Perhaps something like this has happened to you: you’re on your computer, checking your email, and see a message from someone purportedly acting on behalf of a fabulously wealthy distant relation. This relative has unfortunately perished and left you an inheritance that is ready to be deposited. You only need to send a small sum of money to establish a wire transaction history. This is social engineering – a form of cyber-security hacking that leverages the weakest point of any security system: the End User. We’ll show you what to look for, why it is done, and how to combat the threats.
How and Why Does Social Engineering Work?
Hackers use social engineering to appeal to an element of human psychology (curiosity, incentive, fear of getting into trouble, etc.) to gain access to personal or business information. And sometimes, even intelligent people can be desperate, trusting, or naïve. After all, why would anyone invent such a sham?
For money, of course. The hypothetical scenario just described is only one of many pitfalls into which unwitting, gullible folk are drawn. A more sinister scheme involves some unknown party claiming to be the legal representative of a company, demanding restitution for monies owed. For what? Sometimes it’s credit card debt, medical debt, or just because you happened to be awake on a day ending in “Y.”
Social Engineering in the Workplace: Know the Games
Sometimes the menace and exaggerated threats are left out entirely. If you run a moderately sized business, you may have a payroll or accounts payable department. Someone might write to them pretending to be one of your staffers, making a routine-sounding request to change the direct deposit details on their paycheck. If your staff is not careful (and well-versed in how social engineers operate), someone might go without a paycheck and not know until the cash they needed to pay rent never materializes. Or the attacker could send an invoice from a company that does not exist for services that were never rendered. It is presented in a credible-looking document with a note that says “We got the wrong address to send this invoice to. Please promptly pay.”
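A simple rule-based screen for the two pretexts just described (a staffer's direct deposit change and a surprise invoice), written as an added example for this post rather than any product's code. The staff directory, allowed domains and sample messages are constructed assumptions; in practice the flagged messages would go to a human for an out-of-band check (a phone call to the employee or vendor at a number already on file).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory and allow-lists (assumptions for this example, not from the original post).
INTERNAL_STAFF = {"dave miller": "dave.miller@example-corp.test"}
INTERNAL_DOMAINS = {"example-corp.test"}
VENDOR_DOMAINS = {"known-vendor.test"}

# Phrasing typical of the payroll-diversion and fake-invoice pretexts described above.
PAYROLL_CUES = re.compile(r"\b(direct deposit|routing number|new (bank )?account)\b", re.I)
INVOICE_CUES = re.compile(r"\b(invoice|wrong address|promptly pay|remit)\b", re.I)


def screen_message(raw):
    """Return the reasons a message should be verified out of band before anyone acts on it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    reasons = []
    expected = INTERNAL_STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("display name matches a staff member but the address does not")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if PAYROLL_CUES.search(body) and from_domain not in INTERNAL_DOMAINS:
        reasons.append("direct deposit change requested from outside the company")
    if INVOICE_CUES.search(body) and from_domain not in VENDOR_DOMAINS:
        reasons.append("invoice from a domain not on the approved vendor list")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLE_PAYROLL = """From: Dave Miller <dave.miller@freemail.test>
Reply-To: Dave Miller <dmiller@other-mail.test>
Subject: Direct deposit update

Please update my direct deposit to my new account before Friday's run.
"""
SAMPLE_INVOICE = """From: Billing <billing@newco-services.test>
Subject: Invoice 4471

We got the wrong address to send this invoice to. Please promptly pay.
"""
SAMPLE_LEGIT = """From: Dave Miller <dave.miller@example-corp.test>
Subject: Direct deposit

Can you update my direct deposit? I'll bring the signed form to HR today.
"""
```

The first sample trips all three impersonation checks, the second is flagged only as an invoice from an unknown vendor, and the genuine internal request produces no flags.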
Savvy social engineers don’t invent their own schemes – they trade on the names of legitimate businesses for an illegitimate purpose. An example: someone calls claiming to be a representative of Adobe, wishing to disburse prize money to a few lucky recipients. (As it happens, Adobe really does solicit feedback and offer gift cards to digital storefronts as compensation.) By the time you’re done with your call to the “Adobe reps,” you have inadvertently purchased Amazon gift cards and surrendered the codes to the scammers.
Why Spam Emails Appear Legitimate
To untrained folk, spam emails consistently look like actual correspondence because they are designed to. This can be accomplished in many ways, and email is only one vector for attack! Sometimes, sophisticated cyber criminals will take over unprotected accounts with easily guessable passwords and pass themselves off as someone they aren’t. (It makes sense: why bother inventing an entirely new persona for yourself when you could just hijack Dave from Accounting’s profile because Dave used an easy-to-guess password?)
Case in point: In 2022, Uber was compromised. A young man working with the hacker collective Lapsus$ used harvested credentials from an Uber employee to access their Slack channel and discovered a network share with PowerShell scripts that included plain-text, unencrypted passwords. That information was used to compromise the entire operation. Uber is a company worth millions of dollars, and all it took to take it down (at least temporarily) was an employee with crummy passwords, bad data security practices, and an enterprising young person with a little wit and a lot of determination.
Fortunately for Uber, this hacker did not actually want to do any damage – he simply wished to expose that they had a problem to force them to fix it. Not that Uber has been immune from actual malice. In 2016, they paid a ransom of $100,000 to buy the silence of hackers who compromised their systems and had very bad intentions.
Are you as big as Uber? Probably not. But that means you have even less capacity to pay off a hacker’s ransom.
How to Recognize Malicious Emails
Fortunately, malevolent social engineers are long on guile and short on talent, and they tend not to waste their time on anyone who fights back. We recommend you protect yourself the way you beat diseases: inoculate yourself against the pathogen and urge others to do the same.
Organizations can’t afford to lose their data or the wealth that data commands. Fortunately, in business, this is fairly easy, but it requires training your staff in the art of detecting nonsense.
Proactive Threat Engagement: Red Teaming
With proper training, users can be coached into recognizing threats for what they really are and taking appropriate measures to mitigate the threat. What is the best way to do that? Practice with simulated attacks.
There are a few terms for it, but “red teaming” is when a paid team of people acts as the hostile party, engaging in the exact behavior that keeps serious-minded security staff awake at night. In simulated attacks, you learn which staff members know to ignore obvious nonsense and which require a little coaching to identify social engineers better.
Help Protect Your Business from Social Engineering
At IT Acceleration, we can help you build a comprehensive strategy to mitigate social engineering in your business. This involves monitoring email traffic to you and your staff, identifying social engineering and phishing attempts, and preventing them. We’ll help train your staff to identify these attacks. We have implemented multiple systems that use heuristics to identify, intercept, and block messages from bad-faith actors attempting to extort you and your business. We can help you learn where the attacks are coming from and stop them. Ultimately, this helps to ensure the integrity of your network, your income, and your workplace.
Do you have questions or need expert advice? IT Acceleration is a trusted partner in all areas of cybersecurity for businesses in the Philadelphia area and beyond. Contact us today to schedule a call.