Social engineering is a method used to get confidential information through manipulation. It is usually done in order to commit fraud or gain access to a computer, and it is generally motivated by money.
Social engineers will meticulously research their target so they know exactly what to say in order to deceive you. If the target is a large company, they will pretend to be an employee and try to deceive a “co-worker” into allowing them access to files or into a company computer.
Social engineering occurs for a variety of reasons: it could be directed at a specific company or person, it could be a random attack, or it could even be part of a game. Whatever the reason, you do not want it to put your information, or your customers’ information, at risk.
Social engineering is successful because the engineer uses techniques that make you trust them. They make up elaborate stories or personas that you would have no reason to doubt. Then, through what seems like polite conversation, they will have you relinquish sensitive information that can put you or your company at risk of identity theft or a data breach.
The following is a transcription of part of a conversation between me and someone I believe to be a (beginner) social engineer:
Earlier this week, I got a call from a man claiming to be from “Social Alliance Vancouver” telling me my business had won the “Best New Business in Vancouver” award. He continued on, saying that my business would be featured on Facebook, Twitter and Google, which would bring me a lot of business.
I told him that we were quite capable of posting Tweets on our own, but thank you kindly.
Alas, he continued, “What type of services does your business provide, ma’am?”
I responded, “Well, seeing as how you awarded my organization the prestigious award of ‘Best New Business’, don’t you already know?”
“Yes, of course! You install security alarm systems.”
“Affirmative. We are the Canadian Identity Theft (and security alarm system) Support Centre. Sounds about right. Now tell me about yourself, sir… are you in need of a new alarm system?”
He then hung up on me.
This example clearly shows an inexperienced social engineer, who was thrown off track with a little bit of questioning. Most of the time, these people will give up as soon as you present any resistance, because it really is not worth their time to follow through. However, if it is a targeted attack on your business, the engineer will most likely be a lot more deceptive and charming, and ready to tell you anything to get you to relinquish the information he or she wants.
What information do social engineers want?
Social engineers want as much information as they can get about your business, and the more you give them, the more they will ask for.
They usually begin with friendly chatting, keeping up a light conversation to put you (or your employees) at ease. They will then ask questions such as, “Can you verify your address? I see you are located on Broadway in Vancouver.” At this point, your trusting employee will correct the misinformation and ultimately divulge the correct address.
Eventually, they will steer the conversation towards getting information. They may direct you to a website and get you to download a (most likely malicious) file, or ask you directly for what they want to know.
The information they may want could include computer passwords, full names of employees, SIN numbers, salaries or anything related to wages, and account numbers, among many other pieces of sensitive information.
Preventing Social Engineering from putting your business at risk
If you are concerned about social engineers defrauding your business, consider the following advice:
- Train all staff members (especially those answering emails and phones) on what social engineering is, what people may ask, and how to tell if a social engineer is on the other end of the line.
- Determine what information is okay to release to the public, i.e., will you be publishing your address, the names of employees, or salary information?
- Create an action plan for dealing with data breaches. Sometimes these breaches are difficult to prevent, so it is better to be prepared just in case.
- Inform employees of the distinction between being helpful and overly helpful. Social engineers succeed mainly by preying on someone’s trusting nature.
If you would like assistance training your employees on how to avoid data breaches through social engineering, contact CITSC to sign up for an informational seminar.