After three decades of spam and malicious email on the Internet, most of us believe we’ve seen it all: the messages from that Nigerian cousin who wants to send us a fortune, the winning lottery ticket we didn’t know we bought, the work-from-home schemes that promise thousands, and the desperate ladies who email us to profess their affection. By now, we believe, we are immune to Internet fakes and frauds — and yet, there is a technique of deception that even the most seasoned leaders, suspicious CFOs, and careful managers eventually fall for: targeted social engineering, in some cases also called spearphishing. It’s a weapon of deception that is far more sophisticated than the bogus purchase orders we receive every week and the crude fake bank notifications that clog our inboxes.
Many malicious emails contain some component of social engineering. Whenever a hacker pretends to be a friend, customer, potential partner, or accountant, he uses social engineering to make us click that dangerous link or open that evil attachment. The emails that promise beautiful vacation photos or claim to come from our boss who demands a tax form or a quick bank transfer to Indonesia — that’s social engineering. What makes it a hundred times more dangerous and much easier to fall for, however, is the smart use of our personal information, turning a phishing email into a spearphishing attack.
Thanks to public LinkedIn profiles with details about our professional network, Facebook pages that reveal family and friends, Twitter feeds that indicate recent topics of interest, and massive data breaches that have put our credit card and social security numbers up for sale on the dark web, crafting highly deceptive attacks has never been easier. Every piece of information that is publicly available about us on the Internet — or about our CFO, CEO, Head of Procurement, and HR Manager — enables determined criminals to launch a targeted attack against our company within hours.
Armed with such personal information, attackers will exploit our carelessness, curiosity, fear, desire, doubt, complacency, and sometimes naivety to get what they want. Who would really refuse to cooperate if someone seemingly from the IT department calls us at home on a Saturday morning, mentions a couple of internal details that only a colleague should know, and asks us to help with an urgent software upgrade that requires a password? Who would refuse to react if we got an email that actually comes from our boss’s account and demands a transfer to a company that really seems to be our client? And who will truly refuse to hold the door for a friendly, seemingly new colleague carrying a tray of take-away coffee into the office because she can’t reach her door card just now?
The list of tricks is endless, they are hugely effective, and the damage can be enormous. How can we protect ourselves and our teams against such attacks? The first step is awareness, but to really lower the risk of a successful attack, we must change our social habits in the corporate context. The routines we follow in our private lives, with friends and family, need some added circuit breakers for any professional context in which company information may be at risk.
Defending corporate teams against targeted social engineering also requires a change in corporate culture: we need to create a culture where not holding the door for someone we don’t know is accepted behavior, not making bank transfers without first confirming the request via phone is routine, and not passing out internal phone numbers to alleged customers is the default. It also means accepting that every so often a real payment request may be delayed, and an actual customer may be offended, because someone paused and did a double take. Achieving this level of awareness and habit change is hard, takes time, and costs money. But it’s much cheaper than finding your customer database, employee details, and financial projections for sale on the dark web.