Social Engineering in a Digital World

Cyber security is a growing concern for any business. At least it should be.

Most companies correctly invest a great deal in securing their IT systems. They inspect data on the perimeter of their networks, servers and workstations, filter websites that may contain malicious software, and institutionalize policies assuring proper password protection.

The list of measures taken to secure data goes on and on. Yet cyber criminals are still able to access data. How do they get past these security measures, and how can all of them be defeated so easily by someone halfway across the world?

The short answer is that they don’t always try to defeat those measures. They simply go around them.

Today, the number-one way hackers access data is by employing a tactic known as spear phishing. Their scheme involves learning as much information about a company as possible, and then using that information to convince someone on the inside to provide the data they are looking for. In short, they use information to manipulate our trust. Obtaining the necessary information to make the appeal is not difficult. Most employees post their job title and the name of their company on LinkedIn or other social media. Many companies list their executive teams on their own website, and sometimes include a bio and even photos. It’s ripe for the picking – by the wrong people.

Here’s how it goes:

A hacker gathers publicly available information on a company and its employees, including information regarding the CEO, accountant, HR director or other key players that have access to company information. He then creates a Gmail account using the CEO’s name. The actual e-mail address matters little because, in Outlook (used by most businesses), the display name is what stands out and the underlying address is easy to overlook. The cyber-thug uses this new email account – named after your CEO – to request information from someone else inside the company – say, the HR manager or accountant. The request might be for a summary of employee W2s or a report of payroll direct deposits, etc. And since it appears to come from the CEO, it usually isn’t questioned, so the recipient replies immediately with the information. By the time they realize they’ve been duped, the information is long gone and the company is left addressing a data breach.
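One defensive check that follows from this pattern, as an added example that is not part of the original article: compare the display name on inbound mail against a directory of executives and flag any match whose address is not the executive's known one. The directory, domains and sample headers below are constructed for illustration.

```python
# Added example (not from the original article): flag inbound mail whose
# From: display name matches a known executive but whose address is not
# that executive's directory address, the lookalike-account pattern above.
import re
from email.utils import parseaddr

# Constructed executive directory: display name -> only legitimate address.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com",
              "Sam Lee": "sam.lee@example.com"}

def _norm(name: str) -> str:
    """Lower-case, keep letters only and sort the tokens so that
    'DOE, Jane', 'jane  doe' and 'jane.doe' all normalise to one key."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

def classify_from_header(from_header: str) -> str:
    """Classify a raw From: header value as 'ok', 'suspicious' or 'unknown'."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, _domain = addr.partition("@")
    # Fall back to the local part when the sender set no display name,
    # which catches addresses like jane.doe@ on a webmail domain.
    key = _norm(display) if display.strip() else _norm(local)
    for exec_name, exec_addr in EXECUTIVES.items():
        if _norm(exec_name) == key:
            # Executive name present: only the directory address is trusted.
            return "ok" if addr == exec_addr else "suspicious"
    return "unknown"

def flag_suspicious(headers):
    """Return the From: values that impersonate a listed executive."""
    return [h for h in headers if classify_from_header(h) == "suspicious"]

# Constructed sample headers, including the webmail lookalike from the article.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe.ceo@gmail.com>",
    '"DOE, Jane" <janedoe1987@outlook.com>',
    "jane.doe@gmail.com",
    "Vendor Billing <billing@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_from_header(header):10s} {header}")
```

A mail gateway rule built on the same idea should still be paired with the out-of-band verification the article recommends, since a name match only raises a flag and cannot prove intent.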

Is there an automated way to protect against this? Of course, but nothing is going to be 100% successful when dealing with cyber con artists. A solution called Data Loss Prevention (DLP) will inspect any data that exits a network, but the service is expensive, may be laborious to manage, and certainly can be defeated by employees.

The best way to prevent a spear-phishing attack is for companies to make sure they have policies and user education around protected information. Everyone on staff should know what constitutes protected information and should be trained to validate any request they receive through an alternate method of communication. In other words, if the CEO makes a request via e-mail, the policy may state that the employee call the CEO and ask: “I understand you want the payroll direct deposit report. Did you request that?”