Social engineering is a type of security attack that targets businesses through people. According to Nerds Support, 97% of people aren't even able to recognize when they're being targeted. That makes it essential for SME owners to ensure that their staff have full awareness, to protect themselves and the business.
Here's an introduction to social engineering, an overview of how a lack of awareness can affect SMEs, and 6 pitfalls to avoid.
What is social engineering?
Social engineering is a form of cyber and physical security attack that manipulates business personnel into granting access to confidential information or restricted areas. That includes customer data and general company intelligence. A basic example is an employee receiving an email from someone posing as a trustworthy figure and requesting information. Attacks like that are well disguised, so most people do not realize they could be handing access and information to someone with malicious intent. According to Nerds Support, 63% of data breaches come from internal sources, so a lack of staff awareness can greatly affect SMEs.
Why SMEs should care about social engineering
It’s an outdated assumption that SMEs are less attractive targets for social engineers because they are smaller than large corporations. In fact, SMEs are becoming more attractive precisely because lower social engineering awareness makes them easier to get to. Larger corporations integrate awareness into their training programs, so awareness is far higher and controls are in place. Technology advancements have also widened the scale at which SMEs operate, which means much of their business, including payments, is now conducted online. That makes them a gateway to sensitive online customer data that social engineers can leverage for malicious purposes.
7 common social engineering techniques that affect SMEs:
In phishing attacks, SME owners or members of staff are sent emails that appear to come from a reputable source. The emails ask the recipient to provide confidential information, or to click on legitimate-looking links, for example password reset links. Unaware recipients can easily fall for this and end up putting sensitive information into the wrong hands, or downloading malware onto their computer. Social engineers can use that information to commit further attacks, and the malware to access and control computers. Two tell-tale signs worth checking before acting on such an email are a sender address whose domain does not match the name it claims to come from, and a link whose visible text names one site while its real destination is another.
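The checks just described can be automated. The following script is an added example for this article, not code from the original page: it parses a constructed phishing lure (the message, the addresses and the domains in it are hypothetical, with "example-corp.com" standing in for the SME's own domain) and reports four classic indicators: a display name carrying a different address than the real sender, a Reply-To pointing at a third domain, a sender domain that imitates a trusted one through digit-for-letter swaps, and link text that names one host while the href goes to another. The header splitting is deliberately simplified and is not a full RFC 5322 parser.

```python
"""Heuristic phishing indicators for an inbound e-mail.

Added example, not code from the original article. Standard library only.
The sample message and every domain in it are constructed for illustration;
"example-corp.com" stands in for the SME's own domain.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the SME legitimately sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample "password reset" lure: the display name is a trusted-looking
# address, the real sender is a lookalike domain, replies go to a third domain,
# and the visible link text disagrees with the href.
SAMPLE_EMAIL = """\
From: "helpdesk@example-corp.com" <reset@examp1e-corp.net>
Reply-To: support@mail-examp1e.ru
To: alice@example-corp.com
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 2 hours. Reset it now:</p>
<p><a href="http://examp1e-corp.net/reset?u=alice">https://sso.example-corp.com/reset</a></p>
</body></html>
"""

ADDR_RE = re.compile(r"<([^>]+)>")
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w.-]+)")
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_address(header_value):
    """Split 'Display Name <user@host>' into (display, address).

    Simplified on purpose: handles one name-addr or a bare address only.
    """
    value = (header_value or "").strip()
    m = ADDR_RE.search(value)
    if not m:
        return "", value
    return value[: m.start()].strip().strip('"'), m.group(1).strip()


def domain_of(addr_or_url):
    """Host of a URL, or the part after '@' of an e-mail address, lower-cased."""
    s = addr_or_url.strip()
    if "://" in s:
        return (urlparse(s).hostname or "").lower()
    return s.rsplit("@", 1)[-1].lower()


def looks_like(domain, trusted):
    """Crude lookalike check: digit-for-letter swaps in the first label."""
    swaps = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
    label = domain.split(".")[0].translate(swaps)
    return any(label == t.split(".")[0] and domain != t for t in trusted)


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of indicator strings; an empty list means none were found."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = split_address(msg.get("From"))
    sender_domain = domain_of(sender)

    # 1. Display name smuggles in an address whose domain is not the sender's.
    m = EMAIL_IN_TEXT.search(display)
    if m and m.group(1).lower() != sender_domain:
        findings.append(f"display name shows {m.group(1)} but sender is {sender_domain}")

    # 2. Replies are steered to a domain other than the apparent sender's.
    reply_domain = domain_of(split_address(msg.get("Reply-To"))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {sender_domain}")

    # 3. Sender domain imitates one of our own.
    if looks_like(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain} imitates a trusted domain")

    # 4. Link text that reads like a URL but whose href points elsewhere.
    parser = LinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    for href, text in parser.links:
        if URLISH.fullmatch(text):
            shown = domain_of(text if "://" in text else "http://" + text)
            if shown and shown != domain_of(href):
                findings.append(f"link text shows {shown} but href goes to {domain_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, the script prints four warnings; against a plain internal message with matching sender, no Reply-To and honest links it prints nothing. These are heuristics that sit alongside the mail gateway's own filtering and staff training, not a replacement for either.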
Ransomware, a type of malware that is often delivered through phishing emails, is increasingly affecting SMEs through two variants – Dharma and Sodinokibi. After ransomware infects a computer and encrypts its files, the attacker demands a ransom payment in return for restoring access. According to Coveware, those ransom payments averaged over $36k, which is a lot of money for an SME to lose. That makes it critical for staff to be trained not to open emails, links or files from unfamiliar sources, and for the business to keep tested backups the ransomware cannot reach, so that paying is not the only route to recovery. Having a policy in place that enables employees to report such incidents quickly is also a good idea.
Pretexting attacks are like phishing attacks, but more targeted. The social engineer impersonates an authoritative, known or trusted figure and creates a fabricated scenario. They try to build trust and come across as genuinely as possible, which can convince the recipient to hand over information. Once the social engineer has the information they want, they can commit further acts of fraud. An example would be posing as a client who urgently needs information about their account. Again, awareness and training among staff are very effective against this kind of targeting, supported by company policies and protocols. One protocol is to verify every request for sensitive information through an independent channel, for example by calling the client back on the number already on file or by checking with management, rather than simply hitting reply.
Baiting attacks feed off people’s curiosity or greed. Social engineers may send an email with an attachment or a free download/sample link that places malware on the recipient’s computer when opened. Social engineers who have gained access to premises could also leave USB drives visible on an employee’s desk to pique curiosity. When the employee plugs in the USB drive to check its contents, it places malware on their computer. Once the malware is installed, social engineers can use it to gain control and access information. Staff members should be alerted to the signs of baiting, and never open any file or link without questioning where it came from.
Tailgating is where social engineering becomes physical. It leverages people’s natural tendency to be courteous to others. A typical example is a social engineer walking close enough behind an employee to prompt them to hold the door to a restricted area open for the intruder. Politeness in this case can be costly. Once the social engineer gets past the door, they have gained access to potentially valuable assets or data. That makes it critical to train staff not to hold doors open for people behind them unless they are a known colleague.
Shoulder surfing attacks involve social engineers physically watching over people in public spaces where they may be doing offsite work. For example, a social engineer may watch an employee logging into the company network on their laptop and try to capture their login details, or try to read any confidential information the employee has on screen. The social engineer could then attempt to steal and access the laptop, or use the confidential information as intelligence for further attacks or for resale. When working out of the office, employees should use a laptop privacy screen filter to limit what others can see, and never leave their laptop unlocked or unattended.
Eavesdropping attacks take place under circumstances similar to shoulder surfing, but the social engineer listens rather than watches. An example is employees having lunch out, or an offsite meeting in a public place. Social engineers are then presented with an opportunity to listen in on conversations and potentially pick up confidential information. As with shoulder surfing, social engineers can use that information to their advantage in further attacks, such as pretexting or baiting. To prevent that, staff should be mindful of where they hold conversations and take business calls, and always do so in private areas.
6 pitfalls SMEs must avoid making
Simple human errors of judgement are what help social engineers succeed in their attempts. If people are aware of the tactics and think before they act, social engineering becomes much less of a worry. There are 6 pitfalls SMEs must avoid to shut out phishing, pretexting, baiting, tailgating, shoulder surfing and eavesdropping threats:
- Opening and responding to emails from a sender you don’t know
- Being quick to send information just because the requester seems important
- Downloading files or clicking on links without verifying the sender
- Holding doors open for people who don’t seem familiar
- Leaving laptop screens and confidential information exposed in public
- Having confidential conversations in open public areas
Don't underestimate physical social engineering
Much of the talk and emphasis these days is on cyber security threats, but SMEs should not underestimate physical attacks. As with any security risk, physical and digital social engineering can no longer be addressed as two separate issues. Cyber attacks can be used to obtain data that enables physical access to premises or assets. Conversely, unauthorized physical access can be used to obtain information or IT network access, which in turn gives access to digital data. Much can be avoided by raising awareness and conducting regular staff training. In addition, modern security technologies can bolster training and company policies. This is particularly true of tailgating, a widespread technique that by its nature can take longer to spot.