‘Social engineering’ sounds like a dark Orwellian term describing an awful future, but it’s going on this very second in someone’s home or office. Social engineering is a non-technical tactic used by hackers (and their automated bots) for tricking people into disclosing sensitive information or clicking on something that will infect their computer and their organization’s network.
Every Employee is A Target of Social Engineering
Why would anyone target your association? Why wouldn’t they? You have what these criminals want: sellable data. Your systems store personal and financial information of members, staff, customers, and donors.
A common social engineering tactic is phishing: people are tricked into downloading malware (malicious software) by opening a bad attachment or clicking on a bad link. Phishing was involved in more than two-thirds of the cyberespionage incidents reported in the last two years.
Your IT team has installed anti-virus, firewall, and other network protection software to prevent intrusion, but all this software can’t make up for the weakest link in the chain—humans.
Are you the weakest link? Here are 7 ways hackers trick smart people like you.
Email request from a “colleague”
Several associations have been victimized by this common phishing scheme (often called CEO fraud or business email compromise). Someone on staff receives an email appearing to be from the CEO or another colleague. The sender requests a membership list, log-in credentials (theirs aren’t working for some reason), or even a wire transfer or bank account information.
In another version, instead of asking for something, the “colleague” asks the recipient to review an attached file or website. The names and addresses that make these messages convincing are usually harvested automatically: bots crawl websites and social media, scraping up staff names, titles, and email addresses so the attacker knows who reports to whom.
Surely, you wouldn’t fall for this, right? Don’t be so sure. You can test your phishing detection skills by taking this quiz from Dell SonicWALL security solutions.
How do you spot a phishy email?
- Look for spelling, syntax, and grammar errors.
- Hover over (or click into) the sender’s name to reveal the actual email address, not just the display name. Check for typos and substituted characters that could fool your eyes. Is the address legit?
- Hover over URLs before clicking. Check the real destination for typos and substituted characters.
- Make sure nothing is attached to the end of a legit-looking domain name. The part that matters is the registered domain, the last two labels before the first slash (three for country suffixes like .co.uk); everything to the left of it is a sub-domain that the domain’s owner, whoever that is, can set to anything. A sub-domain attached to the front of a domain, as in http://info.microsoft.com, is fine because the registered domain is still microsoft.com. In http://microsoft.userservices.com the registered domain is userservices.com, and “microsoft” is just a sub-domain its owner chose.
- Beware phony FedEx, DHL, and UPS tracking notices.
- Banks, cable providers, website hosts, lawyers, and other service providers are not going to send emails requesting account numbers, passwords, or other sensitive information. They won’t send official notices, for example a summons to appear in court, as attachments without letting you know ahead of time. Don’t open that attachment, and don’t click on that link!
- An email from the FBI catches attention, but they’re not going to use email to make unusual requests. More likely, they’ll show up at your door.
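The domain rule above is mechanical enough to automate. The following is an added example, not code from the original article: it pulls the host out of a URL or sender address, reduces it to the registered domain, and flags the two tricks described in the list, a trusted name glued onto the front of someone else’s domain and a one-character typo of a trusted domain. The trusted-domain list and the list of multi-label suffixes are small constructed samples (assumptions for the example); a real deployment would use your own domains and the public suffix list.

```python
"""Added example (not from the original article): classify a URL or sender
address against a list of domains the organization expects to see."""
from urllib.parse import urlsplit

# Constructed sample of domains we trust: an assumption for this example.
TRUSTED_DOMAINS = {"microsoft.com", "fedex.com", "ups.com", "example.org"}

# Public suffixes that are two labels long. The real list (publicsuffix.org)
# is far longer; this constructed subset is enough for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def host_of(target: str) -> str:
    """Extract the hostname from a URL, an address, or 'Name <address>'."""
    if "<" in target and ">" in target:          # display name with real address
        target = target[target.index("<") + 1:target.index(">")]
    if "@" in target and "://" not in target:    # plain email address
        return target.rsplit("@", 1)[1].lower()
    if "://" not in target:                      # bare hostname or scheme-less URL
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """The part someone actually had to register:
    info.microsoft.com -> microsoft.com, microsoft.userservices.com -> userservices.com,
    news.bbc.co.uk -> bbc.co.uk."""
    labels = host.rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss typos like micros0ft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL or sender address."""
    host = host_of(target)
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Trusted name used as a sub-domain of somebody else's registered domain.
        if brand in labels:
            return "lookalike"
        # One substitution, insertion or deletion away from a trusted domain.
        if edit_distance(reg, trusted) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs in the shape of the article's examples.
    for sample in ("http://info.microsoft.com/login",
                   "http://microsoft.userservices.com",
                   "CEO <ceo@micros0ft.com>",
                   "https://news.bbc.co.uk"):
        print(f"{sample:40} -> {classify(sample)}")
```

The brand-as-label check is deliberately strict (an exact label match) to avoid flagging every domain that happens to contain a short string like “ups”; the edit-distance check covers the single-character swaps and digit-for-letter substitutions the article warns about. Treat the result as a prompt to look harder, not as proof that a “trusted” link is safe.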
Phony software updates
Be careful where you travel on the web. Don’t mistakenly click on advertisements. Occasionally, even the websites of well-known media properties have hosted advertisements (malvertising) and “related content” leading to compromised web pages.
Be especially careful of phony, free tool downloads or software updates. Don’t download anything without checking with your IT team first. They should be updating your software automatically. Don’t believe (and don’t click on) website messages saying your browser, Java, or Adobe is out of date. Don’t “click here to update to the latest version.” Close that site!
Service provider impersonation
Phishing happens over the phone too, not only online (voice phishing, sometimes called vishing). If someone calls to request account information, interrogate them. Better yet, call them back at a number you look up yourself, not one they give you. For example, is “Comcast” really going to need your account information before they run a speed test? Wouldn’t they already have that?
The friendly, familiar face
You know the people I’m talking about. You don’t know where they work in your building or what they do, but you see them frequently in the lobby, parking deck, elevator, with their logo uniform and badge lanyard. Then, one day they need to get in your server room to do an “inspection.” Don’t fall for that friendly face. Put on your serious face and ask some serious questions.
Friend of a friend
Some of your colleagues put their private lives on public display online. You assume they have their Facebook locked down, but they’re also posting everything to Instagram and Twitter. You, and anyone else who might have an ulterior motive, know that he went to a ball game last weekend and that she just got back from being a bridesmaid in a friend’s wedding.
Using that knowledge, the hacker pretends to be a friend who is bummed to have missed his buddy, so instead he requests your help: he needs to use the restroom or pick up a borrowed book from his buddy’s office. Once let in, this “friend” knows how to make the most of the opportunity he’s been given.
Mystery USB drive
You get back to your desk to see a post-it note from “your boss” and a USB drive. The note asks you to save something on the drive for a future meeting. As you do that, a program on the drive infects your computer. Some drives go further: their firmware has been rewritten so that the device also registers itself as a keyboard and types commands on its own, so simply plugging it in is enough.
Another version of this hack exploits the propensity some people have to cheat, covet, or know too much: placing a USB labeled with “2016 salary data” or “exam key” in a well-traveled area in the hopes that someone will pick up the drive, plug it in, and check out the infected contents.
Shady IT guy/gal
I really hate this one because it makes people less trusting of good players they don’t know. Hackers get hired by small companies as outsourced IT contractors. Companies either don’t do their due diligence or are tricked into accepting phony references. Then the hackers get network access and passwords, and you can guess the rest.
So what’s your best protection?
Some of these last few examples are extreme and unlikely to happen in an office with good visitor policies. But the email and website phishing attacks are more common than you’d think. Take that quiz and share it with colleagues. Stay informed and vigilant—that’s the best protection against social engineering and phishing.
Looking for more information about information security? We’ve got you covered. Check out our eBook The Cybersecurity Watchlist for Association and Nonprofit Executives for more information on threats to your organization’s security and how you can prevent your data from being compromised.