What is social engineering?
Simply put, social engineering is a tactic employed by criminals that uses human interaction in an effort to illegally obtain information about an organization or its digital assets. Often times, social engineering scams are designed to re-direct funds from an individual or company, unknowingly, to the criminal’s bank account, instead of to the legitimate account for which the payment was intended. Social engineering tactics can also be used in an effort to gain access to network credentials or other information to allow the criminal to further carry out their crimes, undetected.
What does social engineering look like and sound like?
Social engineering attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign, a plausible-sounding phone call from a criminal posing as a vendor, or even an on-site visit from a “fire inspector” who demands access to the company’s server room.
How can we prevent social engineering attacks?
Educating your employees is essential to minimizing the risk of social engineering. Even the best security system will fail if employees willingly allow unauthorized use of their workstations or email their system credentials to a criminal. In order to make your educational efforts stick, consider employing the following strategies:
- Encourage your employees to “Stop. Think. Connect.” The “Stop. Think. Connect.” campaign is a global initiative that encourages people to be smarter about online privacy and security. The motto is an easy-to-remember way to approach divulging sensitive information, both in person and online.
- Make a personal connection. The same principles that make your company vulnerable can make your employees vulnerable in their personal lives. Show employees how the same practices for security at work will make them more secure in their personal lives as well.
- Use “social proof” to your advantage. Social engineers will often deploy social proof—evidence of a large number of people or select important people engaging in a behavior as proof of its validity—in order to gain compliance. Use that to your organization’s advantage by making sure executives and managers make security a top priority as an example for the rest of the company.
- Train. Getting the information out there is important, but most adult learners retain more information when they receive interactive training. Consider specific social engineering training that encourages questions and incorporates interactive examples that relate directly to your employees’ work activities.
- Test. Make sure your educational and training efforts work by conducting regular tests. Despite growing awareness of social engineering tactics like phishing, large numbers of people still open emails. As a result, they click on links that they shouldn’t. Consider conducting an in-house phishing audit to find out just how many employees have taken their security training to heart.
You can trust your partners at Strate Insurance Group, Inc. to help identify and communicate security threats to your organization. We can also keep you up-to-date on new threats as they emerge.