Social Engineering
October is National Cyber Security Awareness Month. Have you talked to your employees about social engineering?
When we think of cyber security, we often think of the technological advances we can implement to protect our networks from hackers. Technological advances are great – they do help us keep our networks safe. But very often cyber criminals bypass technology altogether and take advantage of human interaction. They may use trickery, deception, and urgency to extract personal information from their victim – and that is social engineering.
Types of Social Engineering
We talk a lot about phishing with our clients and here on the blog. Did you know that phishing is a form of social engineering? Phishing attacks solicit personal information often through email. Hackers may threaten an account closure or offer a reward that seems too good to be true. The message may look like it’s from a known contact or familiar brand. Phishing emails can contain dangerous links that release malware if clicked. While email is a common vector, these attacks may come through phone call (“vishing” or voice phishing) or text (“smishing” or SMS phishing) as well.
Baiting is another form of social engineering. A criminal may leave a USB drive or other removable media containing malware out in the open, perhaps near a particular organization’s offices to target its employees, hoping that someone will pick it up and (if the criminal is lucky!) plug it into a computer on the company network to figure out who owns it.
Holding the door open for the person behind you is a common courtesy, right? Yes, it is. But criminals try to take advantage of your good manners by tailgating or piggybacking, another form of social engineering. These social norms do not apply when an unknown person is entering a space behind you that requires a badge to access the area.
Preventing These Attacks
If you see someone in your workplace whom you don’t recognize, it’s okay to ask to see their identification or ask what they are doing in your workspace. If you would rather not confront a stranger directly, you can alert a co-worker or your supervisor. If the person gives you an explanation, find someone in the office who can confirm it.
If you find a USB drive or other removable media in or near your workplace, turn it in to your company’s help desk. They should have the tools to examine it without putting the network at risk. If your office requires a badge to enter, let the person behind you know that it’s policy (make it a personal policy if it is not a formal work policy!) for each person to badge in separately. It may be uncomfortable to do this, which is exactly why criminals target people in this way: they hope your discomfort will get in the way of your better judgment.
Criminals are likely to be more plentiful and bolder online. Sending a phishing message is a low-risk scam: the hacker stays anonymous, and the typical worst case for them is that the attempt is ignored. It’s important to review any message (email, text, voicemail) with a critical eye. Ask yourself these questions: Do you recognize the sender? Is the message typical for the sender? Are they requesting any personal information? Are there links in the message?
It’s important to be aware of the potential scams around you, both online and in person. Criminals are looking for an easy mark – be a hard target and stay aware!