Have you ever encountered someone you have never met who treats you as if you were their best friend? You know, the kind of encounter that makes you think to yourself, “Should I remember this person from somewhere?” Have you ever found a complete stranger striking up a conversation with you on a topic that you are extremely interested in? Have you ever found a media device such as a USB stick or CD lying in plain sight?
If you answered ‘yes’ to any of these very basic scenarios above, you may have already been a target of a social engineering attack. Now, I’m not saying that genuinely nice and talkative people don’t exist anymore, because they do. I’m not saying that people who don’t know each other can’t have similar interests, because they can. I’m also not saying people don’t accidentally drop or leave behind removable media, because it happens all the time. However, these scenarios are tried and proven methods for social engineering attacks. Social engineering attacks can be carried out in many different ways, face to face, electronically, or both.
Social engineering is the art of manipulating people so that they will give up confidential information, either with or without consent. Simple social engineering attacks might consist of people appealing to other people’s interests based on items on their desk or pictures hanging on their wall. More sophisticated attackers can take it a step further and do some research before getting in front of their mark. Perhaps they go online and view the user’s Facebook or Twitter account to gain more information such as friends’ names, pet names, and other interests. As the attacker gains more and more information on you, their chances of success increase.
Look at this face-to-face, extremely simplistic social engineering attack as an example.
In 2007, a man walked into ABN Amro Bank in Belgium during business hours and walked out with an estimated 27.9 million in diamonds that didn’t belong to him. How did he do it? He did it using social engineering. He charmed bank employees using chocolates and his personality, made a copy of the master key and helped himself to other people’s diamonds.
There are some steps that each user can take to protect both themselves and the company:
- Confirm your social media security settings and remove “friends” you don’t know.
- Never plug anything into a computer if you can’t verify where it came from.
- Be cautious of items that are sitting on your desk if you commonly interact with the public.
- Attend security awareness training at least annually to be kept aware of the latest security threats.
Employees are the last line of defense in an organization. Firewalls, web filters, spam filters, and door access control units are all filters, and as with any filter, things will get through. When they do, your users need to be ready. Give us a call today at 800-610-1858 or email us at email@example.com to learn how we can help prevent you and your employees from being a target.