Security awareness

5 Social Engineering Threats to Employee Privacy

By Graeme Messina, July 31, 2018

Introduction

You may have heard the term “social engineering” before. Social engineering is an attack tactic in which an external party uses deception to mislead or manipulate an employee into revealing sensitive information, such as login details or account information. This creates security issues for the employer, especially where passwords and other security-sensitive data are divulged.

Social engineering attacks are a massive problem for both employee privacy and the business as a whole. It’s important to remember that the weakest link in your organization’s security is usually the people who work there, both the new hires and the veterans of the company. While companies safeguard their customer information by investing significant resources into IT security and related technologies, their employees do not always take similar precautions with their own workstations and login details. Employers gather a great deal of personal data from their employees, and with that much data on hand, many different attack approaches can lead to the same end result.


Employee privacy breaches can cause significant harm to a business (and to the employee’s own personal security) in ways that are both financial and reputational, leading to a loss of clients and future business. And if an employee’s personal data falls into malicious hands due to improper training or flawed technical infrastructure from the company, the employee is likely to leave disgruntled and pass this information along to friends and colleagues, causing further damage to the company’s reputation.

This is why it’s always a good idea for you to familiarize yourself with some of the most common social engineering tactics: by knowing what form the attacks take, you can better protect the privacy of your employees and, by extension, your customers.

Employee Privacy and Common-Sense Security

In this context, employee privacy relates to information about the people that work within the company. This can include a great deal of varied information: tax documents, medical records, direct deposit info, Internet banking and so on. Information gathering about employees starts before they even secure a position with a company: right from the job application, the security check and the onboarding phases, all the way to email correspondence and interview notes.

With all of this sensitive employee information stored, it’s important to make sure that everyone who has access to this data treats it as private and confidential. Employees must understand the internal procedures that need to be followed when handling this data, as it is very easy for an attacker to impersonate a manager or human resources staff member in order to phish for information about an individual.

Some social engineering attacks represent just the tip of the iceberg, and they are often a prelude to a more extensive system attack or account hack. Employees should always use extreme caution when dealing with external parties that ask for personal information over the phone, especially if they cannot verify their identity.

The same is true of emails from suspicious sources, or of emails that appear legitimate but contain details that do not look trustworthy. A common way to spot such emails is to examine the spelling and grammar: the worse it is, the less likely it is that the email has come from a legitimate source. If logos or company symbols look strange or out of place, use caution and don’t open any attachments contained in the email. Never click on hyperlinks embedded in such emails.

And remember: if emails asking for personal data are coming from members of departments you’ve never met before, or someone asks for this data to be sent quickly or discreetly, it’s especially important to confirm the sender’s identity. If you can take five minutes to walk down the hall or pick up the phone to contact the supposed sender of the email, it can save you a great deal of trouble later.
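As an added illustration (not part of the original article), the following script scores an incoming message against the indicators this section describes: a sender outside the company claiming to be an internal department, urgency or secrecy wording, a request for personal or login data, and embedded hyperlinks. The company domain and both sample messages are constructed placeholders, and the keyword lists are assumptions, not a vetted ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company domain (placeholder)
# Indicators from the article: urgency/secrecy wording, requests for personal data, links, claimed internal role.
URGENCY = re.compile(r"\b(urgent\w*|immediately|quickly|discreet\w*|confidential)\b", re.I)
DATA_REQUEST = re.compile(r"\b(password|login|direct deposit|bank|tax|payroll|social security)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
INTERNAL_ROLE = re.compile(r"\b(hr|human resources|payroll|manager|it support|finance)\b", re.I)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def triage_email(raw):
    """Score one single-part RFC 822 message; returns (score, list of reasons)."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_payload()  # the constructed samples are plain single-part text
    reasons = []
    if _domain(sender) != INTERNAL_DOMAIN:
        reasons.append("sender is outside the company domain")
        if INTERNAL_ROLE.search(display_name):
            reasons.append("external sender claims an internal role")
    if reply_to and _domain(reply_to) != _domain(sender):
        reasons.append("Reply-To uses a different domain than From")
    if URGENCY.search(body):
        reasons.append("urgency or secrecy wording")
    if DATA_REQUEST.search(body):
        reasons.append("asks for personal or login data")
    if LINK.search(body):
        reasons.append("contains an embedded hyperlink")
    return len(reasons), reasons

# Constructed sample messages (not real mail).
PHISH = """From: HR Department <hr-team@example-payroll.net>
Reply-To: returns@mailbox-collect.net
To: employee@example.com
Subject: Confirm your direct deposit

Please confirm your direct deposit and login details quickly and discreetly
at http://example-payroll.net/verify before payroll closes today.
"""
BENIGN = """From: Alice Smith <alice@example.com>
To: employee@example.com
Subject: Lunch on Thursday

Are you free for lunch on Thursday? The group is meeting at noon.
"""
```

A high score is a prompt to verify the sender out of band, as the paragraph above recommends, not a verdict on its own.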

5 Common Threats to Employee Privacy

There are many social engineering threats that affect modern companies. While we are going to mention the most popular ones that have been carried out by cyber-criminals in recent years, it’s important to remember that there are also variations of these attacks, as well as combinations of these attacks that you should also be aware of.

Phishing

Phishing is probably one of the most well-known social engineering techniques used by cybercriminals to breach employee privacy and is certainly one of the most effective. Phishing usually takes place when a third party sends communications from a seemingly-legitimate source — for example, imitating a manager, colleague or service provider. This attack is carried out via email, making the apparently-legitimate communications difficult to verify for untrained staff.

Because the email looks so convincing, users will often click on links or login prompts embedded within the message, thinking that they are logging onto a legitimate website. These links redirect the user to a fraudulent website where their login details are harvested, usually by keylogging software or data scrapers.

Pretexting

This kind of social engineering uses deception and false identities to manipulate a target. We can see this often in online scams where an attacker calls the target and tells them that they need to verify some account information, which they are then able to use as part of their attack. The information that is divulged is normally of a privileged nature, making it easy for attackers to gain access to user accounts and logins.

Using this method, criminals may pose as senior members of staff, convincing employees to reveal information about certain individuals within the organization. If the person being tricked is far enough down in the company and hasn’t met this supervisor in person before, they might not think to walk down to the person’s office personally to check that this is a legitimate request.

Baiting

Baiting is a method of tricking someone into creating a password for a phony new account in the hope that they’ll reuse a password that can then be exploited elsewhere. Common forms of baiting include the promise of free gifts like movies, music or even product giveaways.

In a business context, bait might come in the form of a message seemingly from HR asking for sign-ups to the company picnic, or someone from a different department sending a fake birthday greetings e-card. Users will be prompted to sign up and create a username and password for themselves, often using the same password that they use for other, more sensitive accounts. Sometimes users will even use the same password for sensitive logins such as their primary business account, and if that same account has been used as the email address for their new logon, the attackers now have access to that email account.

Watering Hole

A watering-hole attack is when an attacker manages to inject malicious code into a website that a known target is likely to visit, such as a business portal or homepage. The target is identified by other social engineering techniques ahead of time, allowing the attackers to decide whether the individual is worth their time to attack. When the target visits the website, backdoor code infects the target’s computer and allows the hackers remote access to the now-infected machine or device.

Vishing

Voice phishing (vishing) is when an attacker uses a normal telephone, or advanced IVR software, to entice employees into repeating confidential information, which is then recorded. This differs from pretexting above in that it’s not just about the request for data, but about harvesting the person’s voice to overcome voice-activated defense systems the employee may have access to.

A common technique that is used in conjunction with an IVR is prompting users for PIN numbers and passwords. Each entry that is tried over the phone will fail and return as an incorrect attempt, making the employee try several different personal passwords — all of which are harvested and saved. If the attacker is able to identify any other accounts that could be compromised, then they are able to use the stored password attempts to find a password or PIN that works.

Social Engineering Avoidance Tips and Recommendations

As we have seen, the nature of social engineering attacks is an organic and ever-evolving one. There are no set rules that will insulate your organization completely, but there are some basic steps that can be taken to mitigate your exposure to the damaging effects of such an attack.

The easiest and most effective way to safeguard your organization and its people is to provide training and awareness programs for your employees. An excellent example of this is InfoSec Institute’s Phishing Simulation and Anti-Phishing Training course. It includes phishing simulations, indicators and notifications to give you and your team a realistic representation of what a phishing campaign looks like, and how you can avoid falling victim to such a scheme.




Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.