Social Engineering: Employees Could Be Your Weakest Link

Kaufman Rossin | ComputerWorld | October 22, 2015

Business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers.

Would your employees recognize a phishing email if they saw one? Social engineering, or the act of attacking the human element of information security, poses a significant risk to businesses. With the level of sophistication of cyberthreats increasing by the day, many organizations can greatly improve the steps they take to defend against these types of attacks.

Cybercriminals have long used phishing and other social engineering methods to trick their victims into providing access to confidential data, such as passwords, Social Security numbers or account numbers. But those techniques are growing in sophistication, according to Verizon’s 2015 Data Breach Investigation Report.

In addition to the tried-and-true method of sending legitimate-looking emails to unsuspecting victims, cybercriminals are now using social media and other popular platforms to launch their attacks. With many of these phishing schemes targeting employees, business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers.

While your business may invest heavily in its information security infrastructure, such as firewalls and antivirus software, these measures may not be adequate for mitigating the risk of social engineering attacks. If you want to protect your company from cyberthreats, do not underestimate the importance of the human factor.

Phishing attacks on the rise

Phishing attacks have been a factor in more than two-thirds of cyber-espionage incidents for the past three years, according to the Verizon report. Phishing is one of the most common and efficient (less time, less complexity and low cost) social engineering methods used by cybercriminals.

The Verizon study noted that more than 23% of recipients open phishing emails at some point, and 11% open the attachments — an unsettling number, especially for businesses with hundreds or thousands of employees.

And phishing is on the rise, according to APWG, a nonprofit organization founded in 2003 as the Anti-Phishing Working Group. APWG tracks worldwide information about phishing attacks. More than 197,252 unique phishing reports were submitted to APWG during the fourth quarter of 2014, the latest time period for which data is available. This was an 18% increase from the prior quarter.

Examples of social engineering attacks

Spearphishing is a specific type of phishing attack in which the attacker uses a fake email address to deceive an individual in an attempt to gain unauthorized access to personal information. This is a highly targeted operation in which the hacker has at least some information that he can use to make himself seem familiar to the intended victim.

Social networks are increasingly being used to perform spearphishing attacks. Cybercriminals can also use crawling sites to gather information from social media. And some are even using Google Drive to stage phishing attacks.

Here are just a few examples of the types of phishing attacks that you or your employees could fall victim to:

  • Via LinkedIn: A hacker creates a fake LinkedIn profile in order to target employees at a specific company. He uses the fake profile to access information about the targets’ current and past employers, job titles, email address and connections. This information could enable him to design a more effective spear phishing attack.
  • Via LinkedIn email: A hacker sends a fake email that looks like it is coming from LinkedIn. When the victim clicks on the link in the email to “accept connection request,” it takes him to a fake LinkedIn login page. If the user logs in, his login information will be compromised.
  • Via email attachment: An employee within the targeted organization receives an email with an attachment (e.g., fake invoice or report) for review. The attachment could look like a .zip file with an embedded PDF file icon, although it is actually an .exe (an executable file that runs a program). The downloaded malware file is installed on the business network where it has access to sensitive data, putting the company and its clients at risk.
  • Via email link: A victim receives an email pretending to be from a financial institution or other trusted source. The email contains a fake link to a fake website where the victim’s computer becomes infected with malware, allowing the hacker to access the computer remotely and steal personal information, passwords, user IDs and online transaction information.

How to boost your employees’ ‘hacker IQ’

In addition to establishing an information security program and using firewalls and/or content filtering to restrict access to potentially malicious information, it is important to train your employees.

Social engineering phishing testing can help you identify vulnerabilities and monitor the effectiveness of information security policies, procedures and training at your company. In these tests, an email with a fake link is sent to targeted employees. Employees who click on the link will be taken to a website with training resources about phishing, and test performance is measured and reported to management. A qualified consulting firm can assist your company by performing this testing quarterly or semiannually.

The greater an employee’s awareness, the less likely he or she will fall victim to social engineering attacks. In addition to conducting phishing tests, you can train employees on email and browser security best practices, including these tips:

  • Resist the urge to click links in a suspicious email.
  • Check the Web address of a link (by placing your mouse cursor over the link) and the sender’s email address before visiting the destination website.
  • Visit websites directly rather than clicking links in emails.
  • Be cautious of email attachments, even if it looks like it’s from a familiar sender.
  • Check for signs such as poor quality of the logo or email, poor grammar or misspellings.

Your employees can also be one of your company’s greatest vulnerabilities in the face of growing cyberthreats. However, with proper training, they could also be one of your best defenses against social engineering attacks.