been trained to recognize these types of attacks, he would have known to protect the company's information.
Another good example is when a company was hired to perform a social engineering exercise. The hired company mailed letters to the client's employees. The letter informed the employees that the company systems would be upgraded in order to prevent social engineering. It also requested personal details to make the transition of systems go smoothly. As a result, twenty-eight percent of the employees submitted the requested information and mailed the letter back.
TechGuard Gains Access
TechGuard Security has performed similar exercises when hired to test for social engineering. We sent an employee to a medical facility to try to gain access to private information. Our employee made it through the door posing as a vendor carrying a heavy box; a well-intentioned employee held the door and helped him get inside. Once inside, he posed as IT support and, after making small talk and informing an employee that a quick update was needed, he gained access to that person's computer. We were able to show the company how its employees are the greatest vulnerability in its security. To remediate, we recommended security awareness training.
Some Tips to Stay Secure
- Be aware that con-artists can spoof calls or emails, making it appear that the call or email is coming from a familiar contact.
- When introducing new or updated software, ensure everyone understands that it requires employees to create a new login rather than log in with old credentials.
- Never let the "urgency" of a message cloud your judgment.
Social engineering scams prey on people. TechGuard highly recommends enabling your human firewall.