Dec 01, 2017

Fraud Engineering

Take precautions to prevent social engineering

Preventing social engineering

Social engineering is the act of taking advantage of human behavior to commit a crime. Social engineering criminals can gain access to buildings, computer systems and data simply by exploiting the weakest link in a company’s security system: the employees.

Social engineering criminals do not need to have expert knowledge of your company’s computer network to break into your system. It just takes one employee allowing the social engineering criminal access to the building, giving out a password or responding to a social engineering criminal’s fraudulent email with sensitive information to compromise your network’s security.

Social Engineering Tactics

If you can identify the ways in which a social engineer might try to break into your business, you can stop a threat before it begins.

Social engineering criminals are masters at blending in. They research their targets for weeks or even months, learning the smallest details that will help them gain entry to a company. They are often sweet-talkers, and their body language leads others to believe they belong.

Social engineering criminals often work in pairs. For example, two social engineering criminals posing as fire inspectors gain access and split up to conduct a “fire inspection.” Once in the building, they can steal documents and place key loggers on computers to access the systems later. However, if you have the “fire inspectors” sign a visitor log and send a maintenance employee into the building with them, the social engineering crime can be prevented.

How to Prevent Social Engineering

Being the victim of a social engineering scam can have a range of effects on your business, including damaged reputation, lost sales, humiliation, lower staff morale and loss of your customer base.

These effects take time and money to reverse. Because humans are naturally trusting, it can be difficult to identify when we are being socially engineered.

However, there are several ways to prevent social engineering crimes from potentially ruining your business.

Put policies in place that limit or eliminate the amount of sensitive information made available to your employees, customers and the general public. Never allow employees to give out passwords or credit card numbers over the phone. If another employee needs this information, exchange it face to face.

Make sure employees never write down their passwords on paper. A piece of paper with important passwords on it can be swiped quickly by a social engineer. Make sure your employees’ computer passwords expire after a set amount of time, preferably three months. Set guidelines for new password creation, but keep in mind that complex passwords are difficult to remember. If passwords are reset too frequently or are too hard to remember, employees will end up creating passwords that can be guessed easily.

Consider installing security cameras around your building. Make sure to keep an eye on areas where security is lax, such as in a smoking area or near an unguarded back door. All visitors should be greeted, present identification and fill out information in a company visitor log.

Prohibit employees from posting work-related information on social media websites. Often, social engineers spend time learning about employees’ habits and tendencies before making a move. A simple post about being out of the office for a short length of time could be all a social engineer needs to steal sensitive information. Let employees know that posting seemingly harmless information on the internet, such as a telephone number or address, could be the final piece of a social engineer’s plan of attack.

Have employees wear badges with their name and picture on them, and have employees swipe their badges to gain access to different areas of the building. Let your employees know that it is not acceptable to allow employees they do not recognize into the building because they “forgot their badge.” This is a common technique social engineers use to get into buildings.

Subject your company to penetration testing. Hire an outside agency to act as a social engineer and see how your employees respond. If the tester succeeds, your employees will be embarrassed, and that embarrassment can give them extra motivation to stay vigilant against social engineers.

Social engineering is a tactic criminals use to steal a company’s assets. They target human weakness by physically attempting to enter a company to steal sensitive information or by sending fraudulent emails that look and read as if they are official, asking for sensitive information.

About the author

Leon White, CSMP, LCR, is safety and risk control manager for Frost Insurance Agency. White can be reached at [email protected] or 210.220.6437.