What if I told you that I would give you one million dollars in exchange for your address, date of birth, Social Insurance Number and credit card details? As a business owner, father, husband, part-time sailor and seemingly real person you might be inclined, if only slightly, to believe the offer to be true. Before you start emailing me with all this sensitive data, please note that while I am very real, the offer itself is not (because if I had an extra million dollars laying around I would be on a boat somewhere and not at my desk writing a blog during another grey Vancouver afternoon).
Unfortunately, these days it is easier than ever for someone to impersonate another individual over the Internet or simply create a fictitious character using social media. And once that is done, these phonies will start making questionable offers like the one above that you want to believe is true despite the fact that it seems rather suspicious. Some people will even put aside those suspicions and willingly offer up personal information. However, that million dollars isn’t coming and you have just become the latest victim of social engineering.
When small business owners think of online threats, they tend to jump to things like viruses, Trojan horses and malware. The reality is that without social engineering, these threats on their own won’t trouble your company. You or an employee, needs to be manipulated into letting your guard down in order to download these things. Yet so few companies place an importance on this aspect of security.
Instead, they go out and buy the biggest and baddest firewall, install the most cutting-edge anti-virus and even put a chastity belt on their server. Well maybe not the last one, but you get the idea. In many cases, this is all for nothing. The human element still leaves room for intruders to make their way into your systems and networks. Unless your staff is comprised of robots, there will always be a chance of a security breach happening at your company.
Social engineering comes in many shapes and sizes so let’s take a look at a few of the different types out there and what can be done to protect yourself.
If you have ever received an email from an African princess in distress, claiming that if you wire her $500 she would be able unlock her funds that had been frozen in a Swiss bank account, you know what a phishing email looks like. However, the ones that target small and medium-sized businesses are far more complex and realistic than this and are actually considered to be spear phishing as they are targeting your business specifically. In fact, phishing and spear phishing can come in all different forms and from numerous senders but the end result is always the same. They want to make money off your business.
Let’s look at our neighbours in the south for an example of this. The city of Snoqualmie, a sleepy mountain town roughly 30-minutes east of Seattle, saw their fire district have to pay USD700 to hackers who were able to install the CryptoLocker virus on their systems leaving them with no access to vital files and systems. The Snoqualmie Fire District had a number of security measures in place but one simple spear phishing email was able to bypass all of this.
According to the Issaquah Press, the email was disguised to look like an invoice from the fire district’s dispatch center. It was forwarded from an account that looked like the fire chief’s to an administrative staff member who opened it and proceeded to follow a set of instructions designed to disable the security measures and install the virus.
The key thing is, the fire district wasn’t specifically targeted. It was simply another target for hackers who probably send out thousands of similar emails from compromised accounts or ones designed to mimic real email addresses. It takes a hacker less than ten minutes to look at your organization’s website, obtain a bunch of emails addresses they can send the spear phishing email to, get some basic background on your company and then shoot off a mass attack hoping just one person takes the bait. And thousands of small businesses end up falling victim to this kind of attack each year. Some may block access to your data and others will simply steal your company’s sensitive information. Both will cost your business time and money.
Having good email and spam protections in place is a start. A lot of times these are able to eliminate suspicious emails before they ever make it to an employee’s inbox. However, these are not 100 percent foolproof and you need your staff to be careful when opening emails. For instance, you might be wise to put a policy in place banning the downloading of any zip file attachments that are much more likely to contain malicious software.
Also setting some standards for communications between employees will help eliminate potential problems should someone at your business have their email account hacked. For instance, create an ID policy that requires personal information to only be shared face-to-face or over the phone if necessary. It’s a good idea to avoid including hyperlinks in employee email communications too. Doing this will help make it easier to spot a fraudulent email from a real one.
Fear is one of the strongest emotions and it can make people act hastily giving little to no thought as to what they are doing. Scareware is a form of social engineering aimed at taking advantage of this moment of weakness by informing users they have a virus and that the only way to remove it is by downloading a specific anti-virus program. These “anti-virus” programs almost always contain viruses themselves and before a person realizes what he or she has done, it is too late.
The thing about scareware is that it lurks in seedy corners of the internet where racy celebrity photos, free money offers, really cute cat photos and other low hanging fruit reside. Chances are, the people looking for this stuff won’t know what scareware is and believe these popups and notices are in fact genuine. They will be tricked into taking action once a pop-up proclaiming their computer or workstation has been infected and before you know it your entire company has been infected.
Ideally, your staff would be clever enough to avoid websites where scareware would reside but if you are concerned about your employees’ internet usage habits, installing internet monitoring software can make sure those sites are inaccessible. It is also important to convey to your workers that if they think their computer does have a virus, they should contact your IT department or MSP immediately and not download anything from the Internet.
Another more targeted form of social engineering is baiting. This is because someone has to leave behind a physical device like a USB drive or CD somewhere near your premises or perhaps even send it to an employee through the mail. This type of attack preys on the curiosity of whoever receives the device hoping they will be intrigued enough to open it on their work computer. And while there may be a few dummy files for the person to thumb through, one of them will likely contain some sort of malware that makes its way into your company’s networks.
A good anti-virus that scans external devices will help detect some of these threats and warn users not to open files. More importantly, unless an employee can verify where a device came from, they really have no business using a work computer to open the file. It would make more sense to take the USB or CD that they picked up in the parking lot to the lost and found since that is where its rightful owner would look for it. If no one claims it, chances are it was designed to hurt your company and should be disposed of immediately.
At the end of the day, malware and viruses are what will hurt your business but those can only make their way onto your systems through the actions of employees. No piece of malware ever leisurely walked into an office building and downloaded itself onto a network. It had to have been downloaded from somewhere or someone had to remove the security filters at your business to give it access.
That’s why it is absolutely vital that you train employees not only on the threats that are out there and what they look like, but also on how to respond logically in situations where emotion might normally take hold. If they act based on fear, curiosity, greed or negligence, your company could be in a lot of danger. While good security measures can help, employees must be trained and retrained to ensure you are truly protected.
We take security very seriously at Dyrand. And while we can’t convince each and every one of your employees to do the right thing when it comes to using email and the internet, we’ll make sure damage is limited and systems are up and running ASAP should something happen.