Preventing Social Engineering Attacks in the Workplace
Social engineering attacks are scams using psychological techniques to trick you or your employees into revealing private information.
Like the tricks and tools used in the film "Ocean's Eleven" or the television series "Mr. Robot," these efforts can be elaborate or simple and can be carried out remotely. The risk is real, and unsuspecting companies are attacked all the time. Social engineering attacks are designed to look like they aren't scams at all.
The end goal of the techniques used, which we explore more below, is for the scammer or attacker to find out as much information as possible and then use it to compromise you or your company, whether to obtain funds or intellectual property. These tricks include getting someone to insert a malicious USB drive, impersonating a trusted person, trying to obtain protected information through email, or getting targets to download a file.
How to Prevent Social Engineering Attacks in the Workplace
Educate Your Employees
As your employees conduct their workday, many go online into their accounts, whether you realize it or not. Your employees will access search engines, email, or social media accounts. They will post photographs, work-life updates, and detailed information about your company or the people in it.
Whether it is your CEO who spills the beans about their big trip out of the country, or an employee who alerts attackers to the times when security is lax (for example, "Everyone in the office has left for the week, except me."), this is a legitimate risk to any corporation or business.
Educate your employees on what details, if any, are okay to share publicly, and consider a non-disclosure agreement for anything highly private. Check the details that attackers already know about you through Social Catfish and discover which security to beef up!
When people find USB drives, they tend to plug them into their computer and thus expose their information or that of their company. This isn't an unproven theory: tests have been done, and the reality is more than anecdotal.
Theoretically, a skilled hacker could get highly sought-after intel, if even one employee inserted a USB they were sent or found. You can read more about the University of Illinois report on this, here: https://experts.illinois.edu/en/publications/users-really-do-plug-in-usb-drives-they-find
To prevent this, education is again essential. Do not insert any USB drive into a company computer if its origin is unknown, as it could install malware, lead to a compromise, or crash the system. Keep all software up to date, which helps catch and prevent phishing attacks.
If you have people you correspond with frequently, add them to your address book. That way, if an attacker messages you from a different email address (crafted to display the first and last name of someone you trust), you will be more likely to notice the change. Another source of social engineering attacks is email that appears professional (for example, claiming to send employee database updates or marketing information) but contains downloadable malware or links to phishing sites.
If an email seems to be from a trusted coworker or business contact, but the instructions are suspicious, call the individual directly to inquire on the content of the message. Use the phone number on their website or in your phone, not in the email sent. Also, consider speaking to your technical department or superior.
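The address-book advice above can also be applied mechanically. The following added example, which is not code from the original article or from Social Catfish, parses a raw email message and warns when the From display name matches a trusted contact but the address does not, when the sender is unknown altogether, or when a Reply-To header would silently divert replies elsewhere. The address book and the sample messages are constructed for the demonstration; the contact names and domains are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book (assumption): trusted display name -> known address.
ADDRESS_BOOK = {
    "Jane Doe": "jane.doe@example.com",
    "Sam Patel": "sam.patel@example.com",
}


def check_sender(raw_message, address_book=ADDRESS_BOOK):
    """Return a list of human-readable warnings for a raw RFC 5322 message.

    An empty list means the From address matches the address book and no
    Reply-To header points somewhere else.
    """
    msg = message_from_string(raw_message)
    warnings = []

    # Normalise the address book so comparisons are case-insensitive.
    known = {name.lower(): addr.lower() for name, addr in address_book.items()}
    known_addresses = set(known.values())

    # parseaddr() splits 'Jane Doe <jane@example.com>' into name and address;
    # a malformed header yields ('', '').
    name, addr = parseaddr(msg.get("From", ""))
    name_key = name.strip().lower()
    addr_key = addr.strip().lower()

    if name_key in known and addr_key != known[name_key]:
        # The classic display-name spoof: familiar name, unfamiliar address.
        warnings.append(
            f"Display name '{name}' matches a trusted contact but the address "
            f"is {addr}; expected {known[name_key]}"
        )
    elif addr_key not in known_addresses:
        warnings.append(f"Sender {addr or '<missing>'} is not in the address book")

    # A Reply-To that differs from From means replies go to a different
    # mailbox than the one the message claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.strip().lower() != addr_key:
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")

    return warnings


# Constructed sample messages (not real mail).
LEGIT_MESSAGE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: staff@example.com",
    "Subject: Q3 marketing plan",
    "",
    "Attached is the plan we discussed.",
])

SPOOFED_MESSAGE = "\n".join([
    "From: Jane Doe <jane.doe@examp1e-mail.net>",
    "To: staff@example.com",
    "Subject: Urgent: update the employee database",
    "",
    "Please open the attached update today.",
])

REPLY_TO_MESSAGE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "Reply-To: <billing@mailer-example.net>",
    "To: staff@example.com",
    "Subject: Invoice question",
    "",
    "Can you confirm the account details by reply?",
])

if __name__ == "__main__":
    for label, message in [("legit", LEGIT_MESSAGE),
                           ("spoofed", SPOOFED_MESSAGE),
                           ("reply-to", REPLY_TO_MESSAGE)]:
        print(label, check_sender(message) or "no warnings")
```

This check only looks at what the message claims about itself, which is exactly what a user sees in a mail client; it is a complement to, not a substitute for, sender authentication (SPF, DKIM and DMARC) enforced at the mail gateway, and the article's advice to confirm suspicious instructions by phone using a number you already have still applies when the headers look clean.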
Password and Entry Off-Limits
Do not give out your password to anyone. One example of a social engineering attack is a caller claiming to be from your web hosting provider, alerting you to a hack and asking you to verify your company's website password. The person on the other end of the line may sound professional.
They know what they're doing and have a lot of practice. Don't trust any request for a password, and if you have given a password for a system to the wrong person (even a former employee!), change your password and security questions immediately.
As new phishing, vishing, spear phishing, and whaling campaigns appear daily, be diligent and read up on the subject often.
Search through Social Catfish to see what information about you or your company is discoverable online and what you can remove.