Social Engineering

Social engineering, also known as human hacking, takes on several forms. Some are as basic as a phone call in which the caller pretends to be someone they are not; others are as sophisticated as outlaws getting a job with a cleaning crew or telephone company to gain physical access to an environment. Corporate leadership must understand the risks of social engineering and take steps to protect their organizations.

One of the greatest “hackers” of all time, Kevin Mitnick, would pretend to be someone he wasn’t to gain trust, and later access, to company systems. He was so thorough in his actions that he once joined a cleaning crew so he had physical access to environments where he easily penetrated their systems and stole valuable information. Social engineering grows more and more sophisticated, and much of it builds on what Kevin Mitnick started decades ago.

Ever notice how almost no one locks their computer when they walk away? I’ve seen lawyers, human resources employees, and even the controller of an organization leave for long periods of time without locking their computers. How much critical, private, and personal information do these employees have access to? How difficult is it for a disgruntled employee to walk into one of these offices, close the door, and have at the information these key staffers have access to? How hard would it be to get on their manager’s computer, or an HR system, during a company event or lunch break? Once on the system, they could send payroll an email pretending to be a person of authority and ask for additional funds to be transferred as a “bonus” or “expense reimbursement.” Does your organization think in these terms? If not, it should.

One company I worked at had a situation where an outside party registered an Internet domain name similar to ours. They then created email accounts using the CEO and CFO names. The criminals sent an email to the controller pretending to be the CEO asking the CFO to wire money to an account. The controller began the process to send the money. Internal checks and balances caught this employee’s error and prevented the funds transfer. The controller made an egregious error; fortunately, process saved the day. Does your company have this protection? Does the leadership of your business have the awareness to protect corporate funds from attacks such as this?
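The lookalike-domain and executive-impersonation pattern in the story above is something mail gateways and SOC teams can screen for mechanically, before a human has to decide. The following is an added example written for this page, not code from the article or from any product: it parses a From header, folds common character substitutions, compares the sender domain against the organization's real domains by edit distance, and flags an external sender whose display name matches an executive. The domains, names and headers are constructed placeholders (`example-corp.com`, `Jane Doe`, and so on), and the edit-distance threshold of 2 is an assumption that suits domains of this length.

```python
"""
Added example (not from the original article): inbound-mail triage for the
lookalike-domain / executive-impersonation pattern.  All domains, names and
headers below are constructed samples, not real organizations or people.
"""

# Assumption: the organization's genuine sending domains (constructed).
TRUSTED_DOMAINS = ("example-corp.com",)

# Assumption: executives whose names attackers are likely to borrow (constructed).
EXECUTIVES = {"jane doe": "ceo", "john roe": "cfo"}

# Sender domains at or below this edit distance from a trusted domain are flagged.
LOOKALIKE_THRESHOLD = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold typical visual substitutions (rn->m, vv->w, 1->l, 0->o, ...) so that
    'examp1e-corp.com' compares equal to 'example-corp.com'."""
    domain = domain.lower()
    for pair, letter in (("rn", "m"), ("vv", "w")):
        domain = domain.replace(pair, letter)
    return domain.translate(str.maketrans("01357", "olest"))


def parse_sender(header: str):
    """'Jane Doe <jane.doe@x.com>' -> ('jane doe', 'jane.doe', 'x.com').
    A bare address yields an empty display name."""
    display, _, addr = header.rpartition("<")
    addr = addr.rstrip(">").strip()
    local, _, domain = addr.partition("@")
    return display.strip().strip('"').lower(), local.lower(), domain.lower()


def triage(header: str, trusted=TRUSTED_DOMAINS, executives=EXECUTIVES) -> list:
    """Return a list of finding strings for one From header; empty means no concern."""
    findings = []
    display, _local, domain = parse_sender(header)
    if domain in trusted:
        return findings  # genuinely internal mail is out of scope for this check
    norm = normalize_domain(domain)
    for real in trusted:
        if edit_distance(norm, normalize_domain(real)) <= LOOKALIKE_THRESHOLD:
            findings.append(f"lookalike-domain:{domain}~{real}")
    # An executive's name on mail from outside the trusted domains is the
    # CEO-fraud signature from the anecdote; flag it regardless of the domain.
    if display in executives:
        findings.append(f"executive-impersonation:{display}:{executives[display]}")
    return findings


if __name__ == "__main__":
    # Constructed headers, not real messages.
    for hdr in ("Jane Doe <jane.doe@examp1e-corp.com>",
                "Jane Doe <j.doe@example-corp.co>",
                "Jane Doe <jane.doe@example-corp.com>",
                "Bob Smith <bob@partner-example.net>"):
        print(hdr, "->", triage(hdr) or "clean")
```

A finding here is a reason to route the message for review or to require an out-of-band callback before any funds move; it is the automated counterpart of the internal checks that stopped the transfer in the story, not a replacement for them. Two caveats: very short trusted domains will match unrelated short domains at threshold 2, so tune it per domain length, and the display-name check only catches the plain form of the trick, so it belongs alongside, not instead of, a standing rule that payment changes are confirmed by phone.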

Most people are aware of phony email even when it appears to come from a trusted source. For example, when a friend or co-worker sends the ubiquitous message “Hey check out this cool website I found… ” we all know this is bogus and we stay away. It’s important for businesses to reach this level of awareness for the more sophisticated human hacking attempts mentioned above, as well as dozens of others. Leadership has an obligation to protect company information. The way around the vast majority of attacks is simply awareness. Processes and procedures must exist that protect against human error.

Humans are easier to hack than computer systems and networks. Most people are raised to be kind and helpful, leading them to inherently trust others. The concept of bad people taking advantage of the good and honest does not sit well with most people. Unfortunately, evil exists, and we all must have awareness and behave in a fashion that balances our desire to help others with protecting that which we are responsible for. “Protecting the organization from being victimized by hackers using social engineering tactics has to be the responsibility of each and every employee – every employee.”