You’ve probably seen it on a TV show or in a movie. A couple of people, typically dressed in khakis and polos, carry some sort of computer equipment into an office and convince the receptionist that they’ve been called in to install something or fix something. A new wireless repeater is needed, or maybe someone needs a webcam set up. In these scenes, there’s typically a sense of urgency – “before the big meeting at 2 so it has to be done RIGHT NOW” – and, in true dramatic fashion, there’s also a sense of “if you don’t let us do this, YOU will be in trouble.”
Welcome to the social side of cybercrime.
We’ve talked about emails and file downloads and the various things that cybercriminals will do to gain access to accounts and passwords, but the absolute easiest way for local hackers to get access to everything they need to hold your business hostage is to simply walk right in like they belong there.
Think about it. Are there people YOU would let in to your business without much scrutiny?
- “Hi, I’m the building inspector. We got a report of a foundation crack and I’m checking all of the offices in the building to see if there are any issues.”
- “Hi, I’m from the power company. We have a short circuit in the main panel and need to do a circuit check in your computer room ASAP to make sure we don’t have a fire hazard.”
- “Detective Watson here. We have a fugitive hiding in the building and need to search. He could be dangerous. Get out of the way please.”
Those are a few of the “walk in like they belong there” scenarios. But what if the hackers aren’t local? Are there social things THEY can do to gain access to your systems?
You bet. The most obvious thing they’ll do is call you. And they can be SO convincing when they do.
This tactic works well when you’re in a business with multiple offices OR with off-site IT support: “Hi, this is Bob from IT. Our monitoring shows that your machine has a virus. Have you downloaded anything recently?” That’s how it starts. It ends with the person on the other end of the phone asking you for – and you giving them – your username and password for your PC and for your email account (at the very least) – so they can “try to replicate the issue on [their] end.”
Only later do you find out that there is no Bob from IT. Or there IS a Bob in IT but he didn’t call you… and it could be MUCH later – days or weeks or even months – before you realize that you have been “socially” attacked. Maybe you don’t even think about it until after an attack has occurred and you and your team are trying to figure out how the hackers got access.
Because that happens EVERY DAY.
In fact, some studies suggest that hackers can have access to your whole network for several months before they try anything nefarious. So they’re sitting in your network, learning all about everyone – what they do, how they work, what emails they send, what funds or secrets they control, etc. – so that when they DO attack, their attack has a much better chance of success.
Yes, it happens EVERY DAY. And it happens to companies of ALL sizes, in all geographies.
Social hacking, otherwise known as social engineering, is obviously not as automated as the typical “bot” attacks that take place via email or other electronic means. It is another piece of the puzzle. Where bot attacks are more likely to be directed at ANYONE AND EVERYONE, social engineering attacks are more likely to be targeted toward specific companies.
- Do you have a product doing well on the market? Foreign hackers might target your company to get the specs so they can build a cheaper knock-off and grab your market share.
- Did you recently score a big investment? You could be targeted for the specific purpose of getting access to your bank accounts.
- Are you in a race to be first to market with a breakthrough offering? Hackers might go after those details to sell them.
- Do you have access to government secrets? Like for Area 51 or a super-soldier program?
- Does your organization partner with another organization that could be a target for hackers? You could be targeted as a “back door” entry to them.
Does this seem crazy to you? Keep in mind that there have been social engineering attacks for all of these reasons, but it could be as simple as a bad actor planting incriminating images on the computer of someone who “wronged” him. If your CEO is suddenly being blackmailed, what does that do to the business?
Social engineering – the social side of cybercrime – can be as harmful to your business as the typical bot-type attacks, if not more. The best way to combat social engineering attacks is by educating your team members. Create policies – and impress upon your team members the importance of sticking to them – that cover scenarios like those I’ve laid out here. No one gets in without X kind of authorization. If anyone calls to “check” on your system, you will call them back at their approved internal phone number. Have an internal culture where people are comfortable asking others for help in knowing if something is legit or not. Teach them.
An educated workforce is always your best defense against cybercrime.