Social engineering, the act of psychologically manipulating a person into divulging confidential information or carrying out actions, is becoming more commonplace.
Recently, Indian police raided call centres and made arrests over a large-scale scam in which employees impersonated US Internal Revenue Service and other federal officials, demanding payments for non-existent debts.
The scam, which reportedly took money from at least 15,000 people and generated more than $300 million, is one of the largest recent social engineering scams and was supposedly run by 24-year-old Sagar Thakkar, also known as Shaggy!
Though this particular scam was relatively simple in its operation and largely relied on a strategy of tele-phishing, the reality is that social engineering attacks are not just becoming more commonplace against businesses of all sizes; they are also becoming more sophisticated.
Therefore, it is essential that you keep your business safe by raising awareness among your employees so that they are mindful of the different types of social engineering and how to avoid them. Below are the main types of social engineering and steps to avoid being the next victim.
Types of social engineering
Baiting: Baiting is where a criminal places a physical device, such as a USB flash drive, somewhere it will be found by an employee of a business. The plan is that the employee will find the device and plug it into their computer, which then installs malware without the employee knowing.
Phishing: This is where an email is sent purporting to be from a different sender, often a well-known and trusted brand or authority. The goal of the perpetrator is to trick the recipient into clicking a link that installs malware or into sharing financial information. It can also be carried out by phone, as mentioned earlier in this article.
Spear phishing: Not unlike phishing, spear phishing is a more tailored approach where the perpetrator targets a specific individual or business.
Pretexting: Pretexting is where the attacker constructs a false story to gain access to valuable data, for example by pretending that they require financial details in order to confirm the identity of the individual.
Scareware: This is where the victim is led to believe that their computer or device is infected with malware or has downloaded illegal content. The victim is then offered a solution, which is often the installation of real malware.
Steps your business can take:
- Define Acceptable Usage Policies – make sure all employees have a good understanding of them. These policies help to protect your business, for example by prohibiting the use of unauthorised, unapproved technologies and devices such as USB drives or mobile devices, and by establishing good practices and behaviours for the use of the Internet, email, social media etc.
- Educate your employees – at all levels of the company – as to how they could fall victim to a social engineering attack. For example, warn senior executives to be wary of targeted spear phishing; raise awareness amongst procurement and finance staff of the risk of Business Email Compromise (BEC) scams. Make sure all staff know to be wary of clicking on links in emails, and to verify the identity of anyone seeking information about the company or other people in the company. Is the email or the call truly from the person it claims to be? Unsolicited contact from individuals seeking internal organisational data or personal information should be met with suspicion, as should website URLs that use a variation of a spelling or even a different domain, for example .net instead of .com.
- Limit your exposure – All companies want to engage their customers to promote their business; however, it is important to be wary of the information shared on social media. Both your business's social media use and your employees' personal social networking may be giving away useful information that can significantly help a social engineer to target your business.
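The domain check described under "Educate your employees" (a misspelt name, or .net instead of .com) can also be automated in a mail gateway or a help-desk triage script. The following is an added example, not code from the original article: TRUSTED_DOMAINS and the sample addresses are constructed for illustration, and it goes slightly beyond the article by also catching look-alike characters (1 for l, rn for m) and a trusted domain reused as a subdomain of an attacker-controlled one.

```python
import re

# Constructed list of domains the business legitimately corresponds with (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "acme-supplies.com"}

# Characters commonly swapped in to make a name look right at a glance.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalise(label: str) -> str:
    """Fold common look-alike substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    domain = domain.lower().strip(".")
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")          # 'examplebank', 'net'
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        if domain.startswith(t + "."):             # examplebank.com.secure-login.net
            return "lookalike"
        if name == t_name and tld != t_tld:        # .net instead of .com
            return "lookalike"
        if _edit_distance(_normalise(name), _normalise(t_name)) <= 1:   # one typo away
            return "lookalike"
    return "unknown"


def classify_address(header_value: str) -> str:
    """Classify the domain in a From: header value such as 'Billing <x@examp1ebank.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return classify_domain(m.group(1)) if m else "unknown"
```

A "lookalike" result is a prompt for a human to verify the contact through a known-good channel, not proof of fraud on its own.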
If you think your business is a victim of social engineering:
- Immediately report the incident to your local authority.
- Contact your financial institution and monitor your accounts for any suspicious activity.
- Change all passwords.