Protecting Against A Social Engineering Attack, From Phishing Scams To Road Apples

Page content

Social engineering is the act of manipulation people into doing what you want in order to gain access to information or resources. This article will explain what you can do to protect your business against a social engineering attack.

Wikipedia defines social engineering as, “a collection of techniques used to manipulate people into performing actions or divulging confidential information.” Some common forms of a social engineering attack include:

  • Email phishing scams. The most common form of social engineering attack, email phishing scams attempt to get people to disclose personal information, such a their banking details, by directing them to a spoofed web address. While most people are aware of phishing scams, an enormous number of people still become victims. According to Gartner, 3.6 million people lost $3.2 billion to phishing scams in 2007.
  • Road apples. In a road apple attack, a malware-infected storage device, such as a USB drive or DVD, is left in a location in which it is bound to be discovered by an employee of the target company – in the parking lot, for example. Studies have shown that the majority of people are more than happy to plug their newly found USB drive into their work computer, and consequently such attacks have the potential to be extremely effective.
  • Spear phishing scams. A variant of the phishing scam, spear phishing relies on publicly available information, such as that which can be found on the company website, to craft targeted and credible-sounding emails which encourage the recipient to open an infect attachment. In 2006, the US State Department was compromised by such an attack.

Social engineering attacks can often rely on some extremely basic tactics. How many times have you held open the office door to a stranger enabling them to enter the building without needing to use a passkey? Would you insist that somebody claiming to be from the company which provides your IT support shows ID before allowing him to sit in front of your PC? What would you do if Bob from the Help Desk phoned and asked for your password so that he could “do a reset”? Most people have a trusting nature and it’s that trust which social engineers seek to exploit.

Safeguarding Against a Social Engineering Attack

Some basic steps you can take to ensure that your business does not become the victim of a social engineering attack:

  • Education. According to former hacker Kevin Mitnick, “You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” And he’s absolutely right. Security is really about the people and education can act as a patch for any vulnerabilities in your wetware. Train your employees in order to raise awareness and make sure that they understand the risks.
  • Block spam. In blocking spam you’ll also be blocking a major source of social engineering attacks: phishing emails. See our article: Finding The Right Spam Filter: How to Choose an Anti-Spam Solution.
  • Turn on a phishing filter. Most web browsers, including Internet Explorer and Mozilla Firefox, include an anti-phishing filter. Turn it on: it’s an extremely easy and no-cost way to block malicious websites.
  • Protect your information. Social engineers use whatever information they can find in order to gain your confidence (they are, after all, confidence tricksters). Don’t make life easy for them. Shred documents to ensure that dumpster divers come up empty handed, provide secure storage so that your employees can lock away sensitive documents, control access to your premises, and encourage your employees to think carefully before posting company information to blogs or social networking sites.

One final piece of advice: many social engineering attacks succeed because employees are confused about what action should be taken (“This email seems a bit suspicious, but I don’t know who I should report it to”) or are concerned about the consequences of their actions (“Will the boss be angry if I don’t let this person fix my PC until I’ve checked out his ID?”). Make sure that your employees know where to report suspicious incidents and exercising caution will never land them in trouble!