By Sue Ostroswki
Your business may employ every high-tech security measure available, but the human factor can still leave your company vulnerable to becoming a victim of fraud through social engineering.
“Social engineering is a term for someone getting you to do something you wouldn’t normally do by exploiting psychology,” says Don Boian, cybersecurity outreach director at Huntington. “It is the act of manipulating, influencing, or deceiving someone in order to gain access to information. And if you don’t have good human security processes, it doesn’t matter what software you have.”
Examples of social engineering include posing as a trusted source in emails or phone calls to get access to information, or something as simple as getting someone to hold the door to gain physical entry into a secure area.
“You need to understand what social engineering is, that it exists, and that you potentially have a problem,” he says. “It really starts with someone getting just a little bit of information from someone within your company who wants to be helpful.”
Resisting inherent helpfulness
You may encourage a culture of service and kindness, but a healthy dose of skepticism helps protect your business. Because most employees want to help suppliers and customers, employers need to train them to be appropriately suspicious and to always confirm who they are actually talking to.
“Remind employees to verify that a request is coming from an internal source before releasing information,” says Boian.
And do the same with emails. For example, someone could pose as an internal sender by registering a lookalike domain that replaces an “i” in a company’s name with the number one. If you’re not looking carefully, you may release private information that someone can then use to gain access to your company’s data.
“Delete suspicious emails, and don’t click on suspicious sources,” says Boian. “Don’t download software, and don’t browse untrusted sites. Never share personal information, and make sure your software is up to date.”
He also recommends flagging emails that come from an external source, and stresses that employees should be extra cautious about them.
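The two controls just described, spotting a lookalike sending domain and flagging mail from outside the organization, can be automated at the mail gateway. The following is an added example written for this page; it is not code from the article or from Huntington. It assumes a constructed list of legitimate internal domains (`INTERNAL_DOMAINS`) and a small table of characters that commonly stand in for one another, and it classifies a sender address as internal, external, or a suspected lookalike before tagging the subject line.

```python
import re
from difflib import SequenceMatcher

# Constructed for this example: the domains the organization legitimately sends from.
INTERNAL_DOMAINS = {"huntington.com"}

# Characters and pairs that are commonly swapped to build a lookalike domain,
# mapped to the letter they imitate. Longer keys are applied first.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "1": "i",
    "l": "i",
    "0": "o",
    "5": "s",
    "3": "e",
}

# Two domains whose similarity ratio is at or above this threshold are treated
# as lookalikes even if no confusable swap explains the difference (e.g. one
# extra or missing letter). Threshold chosen for this example, not a standard.
SIMILARITY_THRESHOLD = 0.9


def normalise(domain):
    """Fold confusable characters so 'hunt1ngton.com' and 'huntington.com' compare equal."""
    folded = domain.lower()
    for source, target in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(source, target)
    return folded


def classify_sender(address):
    """Return (verdict, domain) where verdict is one of:
    'internal'  - domain is exactly one of ours
    'lookalike' - domain imitates one of ours via confusables or near-identical spelling
    'external'  - any other domain
    'invalid'   - not a parseable address
    """
    match = re.match(r"^[^@\s]+@([^@\s]+)$", address.strip())
    if not match:
        return ("invalid", "")
    domain = match.group(1).lower()
    if domain in INTERNAL_DOMAINS:
        return ("internal", domain)
    canonical = normalise(domain)
    for internal in INTERNAL_DOMAINS:
        if canonical == normalise(internal):
            return ("lookalike", domain)
        if SequenceMatcher(None, domain, internal).ratio() >= SIMILARITY_THRESHOLD:
            return ("lookalike", domain)
    return ("external", domain)


def tag_subject(address, subject):
    """Prefix the subject so the reader sees at a glance that the mail is not internal."""
    verdict, _ = classify_sender(address)
    if verdict == "internal":
        return subject
    if verdict == "lookalike":
        return "[SUSPECTED LOOKALIKE SENDER] " + subject
    return "[EXTERNAL] " + subject


if __name__ == "__main__":
    # Constructed sample senders for demonstration.
    for sender in ["ap@huntington.com", "ap@hunt1ngton.com",
                   "billing@huntingt0n.com", "vendor@example.com"]:
        print(sender, "->", tag_subject(sender, "Updated wire instructions"))
```

The exact-match check runs before the fuzzy checks so legitimate internal mail is never tagged, and the confusable table is applied to both sides of the comparison so a swap in either direction is caught. The tag is an attention cue for the employee; the callback-to-a-number-on-file step the article describes next is still what actually verifies the request.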
“You really need to have procedures in place,” says Boian. “If someone asks for personal information, what are your processes and protocols to verify they are who they say they are, especially if they claim to be a customer? Say you’ll call them back at the number you have on file. It’s critical to know who you’re talking to.”
Guarding staffing information
Beyond basic leadership profiles, Boian says it’s not a good idea to post staff information on the Internet.
“If you put information out there about your people in accounts receivable or finance, that gives a scammer an access point to start making the rounds,” says Boian. “It used to be that the bad guys just reached out blindly, but now they are doing their homework, and finding targets of opportunity. They are much more thorough and understand who they are attacking.”
He says fraudsters will use open-source information to gain knowledge about a company, its leadership, and how it operates.
“They gain a little bit of knowledge and use it to get more, so you don’t want that information out there,” he says.
Efforts to gain access to information have increased during the COVID-19 pandemic.
“When we are stressed out, we are more emotional and make decisions more quickly,” says Boian. “In fight or flight mode, we don’t engage a logical thought process, and that is much more likely now. Bad guys know that, and they’re taking advantage of it.”
“A lot of healthcare systems recently have been held hostage for ransom,” says Boian. “The hospital thinks, ‘We’re in the middle of a crisis, I’m not even thinking through the options, I’m just going to pay.’”
However, doing so leaves your business vulnerable to the next attack.
“Paying will make them go away for a while, but they exploited some weakness to get you to the point where you have to pay,” says Boian. “If you don’t identify and fix that weakness, you’re still vulnerable to another attack—and you’ve already proven you will pay. You still have weaknesses you need to resolve. It’s not as simple as you pay, they give you your data back, and you move on.”
He says nearly every business today is reliant on technology, making every company a potential target.
“For example, healthcare records are all electronic, and if the system goes down, your doctor can still talk to you, but he has no access to records,” Boian says.
He says today’s systems still leave too much to humans, and it’s going to take the whole nation to turn that around, whether through education, standards, and/or enforcement.
“We will always have bad guys who can figure out the weakest link,” he says. “And if they can’t figure out a way to get information through technology, they use human weaknesses. There are many scams targeting people, and at the root of them is social engineering.”
For more information on social engineering, and how to avoid it, connect with your relationship manager.