You may have heard the term “social engineering” before. Social engineering refers to a form of attack tactic where an external party uses deception to mislead or manipulate an employee into revealing sensitive information, such as login details or account information. This creates security issues for their employers, especially in cases where passwords and other security sensitive data is divulged.
Social engineering attacks are a massive problem for both employee privacy and the business as a whole. It’s important to remember that the weakest link in your organization’s security is usually the people who work there, both the new hires and the veterans of the company. While companies are able to safeguard their customer information by investing significant resources into IT security and related technologies, their employees do not always take similar precautions with their own workstations and login details. Employers gather a great deal of personal data from their employees, and with this much data available for the gathering, many different approaches can lead to the same end result.
Employee privacy breaches can cause significant harm to a business (and to the employee’s own personal security) in ways that are both financial and reputational, leading to a loss of clients and future business. And if an employee’s personal data falls into malicious hands due to improper training or flawed technical infrastructure from the company, the employee is likely to leave disgruntled and pass this information along to friends and colleagues, causing further damage to the company’s reputation.
This is why it’s always a good idea for you to familiarize yourself with some of the most common social engineering tactics: by knowing what form the attacks take, you can better protect the privacy of your employees and, by extension, your customers.
Employee Privacy and Common-Sense Security
In this context, employee privacy relates to information about the people that work within the company. This can include a great deal of varied information: tax documents, medical records, direct deposit info, Internet banking and so on. Information gathering about employees starts before they even secure a position with a company: right from the job application, the security check and the onboarding phases, all the way to email correspondence and interview notes.
With all of this sensitive employee information stored, it’s important to make sure that everyone who has access to this data treats it as private and confidential. Employees must understand the internal procedures that need to be followed when handling this data, as it is very easy for an attacker to impersonate a manager or human resources staff member in order to phish for information about an individual.
Some social engineering attacks represent just the tip of the iceberg, and they are often a prelude to a more extensive system attack or account hack. Employees should always use extreme caution when dealing with external parties that ask for personal information over the phone, especially if they cannot verify their identity.
The same is true of emails from suspicious sources, or seemingly-legitimate emails that do not look trustworthy. A common way to spot such emails is to examine the spelling and grammar: the worse it is, the less likely it is that it’s come from a legitimate source. If logos or company symbols look strange or out of place, then use caution and don’t open any attachments that might be contained in the email. Never click on hyperlinks that are embedded in such emails.
And remember: if emails asking for personal data are coming from members of departments you’ve never met before, or someone asks for this data to be sent quickly or discreetly, it’s especially important to confirm the sender’s identity. If you can take five minutes to walk down the hall or pick up the phone to contact the supposed sender of the email, it can save you a great deal of trouble later
5 Common Threats to Employee Privacy
There are many social engineering threats that affect modern companies. While we are going to mention the most popular ones that have been carried out by cyber-criminals in recent years, it’s important to remember that there are also variations of these attacks, as well as combinations of these attacks that you should also be aware of.
Phishing is probably one of the most well-known social engineering techniques used by cybercriminals to breach employee privacy and is certainly one of the most effective. Phishing usually takes place when a third party sends communications from a seemingly-legitimate source — for example, imitating a manager, colleague or service provider. This attack is carried out via email, making the apparently-legitimate communications difficult to verify for untrained staff.
Because the email looks so convincing, users will often click on links or login prompts embedded within message, thinking that they are logging onto a legitimate website. These links redirect the user to a fraudulent website where their login details are harvested, usually by keylogging software or data scrapers.
This kind of social engineering uses deception and false identities to manipulate a target. We can see this often in online scams where an attacker calls the target and tells them that they need to verify some account information, which they are then able to use as part of their attack. The information that is divulged is normally of a privileged nature, making it easy for attackers to gain access to user accounts and logins.
Using this method, criminals may pose as senior members of staff, convincing employees to reveal information about certain individuals within the organization. If the person being tricked is far enough down in the company and hasn’t met this supervisor in person before, they might not think to walk down to the person’s office personally to check that this is a legitimate request.
Baiting is a method of tricking someone into creating a password for a phony new account in the hopes that they’ll reuse a password that can be then exploited elsewhere. Common forms of baiting include the promise of free gifts like movies, music or even product giveaways.
In a business context, bait might come in the form of a message seemingly from HR asking for sign-ups to the company picnic, or someone from a different department sending a fake birthday greetings e-card. Users will be prompted to sign up and create a username and password for themselves, often using the same password that they use for other, more sensitive accounts. Sometimes users will even use the same password for sensitive logins such as their primary business account, and if that same account has been used as the email address for their new logon, the attackers now have access to that email account.
A watering-hole attack is when an attacker manages to inject malicious code into a website that a known target is likely to visit, such as a business portal or homepage. The target is identified by other social engineering techniques ahead of time, allowing the attackers to decide whether the individual is worth their time to attack. When the target visits the website, backdoor code infects the target’s computer and allows the hackers remote access to the now-infected machine or device.
Voice phishing (vishing) is when an attacker uses a normal telephone, or advanced IVR software, to entice employees into repeating confidential information where it is then recorded. This varies from pretexting above in that it’s not just about the request for data, but a harvesting of the person’s voice to overcome voice-activated defense systems the employee may have access to.
A common technique that is used in conjunction with an IVR is prompting users for PIN numbers and passwords. Each entry that is tried over the phone will fail and return as an incorrect attempt, making the employee try several different personal passwords — all of which are harvested and saved. If the attacker is able to identify any other accounts that could be compromised, then they are able to use the stored password attempts to find a password or PIN that works.
Social Engineering Avoidance Tips and Recommendations
As we have seen, the nature of social engineering attacks is an organic and ever-evolving one. There are no set rules that can be followed to will insulate your organization completely, but there are some basic steps that can be taken to mitigate your exposure to the damaging effects of such an attack.
The easiest and most effective way to safeguard your organization its people is to provide training and awareness programs for your employees. An excellent example of this is InfoSec Institute’s Phishing Simulation and Anti-Phishing Training course. It includes phishing simulations, indicators and notifications to give you and your team a realistic representation of what a phishing campaign looks like, and how you can avoid falling victim to such a scheme.
5 Social Engineering Attacks to Watch Out For, The State of Security
5 Social Engineering Threats, Paragon
9 Best Defenses Against Social Engineering Attacks, eSecurity Planet