How Social Engineering can steal your data

Published on 23 February 15

There are many articles about how data breaches occur, and how technology can be used to stop these attacks. But what about the attacks with elements in the real, physical world, where the network is attacked indirectly by malicious groups attempting to trick users rather than use brute force to break into a network? These types of attacks fall under the umbrella of social engineering, and it is incredibly important to any security plan that company employees in all branches are made aware of these threats.

As the name ‘Social Engineering’ implies, many of these attacks originate via Social Media channels such as LinkedIn or Facebook. This is usually done by attackers creating Social Media accounts and linking/friending/etc. to build a network, either to gather information on prospective targets or to give the account legitimacy even though it doesn’t belong to a ‘real’ person. From here, the attacker can either attempt to ruin the brand by launching crazy diatribes about the company, or attempt to break in in the traditional sense by using other tactics to get malware in place within their desired targets. All of this comes from a Social Media account which can be acquired for free, and which may even appear legitimate at first glance - one certainly can’t blame a sales agent for connecting to someone who met them at a networking event and wishes to discuss business.

Phishing, or the attempt to get malware in place on a user’s PC, is one of the biggest types of attacks that will come from one of these fake accounts. The accounts can post updates that link to malware, send direct messages with the same links, or even email the user in question outside of the social media network. Phishing emails always have either a link or download in them, and they usually have a pretext to get an employee’s guard down, such as informing them that they have won a prize of sorts or that a charity they are involved with needs help on a specific matter. Once the bait is clicked, it either downloads malware or leads to a form that appears legitimate but copies the user’s information, which the attacker uses later to access the network. In either case, the damage is done and your network is compromised, with all of it appearing as legitimate traffic that very few firewalls would be able to catch.

Of course, some attacks happen 100% in the physical world. Visual hacking is the act of watching an employee log in to an application or company PC and recording their credentials as they type - no tech involved, or possibly just a smartphone to record the keys pressed more easily. Attacks can also come from upset or disgruntled employees who decide to hurt the company by stealing data with USB drives and using it to assist competitors or to paint the company in a negative light. The massive Sony hack of 2014 is thought to have started from this type of attack. Finally, social engineering might come from a phone call, with an attacker pretending to be part of the IT department and offering to help the employee with some IT issues they might be experiencing, while stealing passwords. Many employees complain about workstation performance, so almost all have some ‘IT issue’ that could be exploited.

The best way to fight all of these types of attacks is through education. Employees should be careful with the people they connect with on Social Media, and they should be cautious with any links or downloads they click on the internet unless they are 100% certain that they are legitimate. They shouldn't provide their login credentials to anyone, and it is imperative that they are aware of their surroundings when working in a mobile environment. They should also be aware of company policies on data breaches to deter bad behavior if they become upset with the organization - this is the hardest to prevent, but it at least provides recourse in the event the employee is caught trying to do bad things to the network.

There are other types of social engineering to be aware of - malicious groups are always trying to find newer, easier ways to get the information they want - so be sure to keep employees on their toes and keep IT infrastructure monitored for any suspicious activity. This helps to stop any type of attack, whether it occurs within the network or outside of it.
