What’s your company’s biggest security vulnerability? No, not machines without anti-malware protection (although that’s a good guess). No, not your Web servers, either.
It’s your people. Your employees. A full 64% of IT managers surveyed believe that users are the weakest point of entry to cybercriminals intent on compromising their internal systems.
This particular security danger has nothing to do with technology, and everything to do with human psychology. Yes, we now have a high-tech name for it—social engineering—but make no mistake, some of these techniques have been around for centuries.
What is social engineering and why is it dangerous?
It’s a definitively non-technical way that cybercriminals trick people into doing unsafe things online. Social engineering is generally practiced by using phishing, which is when you get a seemingly legitimate email from a company or individual that invites you to give away private or financial information, click on a malicious link, or download a file with malware embedded on it.
Of course, we’ve all been subject to obvious and often laughably clumsy phishing attempts—the misspelled emails coming from people with unpronounceable names promising us millions of dollars if we’d only do what they say—but I’m not talking about those.
I’m talking about the much more sophisticated spear phishing practiced by what are called “advanced persistent threat” (APT) cybercriminals. These aren’t one-off attempts to trick you, but carefully considered campaigns where hackers specifically target a particular company or individual using customized emails that make savvy use of details they’ve gotten through social media, public databases, or other means. The typical goal: To get you to give up your username and password to your business email or other critical applications. The cybercriminal then has legitimate credentials to log into your company’s systems, snoop around, exploit other vulnerabilities and ultimately steal data, money or both.
APT criminals are clever. They understand human nature. They’re also patient. According to the threat intelligence firm Mandiant, APT actors spend a median of 205 days inside victims’ networks.
Most of all, they’re successful. The best socially engineered phishing scams have a 45% success rate. That means that if an APT cybercriminal targets your company, it has a huge chance of success. It only takes one employee falling for a scam for the criminals to get inside.
All this might sound extremely scary. And you should be concerned. But don’t panic. I’ve put together a list of what to watch out for, and how you—and your employees—can avoid becoming victims.
5 Social Engineering Techniques to Watch Out For
The most successful emails do two things. First, they spin a plausible narrative, or story, that rings true to you. And secondly, they use familiarity with your world, and your personal details, to lull your suspicions. Remember, APT actors have done their homework: they’ve collected information about you—and your company—from Web searches, social media posts and your company website.
Here are five social engineering techniques that scammers use to try and penetrate your network:
- Create a sense of urgency: These are the emails that raise fears, and which demand action Most insidiously, these can come from very reputable-seeming brands—brands you interact with regularly—and look absolutely legitimate, complete with logos and authentic URLs. Motivated by anxiety, you bite.
a. We need to verify your login details for your account to remain valid.
b. Your account could be compromised, re-enter your username and password.
- Issue orders from an authority: This is an increasingly favorite tactic for targeting small businesses. You open an email that purportedly comes from your IT director, with the specific directives or orders from your HR director. Naturally, you comply.
a. Download this security patch for your PC (the attacker found the name through LinkedIn).
b. Reenter your social security number (which seems to come from your HR director, found
through your firm’s website).
- Offer a reward: Everyone likes getting things for free. So when one of your friends (remember, you are publicly linked to each other on Facebook) offers you something you can’t refuse, you take the bait.
a. Print out these tickets to that cool concert we were talking about (found through Facebook).
b. Click on this link for an incredible cruise deal to Italy (found by viewing your browsing history).
- Appeal for help: Even I’ve fallen for this one. A colleague is struggling with a project. Can you lend a hand by downloading this file and taking a look? You don’t think twice. Unfortunately, the file contains spyware that promptly steals your passwords to every application and website you visit.
- Arouse curiosity: You gotta see this. Cats! Political outrage. A major natural disaster. More cats! Of course we click, especially when the email comes from someone we trust.
How to Avoid These (and Other) Scams
- Be suspicious of any email that asks you for access credentials, or personal or financial information: If in doubt, pick up the phone and call the individual or company in question.
- Don’t click on embedded links that purport to go to sensitive business or financial sites: Instead, use your browser to type in the Web address yourself.
- Be wary of surprising requests from colleagues: If you’re not expecting a file, don’t download it. Instead, verify that the file is legit by calling the colleague in question.
- Be cautious about social or “viral” emails that invite you to click: Does the email really sound like it came from that particular friend? Does it have any relevant context in it that allows you to trust it? Keep in mind that curiosity killed the…you know what…and no number of cute kitty pictures can make up for causing your business to become infiltrated.
- Request employees to report any suspicious emails they get: If APT criminals are targeting your company, they’ll try again and again. Keep your people on high alert if you seem to be in the sights of an APT campaign.
As a business, your best move is to educate your employees—and to keep reminding them of the dangers out there.