Here are just a few examples of how social engineers work:
Email: Pretending to be a co-worker or customer who ‘just quickly’ needs a certain piece of information. It could be a shipping address, login, contact or personal detail that they pretend they already know, but simply don’t have in front of them. The email may even tell you where to get the data from. The hacker may also create a sense of urgency or indicate fear that they’ll get in trouble without this information. Your employee is naturally inclined to help and quickly sends a reply.
Phone: Posing as IT support, government official or customer, the hacker quickly manipulates your employee into changing a password or giving out information. These attacks are harder to identify and the hacker can be very persuasive, even using background sound effects like a crying baby or call-center noise to trigger empathy or trust.
In person: A delivery man uniform gets past most people without question, as does a repairman. The social engineer can quickly then move into sensitive areas of your business. Once inside, they essentially become invisible, free to install network listening devices, read a Post-it note with a password on it, or tamper with your business in other ways.
It’s impossible to predict when and where (or how) a social engineer will strike. The above attacks aren’t particularly sophisticated, but they are extremely effective. Your staff have been trained to be helpful, but this can also be a weakness.
So what can you do to protect your business?
Recognize that not all of your employees have the same level of interaction with people, the front desk clerk taking calls all day would be at higher risk than the factory worker, for example. We recommend cyber-security training for each level of risk identified, focusing on responding to the types of scenarios they might find themselves in. Social engineering is too dangerous to take lightly, and far too common for comfort.