In the fall of 2013, an employee of Fazio Mechanical, a refrigeration vendor serving the Target department store chain, received an email that convinced the employee to open an attached file. The file contained a malware program that spread itself to other Fazio computers and harvested user names and passwords. Eventually the program provided the hackers what they were looking for: credentials to Target’s vendor portal. The hackers used this information and some other tools to gain access to Target’s point-of-sale system, making off with credit card data on 70 million customers.
The hackers were aided by technical shortcomings in both Fazio’s and Target’s IT environments, but it was a bit of social engineering—that initial phishing email to the Fazio employee—that got their foot in the door.
Social Engineering: The Hacker’s Key to Your Kingdom
Hacking into computer systems was once all about obtaining passwords by guessing them, taking advantage of known default system passwords, or trying all possible combinations of characters by brute computing strength until the right one was found. As users and passwords became more sophisticated, hackers turned to the tactic of social engineering, or fooling people into giving up credentials or installing malware. You’ve probably received emails that appear to be from Bank of America, Wells Fargo, or some other provider, containing some variation on “Your account will be closed if you don’t log in with this link and update your information,” with a link that goes to an official-looking website. Simply provide your user name and password, and BAM! Your account suddenly has no money in it, because the hackers took advantage of credentials that you freely gave them.
It was, at one time, easy to spot phishing emails like this. Logos were pixelated or blurry, the text was riddled with spelling and grammatical errors, and a simple check of the link’s URL would show that the target site was not associated with the real-life provider.
Unfortunately, hackers have become more sophisticated, and it’s more difficult to recognize phishing attacks. For example:
- Hackers are starting to use text and graphics from legitimate provider emails to craft their phishing messages, making it harder to spot fake messages.
- They are using URLs that closely resemble a URL that the real provider might use, such as “wellsfargoaccountupdate.com” or “bankofarnerica.com” (did you catch it? It has an “r” and an “n” instead of an “m”).
- They are targeting specific businesses by posing as trusted vendors or long-time customers.
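The URL check described above can be automated on the defender's side. The following is an added example, not code from the original article, that compares the host of a link against a short allow-list of genuine provider domains and flags the kinds of look-alikes the article describes: letter substitutions such as “rn” for “m”, brand names embedded in a longer domain, and one- or two-character typos. The allow-list, the confusable-letter table and the sample URLs are constructed assumptions for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumption: the genuine domains of the providers named in the article.
TRUSTED_DOMAINS = {"wellsfargo.com", "bankofamerica.com"}

# Letter groups that look like another letter at a glance (deliberately short;
# a production list would be much longer and handle Unicode confusables too).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def registrable_host(url: str) -> str:
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Collapse confusable letter groups so 'bankofarnerica' reads 'bankofamerica'."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance, used to catch one- or two-letter typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_trusted_domain) for a link a user might click."""
    host = registrable_host(url)
    # The real domain, or a subdomain of it (e.g. online.wellsfargo.com).
    for trusted in sorted(TRUSTED_DOMAINS):
        if host == trusted or host.endswith("." + trusted):
            return ("trusted", trusted)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # bankofarnerica.com -> bankofamerica.com after collapsing 'rn'.
        if skeleton(host) == trusted:
            return ("lookalike-homoglyph", trusted)
        # wellsfargoaccountupdate.com or wellsfargo.com.evil.example.
        if brand in skeleton(host):
            return ("lookalike-brand-embedded", trusted)
        # wellsfarg.com and similar near-misses of the brand label.
        if edit_distance(host.split(".")[0], brand) <= 2:
            return ("lookalike-typo", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links for demonstration.
    for link in [
        "https://www.wellsfargo.com/login",
        "https://online.wellsfargo.com",
        "http://bankofarnerica.com/verify",
        "https://wellsfargoaccountupdate.com",
        "https://wellsfargo.com.secure-login.example/",
        "https://wellsfarg.com",
        "https://example.org",
    ]:
        print(f"{link:50} -> {classify(link)}")
```

A verdict of `unknown` is not an all-clear; it only means the host resembles none of the listed brands. The check is most useful as a mail-gateway or browser-extension heuristic that adds a warning before the user reaches the page.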
If that weren’t enough, hackers are going beyond email in their social engineering efforts:
- Smishing (short for “SMS phishing”) uses a text message that carries a link, like the ones in phishing emails, along with content designed to manipulate the recipient into tapping it.
- Social networking tools, such as Facebook Messenger, are used to dupe users into clicking dangerous links, providing account credentials, and installing adware and other malware.
Hackers are getting results from these efforts because people place greater trust in text messaging and social networking than they do email.
Ways to Protect Yourself
Social engineering attacks are extremely difficult to defend against because the problem is not a technical one; it’s a human one. Social engineering, by definition, exploits our emotional responses: We want to help this customer, we want to follow the instructions from the CEO, we don’t want our bank or email accounts closed. Thus, technical solutions can protect you only so much. The key is a campaign of continuous education so that your employees become naturally suspicious. Doing so involves a two-pronged approach:
- Policy: Every company should have a policy requiring employees to report suspected phishing emails or other social engineering attacks, whether by email, phone, or some other means. The company should also implement an easy way to report these attacks. Users should be regularly reminded of both the policy and the procedure. And employees should never use company computers to access their personal social networking accounts.
- Training: Information security training cannot be merely a segment in the new hire orientation, never to be brought up again. It should be, at a minimum, an annual requirement, and the content should be updated to reflect the latest hacking tactics.
There are technical solutions that can help in these areas. Email systems can be configured to warn users when emails originate from outside the organization. Reporting functionality can be added to email clients to make it easy to report suspicious emails. Some companies test their employees by sending out fake phishing emails and seeing who takes the bait. Still, these are only aids; they can’t automatically shield your organization from all attacks.
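The external-sender warning mentioned above is simple to implement at the mail gateway. The following is an added example, not code from the original article, that parses a raw message with Python's standard email module, decides whether the sender's address is outside the organization, and prepends an “[EXTERNAL]” tag to the subject plus a marker header that a mail client can render as a banner. The internal domain and the two sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain(s); subdomains count as internal.
INTERNAL_DOMAINS = {"example.com"}

EXTERNAL_TAG = "[EXTERNAL]"

# Constructed sample messages (CRLF line endings as they arrive over SMTP).
INTERNAL_MAIL = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.com\r\n"
    "Subject: Lunch\r\n"
    "\r\n"
    "See you at noon.\r\n"
)
EXTERNAL_MAIL = (
    "From: Vendor Support <support@vendor-portal.example.net>\r\n"
    "To: bob@example.com\r\n"
    "Subject: Update your portal credentials\r\n"
    "\r\n"
    "Please review the attached invoice.\r\n"
)


def sender_domain(raw: str) -> str:
    """Domain part of the From address, lower-cased; empty if no usable address."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(raw: str) -> bool:
    """True unless the From domain is one of ours or a subdomain of one of ours.
    A missing or malformed From header is treated as external (fail closed)."""
    domain = sender_domain(raw)
    if not domain:
        return True
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def tag_external(raw: str) -> str:
    """Return the message text with the subject tag and marker header added
    when the sender is external; internal mail is returned unchanged."""
    if not is_external(raw):
        return raw
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):  # idempotent across relays
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    # Mail clients can key a visible warning banner off this header.
    if msg.get("X-External-Sender") is None:
        msg["X-External-Sender"] = "yes"
    return msg.as_string()


def subject_of(raw: str) -> str:
    """Convenience accessor used to inspect the result."""
    return message_from_string(raw).get("Subject", "")


if __name__ == "__main__":
    for sample in (INTERNAL_MAIL, EXTERNAL_MAIL):
        print(subject_of(tag_external(sample)))
```

The check keys off the envelope-visible From address only; a real gateway would also apply SPF, DKIM and DMARC results so that a forged internal address is not quietly treated as internal.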
Social engineering is a people problem, and requires people solutions. This means constant vigilance, education, and training that evolve to keep up with the hackers.