Ask the Expert | Winter 2021

How to help keep your company safe from social engineering cyber attacks

By Sue Ostroswki

Your business may employ every high-tech security measure available, but the human factor can still leave your company vulnerable to becoming a victim of fraud through social engineering.

“Social engineering is a term for someone getting you to do something you wouldn’t normally do by exploiting psychology,” says Don Boian, cybersecurity outreach director at Huntington. “It is the act of manipulating, influencing, or deceiving someone in order to gain access to information. And if you don’t have good human security processes, it doesn’t matter what software you have.”

Examples of social engineering include posing as a trusted source in emails or phone calls to get access to information, or something as simple as getting someone to hold the door to gain physical entry into a secure area.

“You need to understand what social engineering is, that it exists, and that you potentially have a problem,” he says. “It really starts with someone getting just a little bit of information from someone within your company who wants to be helpful.”

Resisting inherent helpfulness

You may encourage a culture of service and kindness, but a healthy dose of skepticism may help protect your business. Because most employees want to help suppliers and customers, employers need to train them to be suspicious, and always confirm who they are talking to.

“Remind employees to verify that a request is coming from an internal source before releasing information,” says Boian.

And do the same with emails. For example, someone could pose as an internal source by creating an email address that replaces an “i” in a company’s name with the number one. If you’re not looking carefully, you may release private information that someone can use to gain access to your company’s data.

“Delete suspicious emails, and don’t click on suspicious sources,” says Boian. “Don’t download software, and don’t browse untrusted sites. Never share personal information, and make sure your software is up to date.”

He also recommends flagging emails that come from an external source, and stresses that employees should be extra cautious about them.

“You really need to have procedures in place,” says Boian. “If someone asks for personal information, what are your processes and protocols to verify they are who they say they are, especially if they claim to be a customer? Say you’ll call them back at the number you have on file. It’s critical to know who you’re talking to.”

Guarding staffing information

Beyond basic leadership profiles, Boian says it’s not a good idea to post staff information on the Internet.

“If you put information out there about your people in accounts receivable or finance, that gives a scammer an access point to start making the rounds,” says Boian. “It used to be that the bad guys just reached out blindly, but now they are doing their homework, and finding targets of opportunity. They are much more thorough and understand who they are attacking.”

He says fraudsters will use open-source information to gain knowledge about a company, its leadership, and how it operates.

“They gain a little bit of knowledge and use it to get more, so you don’t want that information out there,” he says.

Fixing weaknesses

Efforts to gain access to information have increased during the COVID-19 pandemic.

“When we are stressed out, we are more emotional and make decisions more quickly,” says Boian. “In fight or flight mode, we don’t engage a logical thought process, and that is much more likely now. Bad guys know that, and they’re taking advantage of it.”

“A lot of healthcare systems recently have been held hostage for ransom,” says Boian. “The hospital thinks, ‘We’re in the middle of a crisis, I’m not even thinking through the options, I’m just going to pay.’”

However, doing so leaves your business vulnerable to the next attack.

“Paying will make them go away for a while, but they exploited some weakness to get you to the point where you have to pay,” says Boian. “If you don’t identify and fix that weakness, you’re still vulnerable to another attack—and you’ve already proven you will pay. You still have weaknesses you need to resolve. It’s not as simple as you pay, they give you your data back, and you move on.”

He says nearly every business today is reliant on technology, making every company a potential target.

“For example, healthcare records are all electronic, and if the system goes down, your doctor can still talk to you, but he has no access to records,” Boian says.

He says today’s systems still leave too much to humans, and it’s going to take the whole nation to turn that around, whether through education, standards, and/or enforcement.

“We will always have bad guys who can figure out the weakest link,” he says. “And if they can’t figure out a way to get information through technology, they use human weaknesses. There are many scams targeting people, and at the root of them is social engineering.”

For more information on social engineering, and how to avoid it, connect with your relationship manager.



The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering financial, legal, technical or other professional advice or services, or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL HAVE LIABILITY FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.