Cybersecurity is a daily discussion in the media and in organizations across the country. How do we keep our data and systems safe in an era of increasingly sophisticated cyber hacks? While this is a critical discussion to have, it is also important to pay attention to the impact of the traditionally less sophisticated practice of social engineering.
Social engineering is the practice of gaining trust in order to gain access. A social engineering attack can be as “simple” as impersonating the pizza delivery guy to get into an office, then accessing files and systems with the passwords scribbled on the sticky note stuck to your monitor. But, as with all attacks, those using social engineering techniques have grown more sophisticated, and we have made it easy for them.
Everyone has a digital trail spread across Facebook, Twitter, blogs, corporate bios, and conference presentations, so anyone can gather your basic demographic information. Social engineers use this gleaned information to make you feel they are contacting you on legitimate business. An example: an individual gets a call saying there is an issue with their computer. The caller claims to be from Microsoft and rattles off details about the person’s account, including their address and phone number. The caller says they will send a link that must be clicked, and that with that the computer will be cleared of the virus. Typically, only novice technology users (like the elderly or teens) will actually follow through and click the link, but the threat extends beyond them. Imagine your mother-in-law is staying with you and using the home computer. She falls for the scheme. Now that computer, and every computer connected to your wi-fi (including your government-issued machine), is part of the attack.
These tactics are also climbing up the food chain, from novice users to company and government executives. Using data about the person that is easily found on the Internet, a bad actor can create a realistic scenario and use phishing techniques to get that person to visit a site or download a file. Legitimate corporate documents can be obtained by cyber thieves, altered ever so slightly, and then sent to the organization. One example of this tactic in the private sector (one that could easily happen in government) involved employees who received a fraudulent email from their CEO following an internal reorganization. It contained a link to a climate survey. Clicking on the link exposed several employees to cyber-attacks. The email was discussed in the senior staff meeting the next day, and the CEO was surprised, because he did not send personal emails to all of his employees.
While there are executive mandates and task forces set up to address security threats such as supply chain security and insider threats, no comparable attention has been focused on social engineering threats. Countering social engineering requires the same consolidated and consistent effort: training novice home users and educated professionals alike in the ways social engineering is used and the warning signs to look for. We also need research and investigation to develop profiles of the people apt to use these techniques, to aid in apprehending perpetrators.
Please share your thoughts and best practices around training your workforce to avoid social engineering schemes in the comments below.