Social Engineering: How Criminals Weaponize Your Employees
Cybercriminals are continually looking for ways to exploit unsuspecting businesses for monetary gain.
The ability of these threat actors to adapt to evolving mitigation measures makes thwarting their efforts to infiltrate secure networks an increasingly difficult task. While the general public is beginning to catch on to threats like phishing, ransomware, and spyware, cybercriminals are turning to a tactic known as “social engineering” to dupe employees into divulging sensitive company data.
For business owners, the best defenses against social engineering tactics are a well-informed staff and a trusted IT partner. Below, we’ll explain how cybercriminals target and manipulate junior employees into providing sensitive company information through sophisticated social engineering tactics. We will also recommend several steps business leaders should take to protect their companies from lasting financial harm. First, however, let’s make sure everyone has a firm grasp on how social engineering works.
Social Engineering Explained
As the term suggests, social engineering describes a method of cybercrime that relies heavily on the manipulation of social behaviors and interpersonal relationships to achieve some sort of direct or indirect monetary gain. Rather than relying on technical prowess to find software vulnerabilities, social engineers will quite literally come through the front door—oftentimes posing as IT professionals in branded clothing. They may also misrepresent themselves as reputable network specialists in the digital space, cajoling naive employees into divulging their password or other sensitive company information.
Another common social engineering tactic is remarkably simple yet effective. Cybercriminals will target a company whose leadership is plainly listed on its website and then create a spoof email address in the name of one of those business leaders—usually senior management types who aren’t too far up the food chain to raise any eyebrows. They will then send an email to a junior employee making a request for sensitive information. It could be a secure password, banking credentials, proprietary information, or intellectual property—really anything that could provide leverage or financial value to the thief.
How Does Social Engineering Differ from Other Cyberattacks?
The principal difference between social engineers and other cybercriminals is that they aim to manipulate individuals, rather than software vulnerabilities, to achieve their ends. Social engineers find it far easier to dupe, bribe, or blackmail a person into giving them what they want than to exploit weaknesses in network security infrastructures.
When businesses are on the receiving end of social engineering attacks, their employees effectively become attack vectors—each serving as a potential target or financial liability. While social engineering attacks come in a variety of forms, some common examples include:
- Baiting: Sending a link or leaving behind a USB containing malicious code
- Contact spamming: Impersonating a trusted contact to steal sensitive data
- Phishing: Impersonating a legitimate institution to steal sensitive data
- Pretexting: Legitimizing a deceptive identity through long-term communication
- Quid pro quo: Offering something of value in exchange for sensitive data
- Tailgating: Following a credentialed employee into a restricted area
While many of the tactics above can be used in any number of cybercriminal exploits, when used to perform a social engineering attack, they usually involve considerable contact or exposure on the part of the threat actor. A social engineer may groom an employee for days or weeks before striking. He or she may even be so bold as to directly interact with employees, building their trust over time. Nobody expects a criminal to plainly expose themselves, and social engineers use that to their advantage.
The Social Engineer’s Favorite Target
As mentioned above, social engineers love to take advantage of junior employees who might be less inclined to ask questions when directed to perform a specific action or execute a specific request from a more senior manager. New staff are especially vulnerable, as there is naturally an exchange of sensitive personal information during the onboarding process.
Imagine you are a new recruit who has just landed your dream job after an exhaustive job search. On your first day, you receive an email asking you to confirm your network credentials with the “IT manager” so they can make sure you have access to everything you need to get started. Because your emotions are running high, you don’t think twice about sharing your username and password via email.
The bad news is that you effectively just handed a social engineer the keys to the company car. The good news is that the error wasn’t your fault. On the contrary, the blame lies with the business owner who maintained lax information security standards and failed to adequately train the new employee to recognize and appropriately respond to such threats.
How Businesses Can Prevent Social Engineering Attacks
With regard to preventing social engineering attacks, the first step every business leader should take is to develop an extensive information security training protocol for new hires. Leading continuing employee development sessions with an emphasis on cybersecurity best practices will also go a long way in staving off the most preventable of attacks. The continuing-education piece is especially important, since the tactics these threat actors use tend to evolve in tandem with new mitigation measures.
Far from comprehensive, the recommendations below should make a good starting point for businesses with no information security standards in place. Make sure all employees within your organization are empowered to:
- Slow down. Social engineers count on employees to make hasty decisions in moments of heightened stress. Make sure your employees think twice before opening suspicious email attachments or transmitting sensitive company data over the internet.
- Check the source. Employees should ask themselves if it is out of the ordinary for the sender of a particular email to correspond with someone in their position. The president of a company, for example, is unlikely to directly communicate with entry-level employees. Junior employees should always double-check the sender’s email address before responding.
- Set spam filters to “high.” Most email software comes preloaded with filters designed to weed out suspicious or fraudulent correspondence. Maxing out these settings will provide the greatest front-line protection against opening harmful email communications. Just make sure to periodically check your spam folder for legitimate messages that may have been misfiled.
- Install antivirus software. Having reputable antivirus software installed on every machine within your network should serve as a baseline. Remember, your software is only as good as its latest patch. If your antivirus or firewall is out of date, cybercriminals could easily exploit its known vulnerabilities.
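The "check the source" advice above can be partly automated. The script below is an added example (not Nicolet Tech's code) that triages inbound message headers for the executive-impersonation pattern described earlier: a display name that matches a known leader but an address that is not theirs, a lookalike or brand-bearing sender domain, and a Reply-To that diverges from the visible sender. The company domain, the executive roster and the message headers are all constructed for illustration.

```python
"""Display-name impersonation triage for inbound mail (added example, not
Nicolet Tech's code). Assumes a constructed executive roster, a constructed
company domain, and a handful of constructed message headers."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"  # assumption: the defended organisation's mail domain

# Assumption: roster of leaders whose names a spoofer is likely to borrow.
EXECUTIVES = {
    "dana reyes": "dana.reyes@example-corp.test",
    "marcus lee": "marcus.lee@example-corp.test",
}

# Character swaps used to fold lookalike spellings back to the genuine domain
# (constructed, not exhaustive: "rn" -> "m", "vv" -> "w", "0" -> "o", "1" -> "l").
FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_name(display_name: str) -> str:
    """Lower-case and strip punctuation so 'Dana  Reyes,' matches 'dana reyes'."""
    return " ".join(re.sub(r"[^a-z ]", "", display_name.lower()).split())


def fold_domain(domain: str) -> str:
    """Collapse common lookalike substitutions in a domain name."""
    folded = domain.lower().strip()
    for bad, good in FOLDS:
        folded = folded.replace(bad, good)
    return folded


def assess(headers: dict) -> list:
    """Return a list of reason tags; an empty list means nothing suspicious."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name matches a known executive but the address is not theirs.
    expected = EXECUTIVES.get(normalize_name(name))
    if expected and addr != expected:
        reasons.append("EXEC_NAME_MISMATCH")

    # 2. Sender domain is not ours: a lookalike, or a domain embedding our brand.
    if domain and domain != COMPANY_DOMAIN:
        if fold_domain(domain) == fold_domain(COMPANY_DOMAIN):
            reasons.append("LOOKALIKE_DOMAIN")
        elif COMPANY_DOMAIN.split(".")[0] in domain:
            reasons.append("BRAND_IN_FOREIGN_DOMAIN")

    # 3. Replies would go somewhere other than the visible sender.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append("REPLY_TO_MISMATCH")
    return reasons


def triage(messages: list) -> list:
    """Return (index, reasons) for every message that raised at least one flag."""
    flagged = []
    for i, headers in enumerate(messages):
        reasons = assess(headers)
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample headers: one genuine message and three impersonation attempts.
MESSAGES = [
    {"From": '"Dana Reyes" <dana.reyes@example-corp.test>'},
    {"From": '"Dana Reyes" <dana.reyes.ceo@webmail.test>'},
    {"From": '"Marcus Lee" <marcus.lee@exarnple-corp.test>'},
    {"From": '"IT Manager" <helpdesk@example-corp.test-portal.test>',
     "Reply-To": "support@mail-relay.test"},
]

if __name__ == "__main__":
    for index, reasons in triage(MESSAGES):
        print(f"message {index}: {', '.join(reasons)}")
```

A check like this belongs in the mail gateway or a mailbox rule that tags, rather than drops, flagged messages: the point is to make the junior employee pause and verify out of band, not to replace their judgement. The folding table and roster are deliberately small; in practice they would be maintained alongside the staff directory.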
For more tips on keeping your network secure and empowering your employees to maintain cybersecurity best practices, check out our recent article, Top 7 Cybersecurity Best Practices for Small Businesses. While it’s focused on SMBs, the post should prove valuable for businesses of every size.
The Ultimate Defense Against Social Engineering
Apart from training his or her staff on the dangers of social engineering attacks, the best choice a business owner can make in protecting their company from lasting financial damage is to partner with a trusted IT service provider with the ability to implement and manage the full spectrum of modern network security protocols required to keep businesses safe.
At Nicolet Tech, we handle every aspect of our clients’ network security infrastructure. Whether your business is in need of on-demand network assistance or long-term managed IT services, we have the skills and expertise to get your business up and running in no time. Click the links below to get an in-depth look at our full menu of IT services.
- Backup and Recovery
- Cloud Services
- Data Management
- Disaster Planning and Recovery
- Email and Spam Administration
- Hardware Sales and Support
- Managed IT Services
- Network Management
- Network Setup and Maintenance
- On-Demand Services
- Responsive Support
- Software Sales and Support
- VoIP and Mobile Services
Business leaders are also encouraged to partner with an IT service provider that values building strong relationships with clients. Ideally, you want to get to know the IT manager in charge of your network security. Our clients speak to the same tech every time, guaranteed. Unlike at other IT companies, our techs can also answer the phone.
And because we know security issues don’t always develop during regular business hours, our team is more than happy to accommodate your busy schedule—whether that means working nights, weekends, or holidays. For business leaders in search of fast, friendly, and reliable IT service and support, don’t hesitate to contact the experienced network specialists at Nicolet Tech.