Law Blog


Don’t Become a Victim of Social Engineering

February 24, 2016


Perhaps you’ve never heard of it, or think it’s some type of new app for your phone, but social engineering is a real issue that companies face every day. It’s no longer okay for businesses to leave their network security to their tech team. Now, everyone must be involved, from the intern to the CEO… otherwise it could cost your company dearly.

Social engineering is when an outsider who wants access to your private data uses human interaction to trick people into giving up sensitive information. For example, one scam that’s been going around involves sending the CFO an email that appears to come from the President of the company, demanding that the CFO wire money immediately to a particular bank account. The email looks legitimate: it appears to come from the President, uses his signature line and seems to be in his words. Without hesitation, the CFO transfers the money and the scam is complete. Unfortunately, once the money leaves the business bank account, it is likely unrecoverable. Although the CFO believed the instructions came from the President, in reality the email was spoofed by a hacker.

This is just one of dozens of examples of social engineering scams going around these days. The truth is that you and your business are likely at risk. Most people are familiar enough with the Nigerian Prince scam or the Windows Server Department scam to see it coming from a mile away. However, these new social engineering scams are much trickier and have been on the rise in recent years.

There are too many attack vectors used by social engineering hackers to cover in one article, but the process is essentially the same: a hacker contacts an employee and uses charm, scare tactics or a sense of urgency to get the employee to let their guard down. The employee gives up sensitive information or unknowingly helps the hacker perform a task that would otherwise have been impossible. The result is usually the same… the employee has no idea that there’s a problem until someone discovers a breach and tracks it back to the employee. Unfortunately, the breach may not be found for hours, days or even weeks. By then, the hacker is long gone and anything they took went with them.

Training your employees to prepare for social engineering attacks is essential. For the CFO in our previous example, a simple call to the President could have made it clear that a scam was in progress. However, due to lack of training and awareness, the CFO acted too hastily. Similarly, your employees are likely unaware of potential social engineering attacks on your company. Therefore, it’s time to put a plan together and train your people regularly.

Stealing money from a bank account by wire is an obvious attack vector that almost all of us could see happening. But here are a few types of social engineering attacks you may not have considered that could hurt your business in the long run:

1. A “sales person” sends an invoice to the office and contacts accounts payable, demanding that if the invoice isn’t paid immediately, the “big shipment the boss has been waiting for” will be cancelled.

2. An ex-employee with intimate knowledge of the company network wants to take revenge, steals the company’s domain name and gives it to a hacker team in South America.

3. A recruiter has been trying to poach the best employees in a company and regularly calls the front desk to sweet-talk the receptionist into giving away vital information.

4. A delivery person shows up at the front door during lunch (when the boss is likely away) with a “package” and says he was promised he’d be paid on the spot.

The list goes on…

Keeping yourself and your employees apprised of potential attacks on your business is no longer just important… it’s required. Regularly training your employees and testing them on different attack vectors can go a long way toward keeping your company safe. See if you can trick one of your people into giving up information they shouldn’t. But don’t blame them when they do… blame yourself for not training them properly. Afterwards, make a new plan and get everyone involved on board.

Do you have questions about social engineering, or would you like our help in setting up a plan? Give us a call and let’s discuss your concerns and work together to keep your company safe.
