A company's database administrator loves social media. He does not put any detailed information about his job on social media sites, but like many people, he includes numerous details about his family, hobbies, and interests outside of work. A hacker takes notice and gathers all the information he can about this individual from those sites. The hacker then calls the company, impersonating the administrator. He asks the company rep to reset his password, claiming he has forgotten it. The hacker is able to correctly answer all the standard security questions because of the information he gathered online. The rep resets the password, thereby giving the hacker access to the company's databases. The hacker then downloads more than a gigabyte of data that includes usernames, passwords, and credit card numbers. He also deletes all the data in the databases.
This is not a fictitious scenario meant to scare you, but rather an account of what actually happened to WHMCS, a company that makes online billing and support solutions. Could a nightmare like this occur at your business?
Even if your company has the most advanced security systems in place, hackers might still be able to get past them with relative ease. Instead of cracking those security systems, they might try to con your employees into giving them the information they need to access your business's accounts or computer systems. This is referred to as social engineering. Hackers like to use social engineering attacks because exploiting human behavior is usually easier than hacking security and computer systems.
Social engineering attacks can occur via email, over the phone, and even in person. Information about attacks that arrive by email (phishing and its targeted form, spear phishing) is abundant, partly because there is evidence (the email itself) to study. There is much less information about social engineering attacks that occur over the phone and in person. Few companies routinely record phone calls or have security cameras installed throughout their buildings, which is what would be needed to capture interactions between hackers and employees. Because there is little evidence from social engineering attacks that occur over the phone or in person, companies might not even realize how the hackers got into their computer systems.
Fortunately, social engineering experts are helping to fill this information void by revealing some common tactics that hackers use to carry out social engineering attacks over the phone and in person. Those tactics include impersonating people and playing mind games.
Conning Employees by Impersonating People
To perpetrate social engineering attacks in person or over the phone, hackers often masquerade as employees, like the WHMCS hacker did. However, they also might pretend to be suppliers, customers, or trusted outside authority figures (e.g., firefighters, auditors). For example, when social engineering expert Chris Nickerson was hired by a company to test its security systems, he bought a Cisco shirt at a thrift store and pretended to be a Cisco engineer who was working on the phone system. His ruse worked. He gained entrance into the company and hacked the company's servers.
To impersonate people, hackers usually learn the business lingo. When they use the acronyms and terms that a business's employees are accustomed to hearing, the employees are more apt to believe the hackers and do what they ask, according to Sal Lifrieri, a consultant who educates companies about social engineering tactics.
Besides learning the business lingo, hackers sometimes search the Internet for personal information that can help them in their impersonations, especially if they are masquerading as employees. Information found on LinkedIn, Facebook, and other social media sites can help answer security questions such as "Where did you go to high school?" and "What is the name of your favorite pet?" Plus, hackers sometimes search public records for information. For instance, marriage records can provide the answer to the security question "What is your mother's maiden name?"
Hackers also take other measures to make their ruse convincing. For example, if they are calling their victims, they often use caller ID spoofing. In other words, they falsify the information transmitted to caller ID displays to disguise their identities.
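The two preceding points (security questions answered from public profiles, and caller ID that cannot be trusted) are easy to see in code. The following Python is an added example, not code from the original article or from WHMCS: a toy help-desk password-reset flow that checks the same request two ways. The first path is knowledge-based verification, which the attacker in the opening story beat with scraped answers; the second sends a one-time code to a phone number already on file rather than to whatever number the caller is calling from. The account name, the scraped profile, the phone number and the DELIVERED dictionary standing in for the phone network are all constructed for illustration, and the out-of-band design is this example's own suggestion, not a recommendation the article itself makes.

```python
# Added example (not from the original article): a toy help-desk password-reset
# flow contrasting knowledge-based verification ("security questions") with
# out-of-band verification (a one-time code sent to a contact channel on file).
# All names, data and the delivery channel are constructed for illustration.
import hashlib
import hmac
import secrets

# Constructed "public" profile: details an attacker could compile from social
# media and public records about the target, as the article describes.
SCRAPED_PROFILE = {
    "high_school": "Lincoln High School",
    "favorite_pet": "Biscuit",
    "mother_maiden_name": "Alvarez",
}

# Stand-in for the phone/SMS network: codes "delivered" to a number on file.
# The attacker controls only their own (spoofable) number, not the one on file.
DELIVERED = {}


def _normalize(answer: str) -> str:
    """Case- and whitespace-insensitive comparison, as help-desk tools usually do."""
    return " ".join(answer.lower().split())


class Account:
    """Hypothetical help-desk record for one user."""

    def __init__(self, username: str, phone_on_file: str, answers: dict):
        self.username = username
        self.phone_on_file = phone_on_file
        self.salt = secrets.token_bytes(16)
        # Answers are stored salted and hashed; that protects the database,
        # but does nothing if the answers themselves are public knowledge.
        self._answers = {
            q: hashlib.sha256(self.salt + _normalize(a).encode()).digest()
            for q, a in answers.items()
        }
        self._pending_code = None
        self._attempts_left = 0

    # --- Weak path: knowledge-based authentication (what the WHMCS attacker beat)
    def verify_by_questions(self, supplied: dict) -> bool:
        """True only if every stored question is answered correctly."""
        for question, digest in self._answers.items():
            guess = hashlib.sha256(
                self.salt + _normalize(supplied.get(question, "")).encode()
            ).digest()
            if not hmac.compare_digest(guess, digest):
                return False
        return True

    # --- Stronger path: one-time code to the contact channel already on file
    def start_code_verification(self) -> None:
        """Generate a 6-digit code and 'send' it to the number on record, never
        to the number the caller is calling from (caller ID can be spoofed)."""
        self._pending_code = f"{secrets.randbelow(10**6):06d}"
        self._attempts_left = 3
        DELIVERED[self.phone_on_file] = self._pending_code

    def verify_by_code(self, code: str) -> bool:
        """Single-use, attempt-limited check of the code the caller reads back."""
        if self._pending_code is None or self._attempts_left <= 0:
            return False
        self._attempts_left -= 1
        ok = hmac.compare_digest(code, self._pending_code)
        if ok or self._attempts_left == 0:
            self._pending_code = None  # consume the code on success or lockout
        return ok


def demo() -> dict:
    """Runs the impersonation attempt against both paths; returns the outcomes."""
    acct = Account(
        "dba",
        phone_on_file="+1-555-0100",
        answers={
            "high_school": "Lincoln High School",
            "favorite_pet": "biscuit",
            "mother_maiden_name": "Alvarez",
        },
    )
    # 1. The attacker answers the questions straight from the scraped profile.
    kba_result = acct.verify_by_questions(SCRAPED_PROFILE)

    # 2. With code verification the code reaches only the real phone. The
    #    attacker can only guess; the guess is forced to differ from the real
    #    code here purely so the demo is deterministic.
    acct.start_code_verification()
    real_code = DELIVERED[acct.phone_on_file]
    blind_guess = "000000" if real_code != "000000" else "999999"
    attacker_result = acct.verify_by_code(blind_guess)
    owner_result = acct.verify_by_code(real_code)    # owner reads it off their phone
    replay_result = acct.verify_by_code(real_code)   # already consumed

    return {
        "kba_passed_with_public_info": kba_result,
        "attacker_guess_passed": attacker_result,
        "owner_code_passed": owner_result,
        "replay_passed": replay_result,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is where the secret lives: a security answer is a secret the user has very likely already published, while a freshly generated code is a secret that exists only on the channel the company recorded before the call began. The code path also ignores the caller's displayed number entirely, which is what makes caller ID spoofing irrelevant to it.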
Playing Mind Games
Hackers play mind games with their victims. Even though the individuals are under attack, it does not feel that way to them. Hackers pull this off in several ways, according to social engineering experts Brian Brushwood and Chris Hadnagy. Common psychological tricks include:
- Projecting confidence: Instead of sneaking around, hackers approach people and draw attention to themselves. They act like they belong there and have nothing to hide.
- Using humor: Hackers use humor because it typically makes people feel more at ease.
- Giving employees something: When people receive a small gift or favor, it is human nature to feel the need to reciprocate. Hackers take advantage of this inclination, making sure that enough time has passed between their gesture and the favor they are asking for in return. They know that giving a gift and then immediately asking for a favor will be perceived as a bribe.
- Offering a reason for a request: People are much more likely to respond to a request if they hear the word "because" followed by the reason for that request, even if the reason is not very compelling, according to a Harvard research study. Hackers tap into this tendency and offer reasons for any requests that they make.
- Feigning trust: Gaining someone's trust typically takes time, so hackers usually do not try to get their victims to trust them. Instead, hackers try to make the victims believe that they trust them. This helps build a rapport, making the victims feel more at ease.
How to Protect Your Business
There are several measures you can take to protect your business from social engineering attacks that occur over the phone or in person. Employee education tops the list. You need to let employees know that social engineering attacks are not just limited to emails — they can occur over the phone and in person. Employees also need to be aware of the tactics hackers commonly use in those attacks.
Besides letting employees know about social engineering tactics, you need to discuss the dangers of providing too much information (both personal and company related) on social media sites. You might even consider implementing a social media policy that provides guidance on what company-related information they can post on these sites.
Another measure you might need to take is revisiting your physical-security procedures. For example, if you are not already doing so, you should lock your server room and escort visitors when they are walking through your office.
Finally, you can check with your IT service provider to see whether they have any further recommendations specific to your business. They can also provide a security assessment that includes vulnerability testing.