How to Protect Your Business From Social Engineering Attacks

More than two-thirds of hacking happens without having to break into accounts or install viruses but by simply asking an employee to hand in valuable information, having a convincing pretext. Skilled hackers can morph into different roles - a janitor, an employee, tech support, and even CEO. 

Choosing an advanced solution to keep your data safe and secure is the first critical step you need to take to protect your business from losses. And then secure the weakest link in your organisation, your people. 

Hackers are clever, creative, and know how to find ways around barriers. But being aware of the common attacks and how hackers think, educating your employees, and testing them will make hacking a much more difficult game.  

Reverse engineer it

Social engineering is knowing how to tell a convincing story about why you need certain information or access to a place - scamming, phishing, identity theft, or simply asking. 

The first step is to research the target - your email, address, phone number, client list, and any other valuable information that can be found. Google your and your company name to know what comes up and what information might make you vulnerable. Check what you have shared through your social media channels and if it can be used against you. 

Question everything. The front door of your office building might be secured but is there a back entrance that employees use to go out and smoke? The janitor has keys to all rooms. Do your employees know who he or she is? 

Imagine that you are the hacker and do your own research.

Understand the most common social engineering attacks

Sending an email that seems to come from a reputable source

Also known as phishing, this attack is one of the most common ones. It tricks you into clicking a link that looks like it's coming from your bank, PayPal, Amazon, Facebook, or other reputable sources. 

The goal is to download a virus on your device or make you input your password/ personal information. 

Even though the majority of users now know about phishing, this basic attack is still a threat to watch for and educate your employees about. Always check the email of the sender or the spelling of the website. If in doubt, don't click the link. Go directly to the website and log in from there.

Calling on behalf of a reputable source

This is a more advanced social engineering attack that involves having a conversation with the target over the phone. 

If someone from your bank calls to tell you there is a problem with your card and asks for your personal data like address or date of birth, ID number, or PIN then tell them you will call back later. Your bank should have all this information. Call back using the phone number on your card to make sure that you are speaking with an actual representative. 

Never share sensitive data over the phone, unless you are 100% sure who you're talking to.

Leaving an infected USB stick or another external device in a place where your employees can find it and get curious to see what's on it

If there is a random USB stick laying around you or your employees might feel tempted to plug it in and check what's on it or who does it belong to. It's better to leave it unless you can identify the owner. Baiting is a common technique that preys on your curiosity. But as they say, “curiosity killed the cat.”

Getting inside the building 

How many ways of getting inside your building can you think of? Often times, this is done through the main entrance. Advanced hackers know how to exploit their charm and convince security guards to let them in by telling a good story. “I have a meeting with X", “I am delivering a package", “I am coming to leave my CV and check if they are hiring” are just a few examples of how hackers can make themselves seem unthreatening.

Having a process of who to let in and who to notify when an uninvited visitor comes can save you a lot of trouble. Check every entrance that your employees use.

Dumpster diving

Even if you have a shredder, a careless employee might throw away a piece of paper that discloses sensitive information. And if you are a target, your bin could be getting a regular checkup. 

Using a safe and secure virtual data room to store and share valuable information can prevent mistakes that can cost you millions. 

Get ahead of the game

Now you know how social engineering works and why it's an invaluable part of hacking. Don't assume that it won't happen to you. There can be many reasons why someone might target you - revenge, challenge, competition, stealing money or information. Like in chess, it's always best to think a few moves ahead. 

Social engineering is a psychological game.