Thursday 23 August 2012

Social Engineering? Not on my watch



Social engineering is a method of obtaining confidential information through manipulation. It is usually done in order to commit fraud or gain access to a computer, and it is generally fueled by the incentive of money.

Social engineers will meticulously research their target so they know exactly what to say in order to deceive you. If the target is a large company, they will pretend to be an employee and try to deceive a “co-worker” into allowing them access to files or into a company computer. 

Social engineering occurs for a variety of reasons: it could be directed at a specific company or person, it could be a random attack, or it could even be part of a game. Whatever the motive, you do not want it to put your information and your customers’ information at risk.

Social engineering is successful because the engineer uses techniques that make you trust them. They make up elaborate stories or personas that you would have no reason to doubt. Then, through what seems like polite conversation, they get you to relinquish sensitive information that can put you or your company at risk of identity theft or a data breach.


The following is a transcription of a part of the conversation between me and who I believe to be a (beginner) social engineer:

Earlier this week, I got a call from a man claiming to be from “Social Alliance Vancouver” telling me my business has won the “Best New Business in Vancouver” award. He continued on saying that my business would be featured on Facebook, Twitter and Google which would bring me a lot of business.

I told him that we were quite capable of posting Tweets on our own, but thank you kindly.

Alas, he continued, “what type of services does your business provide, ma’am?”

I respond, “well, seeing as how you awarded my organization the prestigious award of ‘Best New Business’, don’t you already know?”

“Yes, of course! You install security alarm systems.”

“Affirmative. We are the Canadian Identity Theft (and security alarm system) Support Centre. Sounds about right. Now tell me about yourself, sir… are you in need of a new alarm system?”

He then hung up on me.

This example clearly shows an inexperienced social engineer, who was thrown off track with a little bit of questioning. Most of the time, these people will give up as soon as you present any resistance, because it really is not worth their time to follow through. However, if it is a targeted attack on your business, the engineer will most likely be a lot more deceptive, charming and ready to tell you anything to get you to relinquish the information he or she wants.

What information do social engineers want?
Social engineers want as much information as they can get about your business, and the more you give them, the more they will ask for.

They usually begin with friendly chatting, keeping up a light conversation to put you (or your employees) at ease. They will then ask questions such as, “can you verify your address? I see you are located on Broadway in Vancouver.” Your trusting employee will correct the misinformation and, in doing so, divulge the correct address.

Eventually, they will steer the conversation towards the information they are after. They may direct you to a website and get you to download a (most likely malicious) file, or simply ask you directly for what they want to know.

The information they may want could include computer passwords, full names of employees, SIN numbers, salaries or anything related to wages, and account numbers, among many other pieces of sensitive information.

Preventing Social Engineering from putting your business at risk

If you are concerned about social engineers defrauding your business, consider the following advice:
  • Train all staff members (especially those answering emails and phones) on what social engineering is, what people may ask for, and how to tell if a social engineer is on the other end of the line.
  • Determine what information is okay to release to the public, i.e., will you be publishing your address, the names of employees and salary information?
  • Create an action plan for dealing with data breaches. Sometimes these breaches are difficult to prevent, so it is better to be prepared just in case.
  • Inform employees of the distinction between being helpful and being overly helpful. The main way social engineers succeed is by preying on someone’s trusting nature.
If you would like assistance training your employees on how to avoid data breaches through social engineering, contact CITSC to sign up for an informational seminar.
