Tips for Employees and Employers on How to Handle Social Engineering Attacks
The common aim of all social engineering plots is gaining trust. That is why the social engineer is often extremely persuasive, friendly, obliging and always ready to help. After all, people are weak when it comes to answering someone asking for permission politely.
Should the social engineer not work for the company, imagine the following scenario: at the entrance into the company building there’s a man carrying some packages that seem heavy. You immediately assume that person is a delivery man. He asks you to open the door for him, since he cannot reach for his pocket and get his keycard. You sympathize and immediately let him into the building. Since you don’t suspect anything, you will most likely not watch him or follow him around and you will probably forget about him as soon as he is out of sight. Once in the building, the intruder can head to a conference room, reach for his laptop carefully camouflaged in one of the packages, connect to the network behind the corporate firewall and pull out data. In a few minutes, he’s out and loaded with critical information.
Should the social engineer work for the company, imagine thisscenario: A customer-service company. A person (say John), pretending to work as a billing clerk, calls “colleague” (victim) from customer-service department saying that he has a very important customer (say Mary) on hold. The customer, Mary, is asking for some data in her file and John cannot provide it, because his computer has just crashed and he is therefore unable to help her. Now, John asks his colleague (the victim) if he could help him, by any chance. The colleague feels sorry and most probably will “help” the “peer in need” providing confidential data to a social engineer.
Tips for the Savvy Employer on What to Do to Ensure Staff Don’t Get Fooled
- The employer should make sure all the employees are trained, at least once a few months, by a consultant specialized in security with respect to data breaches and new social engineering approaches.
- The savvy employers should provide employees access to critical data only on a need-to-know basis; plus they should encourage fragmentation of information.
- Social networking and instant messaging services could be monitored as confidential data could be easily leaked through personal profiles and blogs both intentionally and unintentionally. Product launch dates, products screenshots or branding elements such as logos and boxes are some of the classified types of information that goes public ahead of time.
- Access in the company building should be limited and under the direct supervision of qualified security staff. Imagine this: someone (working for the competition) enters the building, under the pretext that she or he is waiting for someone; but in the meantime, he or she is handing out business cards advertising, in fact, for the competitor.
- Employees should not reveal confidential information over the phone. There are many social engineers who call pretending to be working for a certain company. Moreover they are likely to use a specific lingo familiar to the person receiving the call as they know the company structure and its weak links.
- In big companies, where it is impossible to know everyone, a call coming from a person pretending to be from a certain department can be enough to deceive someone. It is better to check the number before giving sensitive information away. Better still you might even offer to call back. It is known that with colleague-callers rules apply differently and that is why helping a fellow employee with the information he or she needs, can also lead to getting the dirty job done.
- Many times, social engineers will use “emotional” stories to appeal the victim’s empathy and inclination to believe in the good faith of his peers. Social engineers may very well take extensive periods of time to know the victims to be in order to study their habits and then serve them exactly the kind of thing that the victims are most likely to fall for: offers of friendship, love, shared interests, lifestyle, and pastime routines. This will create an atmosphere of confidence and the sensitive data will surface.
Tips for the Employee on What to Do to Prevent Falling for Social Engineering Trickery
- Employees should not share matters related to work, such as campaigns, products, services, complaints, customers with people they do not know or trust. When they need to disclose such information, they should always use the official means of communications between offices (business phone numbers, faxes and e-mail addresses) or discuss it face to face via video-conferencing.
- Employees should not grant access into the building to people who do not work for the company. If outsiders need to enter the office (i.e. for interviews or other business-related purposes), they need to be permanently escorted by an employee.
- Should someone receive a phone call from a person they don’t know, who claims to be from another department / office and asks for potentially sensitive data, the best thing would be to tell the caller that they would be phoned back. The employee should call the front desk number and ask to be put through with the person who has called. This way they check if the person really works there and furthermore if he/she is in the building.
- Employees should be extremely careful when and to whom they need to hand the removable devices, laptops or files that contain confidential data.
- Employees should check twice or thrice, if possible, when it comes to e-mails that come from people asking for confidential data. Double-checking via a phone would also be a good thing as the social engineer can create a site that resembles a legit one in order to launch a phishing attack designed to trick you into willingly providing sensitive data that otherwise you would be against giving away.
- Employees should never perform computer maintenance tasks such as installing patches, hardware (i.e. modems), disabling AV solutions or opening ports as per phone requests. They should always check this kind of requests with the IT department via phone or even better in person.
All in all, trust can be not only the catalyst of a successful business and of a productive work environment but also the deceiving tool of an intruder who wants to easily get access to critical data and destroy a business. Therefore, it is advisable to handle sensitive data with extreme caution at all times.
And never forget, trust is to be earned.