Social engineering is the process of manipulating human emotions to generate a reflex response. That reflex usually causes someone to overlook obvious clues that they're being scammed, which is how companies end up with data being held for ransom, malware running on their systems, or their mail accounts being used to send spam.
You’ve likely heard of at least one of these hacks:
- A social engineering attack on the Department of Justice leaks data on 9,000 Department of Homeland Security employees and 20,000 FBI employees
- The Democratic National Committee email leak of 2016
- Target's point-of-sale system breach leaks personal information of 70 million customers
So how does this happen to big companies with huge security protocols?
Social engineering works for a variety of reasons, most of which map onto Dr. Robert Cialdini's six principles of influence:
- It preys on people’s desire to inherently trust others
- It preys on a sense of urgency
- It preys on the desire to return a favor
- It leverages the power of authority to create compliance
- It uses personal information about those within the company (or the company itself) to make requests more convincing
- It preys on the desire to please others and be liked
To further their cause, social engineers often take advantage of breaking news, major events, pop culture happenings, or holidays to tap into the automatic response that generates their desired results.
How to spot social engineering:
Social engineers are studying your company and employees long before you even know they exist. They have the upper hand on you, especially if you've neglected training your teams. There are a few tell-tale signs of a ploy that you can share with your employees now, until you've completed training:
- Legitimate companies won’t request personal information via email
- Unexpected "click here to verify your account, password, etc." links that arrive out of the blue
- Password update emails from accounts where you didn’t request a password reset
- “Are you in the office?” There’s an underlying sense of urgency placed in this sentence, and it’s something we hear a lot from people who’ve been targeted. If they’re looking for you, they can call or come to your desk
- Look for spelling errors. They’re often subtle, but they’re a potential red flag
- Tech support outreach. These people are swamped and busy. They're not going to call you out of the blue. Remember, you can always hang up, look up the helpline for the provider you use, call them, and verify whether it's a legitimate request. Is it annoying? Yes, but better safe than subject to a hacker's whim.
- Check the URL! We talked about this in our phishing email blogs (1, 2), but a simple two-second hover over the link, comparing the destination with what the link text claims, can prevent a lot of trouble
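To make the "hover over the link" check concrete, here is an added example (not code from the original post) that pulls every link out of an HTML email body and flags the classic lures: a trusted name buried as a subdomain of a stranger's domain, credentials-before-@ hiding the real host, raw IP addresses, punycode look-alike hostnames, and link text that claims one destination while the `href` points somewhere else. The sample email, the domains and the `TRUSTED_DOMAINS` set are all constructed for the example.

```python
"""Added example (not from the original post): automate the "hover check"
over an HTML email body. The sample message and all domains are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the example: the only domain this organisation really uses.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample email body. Only the first link is honest.
SAMPLE_HTML = """
<p>Your account needs verification.</p>
<a href="https://example-bank.com/login">https://example-bank.com/login</a>
<a href="https://example-bank.com.verify-account.net/login">https://example-bank.com/login</a>
<a href="http://example-bank.com@198.51.100.7/reset">Reset password</a>
<a href="https://xn--exmple-bank-hjb.com/">example-bank.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels heuristic; production code would use a public-suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def hostname_in_text(text):
    """If the visible link text looks like a URL or a bare domain, return that host."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        return urlsplit(t).hostname
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}(/.*)?", t):
        return t.split("/")[0]
    return None


def check_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty list = nothing odd)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        reasons.append("plain http, no TLS")
    if parts.username is not None or parts.password is not None:
        reasons.append("text before @ in the URL hides the real destination host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a hostname")
    else:
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (IDN) hostname, possible look-alike characters")
        rd = registrable_domain(host)
        if rd not in TRUSTED_DOMAINS:
            reasons.append(f"registrable domain {rd!r} is not one we use")
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and rd != trusted:
                reasons.append(f"trusted name {trusted!r} is just a subdomain of {rd!r}")
    shown = hostname_in_text(text)
    if shown and shown != host:
        reasons.append(f"link text shows {shown!r} but target host is {host!r}")
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_HTML):
        print(("OK         " if not reasons else "SUSPICIOUS ") + href)
        for reason in reasons:
            print("   -", reason)
```

Run it and only the first link passes; the other three each collect several reasons. The point for training is the last check: a link whose text reads like a URL but whose target host differs is almost never legitimate, and that mismatch is exactly what the two-second hover reveals.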
How to combat social engineering:
Train your employees
The easiest way for any hacker to get into your business is through your people. No matter how smart your employees are, intelligence has to be combined with cybersecurity savvy, and that comes through training. Hackers are cunningly subtle in their methods; your team needs to train their eyes to spot the tells.
Add extra controls
This is simple! Train your employees to verify in person, or over the phone using a number they already have (not one supplied in the request), whenever an unexpected request for access or money comes through. Adding simple verification steps will prevent a lot of easily avoidable mistakes.
Trends in hacking shift almost as often as a new iPhone gets released. Training should happen on a regular schedule to ensure that the information taught is being practiced and retained.
Consult a Managed IT provider
This team should have a deep pool of resources that can provide guidance, training to your teams, testing to see where more training is needed, and a wealth of experience and expertise for how to thwart potential cyberattacks. Here are some crucial questions to ask when vetting potential providers.
Social engineering works because it preys on human emotions and people's tendency to react before thinking. As with many other hacking tactics, the best way to prevent it is to train your people. Check out our other resources that will help get your business squared up to fend off smart hackers:
- Check out how to spot phishing emails
- Learn how to arm your employees against phishing tactics
- Discover what items your team should address in its cybersecurity recovery plan
We want to know how your company prepares its teams for cybersecurity attacks. Chat with us on social!