According to GetApp’s recent data security survey, only 27 percent of companies provide social engineering awareness training for their employees. That means nearly 75 percent of businesses could be leaving their employees to fend for themselves against masters of manipulation. Companies must train employees on how to recognize social engineering techniques that are designed to exploit human nature for access to sensitive company data.
Social engineers typically investigate an individual or organization before carrying out attacks such as spear phishing or business email compromise (BEC). This includes conducting background research using social media, corporate websites, Google maps, and public records. Armed with this knowledge, scammers are able to conduct their schemes inconspicuously, put employees at ease, and even build a rapport with their targets.
This is often easier than you might think. For example, Venmo is a peer-to-peer payment platform with a social networking element that allows you to see other people’s activity. Venmo transactions are made public by default so a significant percentage of the company’s 40+ million users are broadcasting payment information that gives insight into relationships, interests, and routines. This is information that can easily be used to manipulate or impersonate a user.
Once they have the background information they need, social engineers target:
Network credentials (e.g., username, password)
Network information (e.g., IP info, network topology)
Company organizational charts
Recommended reading: How to Remove Personal Information from the Internet
Most people are trusting and willing to help others; these are two of the primary human characteristics that have allowed us to build a successful society. But some see generous human nature as something to cynically exploit for access to information and profit. Several elements of human nature are targeted by social engineers, including:
People generally act to help others altruistically and are not usually suspicious of others’ motives. Recognizing this, social engineers often prompt victims to act out of an unselfish desire to be helpful. This is often positioned as needing help verifying information or assistance solving a problem for a client.
People commonly act out of a desire to avoid conflict, even when they’re unsure. For example, when accessing a secure building, it’s common to allow someone to piggyback without authentication, whether they’re recognized or not. Rarely will someone stop the person, explain their valid concerns about building security, and refuse entry.
People are generally conditioned to comply with requests or commands from superiors and authorities without asking questions. For this reason, social engineers sometimes pose as a company executive or as a government official. This is the basis for W-2 schemes whereby a fraudster poses as a company executive or IRS official demanding tax documents.
Pretexting is the practice of fabricating a scenario or lying about one’s identity to deceive someone into providing privileged information. Pretexting is a social engineering technique commonly employed through email, over the phone, or in person. If a criminal can convince an employee that they are calling from technical support, the employee might provide their network credentials without thinking twice.
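The executive-impersonation and pretexting patterns described above leave a technical trace that a mail gateway or SOC can check for: a display name that matches a known executive while the sender's address is on an outside domain, or a Reply-To that redirects the conversation to an external mailbox. The following is an added example, not code from the original article or from GetApp; the company domain, the executive names and the sample messages are all constructed for illustration, and it goes a little beyond the text by attaching a higher severity when the subject line mentions W-2 or tax documents, the pretext the article cites.

```python
# Added example (not from the original article): flag inbound mail that uses an
# executive's name from an external address, or that diverts replies off-domain.
# Domains, names and messages below are constructed placeholders.
from email.utils import parseaddr
import re

CORPORATE_DOMAINS = {"example-corp.com"}      # assumption: the company's own mail domains
EXECUTIVES = {"jane doe", "john roe"}         # assumption: names likely to be impersonated
SENSITIVE_SUBJECT = re.compile(r"\b(w-?2|tax)\b", re.IGNORECASE)  # W-2 / tax-document pretexts


def normalize_name(name: str) -> str:
    """Lower-case, drop parenthetical titles and handle 'Last, First' so that
    'Doe, Jane', 'JANE  DOE' and 'Jane Doe (CEO)' all compare equal."""
    name = re.sub(r"\(.*?\)", "", name)
    parts = re.findall(r"[a-z]+", name.lower())
    if "," in name and len(parts) >= 2:       # 'Last, First ...' -> 'First ... Last'
        parts = parts[1:] + parts[:1]
    return " ".join(parts)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(msg: dict) -> dict:
    """Return a verdict for one message given its parsed header fields.
    Severity is 'none' (no findings), 'medium', or 'high' when the subject
    also asks for W-2 / tax material."""
    display, addr = parseaddr(msg.get("From", ""))
    reasons = []

    # Finding 1: executive display name, but the address is not ours.
    if normalize_name(display) in EXECUTIVES and _domain(addr) not in CORPORATE_DOMAINS:
        reasons.append("executive display name from external domain")

    # Finding 2: replies are routed to a different, external mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower() \
            and _domain(reply_addr) not in CORPORATE_DOMAINS:
        reasons.append("Reply-To points to an external address")

    severity = "none"
    if reasons:
        severity = "high" if SENSITIVE_SUBJECT.search(msg.get("Subject", "")) else "medium"
    return {"from": addr, "severity": severity, "reasons": reasons}


# Constructed sample messages (header fields only).
SAMPLE_MESSAGES = [
    {"From": '"Jane Doe" <jane.doe@webmail.example>',
     "Subject": "W-2 forms needed today"},
    {"From": '"Jane Doe" <jane.doe@example-corp.com>',
     "Subject": "Board deck"},
    {"From": '"Doe, Jane" <jdoe@example-corp.com>',
     "Reply-To": '"Jane Doe" <jane.doe.ceo@webmail.example>',
     "Subject": "Quick favor"},
    {"From": '"Bob Smith" <bob@vendor.example>',
     "Subject": "Invoice attached"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(assess_message(m))
```

The name normalization matters more than it looks: impersonators rarely copy the directory entry exactly, so comparing raw strings misses "Doe, Jane" and "Jane Doe (CEO)". A real deployment would load the executive list and domains from the directory rather than constants, and would treat a "high" verdict as a reason to quarantine or hold the message for review rather than merely tag it.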
Even laws designed specifically to protect privacy and improve transparency can be exploited by social engineering techniques such as pretexting. At the recent Black Hat security conference, researcher James Pavur revealed the ease with which he exploited GDPR’s right of access provision. Under the auspices of the European privacy law, Pavur used various social engineering techniques to obtain his fiancee’s data from numerous websites without providing proper identification.
It’s easy to place blame on employees who fall prey to social engineering techniques, but the fault usually lies with underdeveloped security policies and lack of regular training.
GetApp’s recent data security survey found that 43% of respondents report that their company does not provide data security training on a regular basis; 8% reported never receiving training. Much like malware and other security threats, social engineering techniques are continually evolving and becoming more sophisticated. Organizations must provide regular security training and ensure that it’s up-to-date.
Prior to conducting social engineering awareness training, you should send out a survey asking about employee security practices. This can include questions such as “How often do you reuse passwords?” with answer choices such as “never, occasionally, often, and always.” Gaps in security hygiene can be used to inform training classes and improve security policies. Phishing tests can also be used to gauge employee susceptibility to social engineering techniques.
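Survey answers and phishing-test results are only useful once they are turned into a prioritized list of who needs which training. The script below is an added example, not code from the original article or from GetApp; the departments, survey responses and simulation outcomes are constructed. It scores each department on how often staff clicked a simulated lure, how often they reported it (the metric that actually tells you whether the "guardian" mindset exists), and how many answered "often" or "always" to the article's password-reuse question, and it refuses to rank a department with too few data points.

```python
# Added example (not from the original article): combine phishing-simulation
# results with security-hygiene survey answers to rank departments for training.
# All data below is constructed for illustration.
from collections import defaultdict

# Answer scale from the article's example question "How often do you reuse passwords?"
ANSWER_SCALE = {"never": 0, "occasionally": 1, "often": 2, "always": 3}

# Constructed phishing-simulation results: one row per recipient.
# clicked  = followed the lure link; reported = forwarded the lure to security.
PHISH_RESULTS = [
    {"dept": "finance", "clicked": True, "reported": False},
    {"dept": "finance", "clicked": True, "reported": False},
    {"dept": "finance", "clicked": False, "reported": True},
    {"dept": "finance", "clicked": True, "reported": False},
    {"dept": "engineering", "clicked": False, "reported": True},
    {"dept": "engineering", "clicked": False, "reported": True},
    {"dept": "engineering", "clicked": True, "reported": False},
    {"dept": "engineering", "clicked": False, "reported": True},
    {"dept": "legal", "clicked": True, "reported": False},
    {"dept": "legal", "clicked": False, "reported": False},
]

# Constructed survey responses to the password-reuse question.
SURVEY = [
    {"dept": "finance", "reuse_passwords": "often"},
    {"dept": "finance", "reuse_passwords": "always"},
    {"dept": "finance", "reuse_passwords": "never"},
    {"dept": "engineering", "reuse_passwords": "never"},
    {"dept": "engineering", "reuse_passwords": "occasionally"},
    {"dept": "engineering", "reuse_passwords": "often"},
    {"dept": "legal", "reuse_passwords": "always"},
]


def phishing_metrics(results, min_sample=3):
    """Per-department click and report rates. Departments with fewer than
    min_sample recipients get None rates: a 1-of-2 click rate is noise, not a finding."""
    groups = defaultdict(list)
    for row in results:
        groups[row["dept"]].append(row)
    metrics = {}
    for dept, rows in groups.items():
        n = len(rows)
        if n < min_sample:
            metrics[dept] = {"n": n, "click_rate": None, "report_rate": None}
            continue
        metrics[dept] = {
            "n": n,
            "click_rate": round(sum(r["clicked"] for r in rows) / n, 2),
            "report_rate": round(sum(r["reported"] for r in rows) / n, 2),
        }
    return metrics


def survey_gaps(survey, question="reuse_passwords", threshold="often"):
    """Share of each department answering at or above `threshold` on the scale."""
    groups = defaultdict(list)
    for row in survey:
        groups[row["dept"]].append(ANSWER_SCALE[row[question]])
    cutoff = ANSWER_SCALE[threshold]
    return {d: round(sum(v >= cutoff for v in vals) / len(vals), 2) for d, vals in groups.items()}


def training_priorities(results, survey):
    """Rank departments: high click rate, low report rate and a large survey gap
    all push a department up the list. Score is the sum of the three terms (0..3)."""
    metrics = phishing_metrics(results)
    gaps = survey_gaps(survey)
    ranked = []
    for dept, m in metrics.items():
        if m["click_rate"] is None:
            continue  # not enough data to rank; run another round before acting on it
        score = m["click_rate"] + (1 - m["report_rate"]) + gaps.get(dept, 0)
        ranked.append((dept, round(score, 2)))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for dept, score in training_priorities(PHISH_RESULTS, SURVEY):
        print(f"{dept}: {score}")
```

The report rate is deliberately weighted as much as the click rate: a department where nobody clicks but nobody reports either has not learned to raise the alarm, and the next lure may be better crafted. Run the same script after each training cycle and the change in scores is your measure of whether the training worked.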
But training isn’t enough. Once they’re aware of the methods used for manipulation, employees must be empowered to use their best judgement and trust their instincts. This doesn’t mean your staff needs to be paranoid, but they should have a security mindset and view themselves as guardians of the company’s data.
If yours is one of the overwhelming number of businesses that don’t provide social engineering awareness training, consider developing a course tailored to your specific risks. A variety of training and learning management system software is available that is as effective as it is easy to use.
The data security survey referenced in this article was conducted by GetApp in June 2019 using Amazon Mechanical Turk among 714 respondents who reported full-time employment in the United States.