Social engineering is an art form.
Whether it’s a spoofed email, phone call, or download link, social engineering is a well-researched and effective tactic for getting you to give up confidential information. It can affect not only you but also your business if proper permissions, network monitoring, and processes are not put into action. To help you visualize what this looks like in practice, here are a few scenarios we have seen in the last few years:
1) Compromised employee LinkedIn profile – A finance employee had a weak password and their LinkedIn account was compromised. The social engineer could see all of that employee’s contacts, relationships, and conversations. From this, the social engineer worked out the relationship between the finance employee and the owner, and also learned from her job search that she was in financial trouble. The social engineer then sent the finance employee a spoofed email, appearing to come from the owner, asking her to wire $50,000 to an overseas bank. Unfortunately, she actually did it, but thankfully the bank was able to recover the money. She still has her job, and the company now has a new wire transfer process.
2) A C-level employee was sent a spoofed email appearing to come from their attorney, explaining that they were being sued. The spoofed email stated that they were being served papers electronically and told them to click a link to review the details of the lawsuit. Their WatchGuard firewall blocked access to the website because of the WatchGuard security suite running in the background.
3) A “social engineer” called an employee claiming to be from Microsoft and told her that the licensing on her computer was not legal, and that they needed to remote in to fix it or she risked being sued. Because proper network permissions were in place, she was unable to install the software that would have allowed the caller to remotely control her device.
What can you do?
Be skeptical – If it looks like a steak but smells like a fish – it probably isn’t right. Create and review your operating procedures with your staff – such as a proper process on wire transfers, support, and social media.
Standardization – Set up a protocol such as a standardized email signature company-wide on every device – PC, phone, tablet, etc. Spoofed emails generally cannot reproduce a well-done email signature that everyone is familiar with, so an internal email arriving without it is an easy cue for an employee to be even more skeptical.
Proper Permissions – Verify that your standard employees on a Microsoft network are set up as standard users, not administrators. If an employee accidentally falls for a social engineering phone call, a standard Windows account cannot install anything without your approval.
Network Security – Have your network assessed for network security best practices. All of our VitalCare IT Managed Services clients have a comprehensive layered network security solution from Antivirus to Firewall tracking.
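The “Proper Permissions” point above is easy to state and easy to drift from: a user who was made a local administrator for a one-off software install often keeps that right indefinitely. The following PowerShell script is an added example, not code from the original post or from VitalCare, for auditing who actually holds local administrator rights on a Windows workstation. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), that it is run with administrator rights, and that the `$AllowedAdmins` list is a hypothetical allow-list you would adjust to your own environment.

```powershell
# Added example: report every member of the local Administrators group that is not
# on an agreed allow-list, so "standard employees are standard users" can be checked
# rather than assumed. Requires Windows PowerShell 5.1+ and an elevated session.

# Hypothetical allow-list: accounts or groups that are expected to be local admins.
$AllowedAdmins = @(
    'Administrator',   # built-in local administrator (ideally renamed or disabled)
    'Domain Admins'    # domain group normally present on domain-joined machines
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$AllowList = $AllowedAdmins
    )

    # Enumerate members of the built-in Administrators group on this machine.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        # Name is returned as COMPUTER\account or DOMAIN\account; compare the account part.
        $short = ($m.Name -split '\\')[-1]

        if ($AllowList -notcontains $short) {
            [PSCustomObject]@{
                Computer    = $env:COMPUTERNAME
                Account     = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            }
        }
    }
}

$findings = Get-UnexpectedLocalAdmins

if ($findings) {
    Write-Warning "Accounts with local administrator rights that are not on the allow-list:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected local administrators on $env:COMPUTERNAME."
}
```

Run it on each workstation (or push it through your management tooling) and treat every line it reports as a question: either the account genuinely needs administrator rights, in which case it belongs on the allow-list, or it should be moved back to a standard user so that a convincing phone call cannot turn into a remote-control install.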
As always, contact us with any questions you may have.