Risky Business: Social Engineering

Cons…hustles…frauds…rackets…whatever your preferred terminology, tricks that take advantage of human vulnerabilities fall under the umbrella of “social engineering.” The notion of exploiting someone’s good nature for personal gain is older than Judas and may seem completely disconnected from today’s high-tech landscape. But the reality is that technology only serves to magnify the scope and reach of social engineering scams.

From phishing emails and SMS phishing (smishing) messages, to voice phishing (vishing) calls and in-person ploys, social engineering threats are pervasive, persistent, and damaging to individuals and organizations. And technical safeguards are no match against poor decision-making in these situations.

The human component is a critical factor on both sides of the equation. On one hand you have scammers who tap into human weaknesses, devising deceptions that seem real and believable. But on the other hand is the fact that these scams have no legs unless the marks allow themselves to be manipulated. It all rides on the recipients; without buy-in, there is no success.

At Wombat, we know that employee behaviors make or break a social engineering attack. Industry experts agree. The results of an October 2014 Dark Reading flash poll revealed that 56% of security professionals find lack of employee awareness to be the most dangerous social engineering threat to their organizations. That’s why it’s so critical to teach users how to recognize scams and react appropriately.

Three Risky Behaviors to Address

At Wombat, we design our interactive assessments and training modules to give employees insights into real-world social engineering attacks, providing hands-on practice that helps users identify and evade traps. Following are three key behaviors our security awareness and training programs can address and improve, reducing risks within your organization:

1. Clicking without thinking – Phishing emails and smishing texts — even the most believable of the bunch — are nothing without interaction from users. Our assessments and training teach employees how to recognize dangerous messages, how to identify malicious links, and what to do with attachments and forms.
2. Sharing too much over the phone – How easy is it to pretend to be someone you’re not over the phone? Ridiculously easy. The anonymity offered though voice-to-voice connections is the bedrock of vishing schemes. It’s critical that your employees know the warning signs associated with these types of attacks and the precautions they can take to ensure they don’t reveal sensitive information to unauthorized individuals.
3. Giving imposters access to secure areas – Many social engineers are confident and brazen enough to execute their attacks in person. We teach your employees how to thwart imposters — including those who present themselves as technicians, vendors, and even coworkers — and how to respond to techniques like eavesdropping and tailgating.