Remote work has changed how many of us carry out our day-to-day tasks and has brought with it new cybersecurity dangers. Though social engineering has been around for decades, the shift to remote work has caused a resurgence of this common technique, and many organizations remain unprepared.
Social Engineering: A Brief Primer
Social engineering is the use of psychological manipulation to infiltrate an organization or private network at the human level, tricking unsuspecting users into revealing sensitive information or providing access to it. Unlike other forms of hacking, it cannot be guarded against with technology alone: rather than relying on technical vulnerabilities, it exploits people’s willingness to help and to trust, along with their fear of trouble or inconvenience.
Social engineering typically happens over email or other forms of communication (such as phone calls or text messages) and is used to invoke fear, urgency, or similar emotions in the victim. This psychological pressure leads the victim to click the malicious link, open the malicious file, or promptly reveal sensitive information. Because the attack targets people rather than systems, it is difficult for organizations to prevent.
The only way to defend against social engineering attacks is to educate your employees about the dangers of social engineering, how to spot suspicious requests, and the steps they can take to thwart potential attacks.
How it Works
This attack can take many forms but may go something like this:
The attacker calls or emails your help desk, pretending to be an authorized user. Using this persona, they tell the help desk that they have forgotten their password or are otherwise locked out of their account and concoct a believable story to support this claim. For example, if your organization uses two-factor authentication, they may claim they dropped their phone in the toilet, so now they can’t receive the necessary verification code.
Using this story, the attacker will convince your help desk employee to reset the target’s email address, password, or other information, thereby providing the attacker with access to the victim’s account. The attacker now has complete access to the victim’s account and may use this access to either steal sensitive information or launch subsequent social engineering attacks using the victim’s email (adding a layer of believability to future attacks).
Cybercriminals may also use social engineering to manipulate employees into handing over sensitive information by posing as an authority figure, such as a manager or client. Good employees want to be helpful and may be tempted to cooperate without first verifying the requester’s identity.
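As an added example (not part of the original article), the help-desk scenario above turned into a defender-side reset gate: a password or MFA reset is never approved on the caller’s story alone, only after a callback to a number already on file or out-of-band manager approval, and repeated reset attempts on one account are escalated for human review. The ResetRequest fields, the 24-hour window and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ResetRequest:
    account: str                      # account the caller wants reset
    claim: str                        # caller's stated reason, recorded for the audit trail
    received_at: datetime
    callback_verified: bool = False   # help desk called back a number already on file
    manager_approved: bool = False    # the user's manager confirmed the request out of band

def decide(req: ResetRequest, history: list[ResetRequest]) -> tuple[str, str]:
    """Gate a password/MFA reset. The caller's story alone is never sufficient.
    Returns (decision, reason) with decision in {'approve', 'hold', 'escalate'}."""
    window = timedelta(hours=24)   # assumed review window for the repeat-attempt check
    recent = [h for h in history
              if h.account == req.account
              and timedelta(0) <= req.received_at - h.received_at <= window]
    if len(recent) >= 2:
        # Repeated reset attempts on one account in a day: stop and hand to a human reviewer.
        return "escalate", f"{len(recent)} earlier reset requests for {req.account} in 24h"
    if req.callback_verified or req.manager_approved:
        how = "callback to number on file" if req.callback_verified else "manager approval"
        return "approve", f"identity confirmed via {how}"
    return "hold", "independent verification required; do not reset on the caller's claim"

def process(requests: list[ResetRequest]) -> list[str]:
    """Run requests in arrival order, keeping the history used for the repeat check."""
    history: list[ResetRequest] = []
    decisions: list[str] = []
    for req in requests:
        decision, reason = decide(req, history)
        decisions.append(decision)
        print(f"{req.received_at:%H:%M} {req.account:<8} {decision:<8} {reason}")
        history.append(req)
    return decisions

# Constructed sample: the "phone in the toilet" pretext from the article, played three times.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE = [
    ResetRequest("j.doe", "dropped phone in toilet, can't get 2FA code", T0),
    ResetRequest("j.doe", "same as before, please just reset it",
                 T0 + timedelta(minutes=20), callback_verified=True),
    ResetRequest("j.doe", "phone still broken, reset again", T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    process(SAMPLE)   # prints one audit line per request
```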
How Remote Work Makes Social Engineering More Effective (& Dangerous) Than Ever
Remote work has brought with it a significant reduction in the number of face-to-face interactions workers have with one another and with clients. In the past, an employee could verify a suspicious request from a co-worker simply by heading over to their office and asking; now requests and collaboration happen almost entirely online.
It’s significantly easier for someone to hide their identity online than in person, and as organizations continue to adjust their policies to reflect the reality of remote work, cybercriminals are taking advantage of the uncertainty around new protocols, procedures, and ways of doing things.
For example, a cybercriminal can now explain away the fact that they aren’t calling you from an official business phone number because they are working from home and have to use their home phone. Or maybe they need you to do something for them because you are one of the few workers still onsite. Or maybe they ask you to hop on a video call, but they can’t use their video because they have a “poor internet connection”, so you can’t visually verify who you are speaking to.
How to Recognize Potential Social Engineering Attacks
Be wary of unsolicited advice or help, particularly from sources you can’t immediately verify with absolute certainty. This holds particularly true if the person making the request is asking you to do something, such as click a link, download a file, or reset a “compromised” password. Any request for personal information (such as a password, credit card details, or Social Security number) is likely an attack.
Do not provide any personal or sensitive information, and do not click on any links or open any files. If you have been contacted by phone, hang up and contact the company directly using a method you can independently verify (such as an email address or phone number from their website).
Don’t Be Hasty
Social engineering attacks are designed to elicit one of two reactions: total lack of suspicion (so you don’t realize you are handing over access to sensitive information) or panic and fear (to prevent you from thinking rationally). Be cautious if you receive a call from anyone claiming to be from tech support. Tech support personnel are busy enough that they aren’t likely to reach out to check if everything is going fine and instead typically wait for users to contact them with specific problems. They may pretend they are following up with you, but unless you remember putting in a request ticket or can verify that you did (by, say, checking your sent emails), don’t engage.
If the person contacting you is trying to make you act quickly, they may be trying to override your better judgment. You should also be aware of sob stories or any other stories designed to manipulate you. When in doubt, ignore the email or hang up the phone.
Always Double Check
The best thing you can do when you suspect someone has tried to social engineer you is to cross-reference the information they provide and double-check with trusted sources. If your “boss” asks you to do something that seems suspicious or out of character, pick up the phone and call them directly to verify the request before proceeding.
If someone contacts you and asks you to disclose information or perform a task, always verify that the request is legitimate before taking action.
Steps You Can Take to Safeguard Your Organization
You can’t create good policies and educate your employees on best practices if you don’t know what threats to look for. Stay up to date on the latest cybersecurity threats and pay particular attention to new phishing or social engineering scams that are making the rounds. If you don’t know what types of attacks are out there, you won’t be able to prepare your organization to defend against them.
You should also be aware of common “pretexts” social engineers may use, such as posing as an internal employee with computer problems or an external consultant hired to take a survey or perform an audit. In cases like this, employees should know to always verify with their manager before divulging any information or providing any assistance. It’s better for an employee to cause a slight delay by verifying a request than to comply without question and potentially compromise your organization’s security.
Write Good Policies & Invest in Employee Training
Having clear cybersecurity policies is great, but for them to be truly effective, employees need to understand why these policies are important. It’s vital that all team members realize the important role they play in safeguarding the organization’s digital assets. Make sure you review and update your cybersecurity policies regularly so that they continue to meet your needs.
Cybersecurity is everyone’s responsibility; make sure all new hires undergo rigorous cybersecurity training and that all employees, from the most junior intern to the CEO, are undergoing regular refresher cybersecurity training.
Make sure you provide employees with a clear set of guidelines on how to respond to common situations. You can’t plan for every possible scenario, but without guidelines, employees may revert to actions they perceive as helpful, causing them to reveal sensitive information inadvertently. Make sure all employees know that if they are unsure about a request or feel it might be suspicious, they should hold off on responding or taking action until they have contacted their boss or another decision-maker and verified that the request is legitimate.
You also need to ensure you are creating a company culture that values security. Telling your employees something important is one thing, but unless your company leadership is leading by example, the message won’t stick.
Keep Your Software Up to Date
Out-of-date software poses many security threats, which is why hackers frequently use social engineering to find out whether your company is running the latest version of a program or an older, unpatched version they can exploit. Keeping your software up to date closes off potential avenues of access, making it harder for attackers to reach your systems even if they manage to sweet-talk their way in.
Pause & Reflect Before Sharing
If someone asks you for personal or sensitive information, make sure you pause and reflect before answering. Ask yourself if they actually need the information they are asking for. If it seems unlikely or you aren’t sure, politely decline to provide the information. If the requester persists, escalate the request to your superior or contact your cybersecurity team before you consider responding.
While most individuals try to be helpful and friendly, employees need to understand that this great attitude needs to be tempered with restraint.
If you suspect someone is asking for information you shouldn’t release, verify the request with your manager before responding, and make sure all employees know to do the same. This pause-and-verify approach may cause the social engineer to back off, but if they redouble their efforts, calmly explain that you need to verify their request with your manager before complying. This can be difficult to do on the phone since most people don’t want to be rude, but in this situation, it is better to step away and verify than to give in and potentially compromise your organization’s security.
Make sure employees understand that in this scenario, it is better to risk being perceived as rude and take the time to double-check than to blindly offer assistance in the name of good manners.