Social Engineering in the Workplace
October 21, 2021
One thing I will say right away: no matter how much you invest in your company’s security, your staff are the most likely way in for an attacker. You can protect your network with all the latest infrastructure and fit out your office with top-end physical security, but all it takes is one mistake by a member of staff to render those measures… well… almost pointless!
In this post I’ll talk about Social Engineering. What is it?
In simple terms, Social Engineering is attacking the security of a system through the people who use or operate it, rather than through the system itself. Let me explain…
Let’s say you had to try and get into the Grammy Awards but you weren’t on the guest list. What would you do? There are many approaches you could take…
- You could hack the database that holds the guest list, and add your name onto there. That way, you’ll be able to walk in without any problems.
- You could turn up with a gun and brute force your way in.
- You could turn up with a fake ID and impersonate somebody already on the guest list.
- You could bribe the staff on the door.
These are all ‘full-on’ approaches, subverting the systems or personnel put in place to protect the event.
Social Engineering approaches are a little more subtle and could include:
- Phoning the receptionist in charge of the guest list and convincing them that you’re meant to be on it.
- Pretending to be working for one of the many suppliers and making your way in that way.
- Walking up to the door with a clipboard and a hard hat to carry out an overdue ‘fire safety inspection’.
Now, if you had to try and Social Engineer your way into your own corporate office, what could you do? Here are some ideas as to what you could try…
- “I’m here for an interview” (wear a smart suit)
- “I’m here to read the meter” (bring a handheld computer)
- “I’m here to fix the air-conditioning” (just disable the compressors on a hot day)
- “I’ve been asked to pick up Sally’s laptop” (use LinkedIn to find a real name)
- “The Landlord sent me here” (just look for the estate agent’s board and call them for the details)
Hopefully you now realise that there are many ways we can be socially engineered at work. Some attacks are more common than others, and can often be ‘combined’ into one.
Common Social Engineering attacks we see nowadays are phishing, pretexting, tailgating (also known as piggybacking) and baiting. All have been around for a long, long time, but they have evolved greatly over the years.
More on phishing…
There are many types of phishing. Most commonly, an attacker sends a fake email claiming to be from somewhere legitimate, to get you to reveal sensitive information or to open a link or attachment. There’s more…
Spear Phishing is almost identical to phishing, but it is targeted: the message is tailored to its recipients to get them to comply with the attacker. For example, an email sent only to your finance team may carry a demand dressed up as an invoice. Standard phishing is the opposite: the attacker doesn’t care who receives the email and simply sends it to as many people as possible. That is why you receive dodgy-looking emails from companies you have never had an account with: some of the recipients will have an account, and they will want to investigate.
Another type of phishing attack to be aware of is whaling, which is phishing aimed at senior executives. Closely related is ‘CEO fraud’, where the attacker impersonates an executive to push staff into making a payment or handing over data. This is another reason why it’s important for everybody in your company to be up to date on the latest threats: we are all an attack vector, and we all hold something the ‘bad guys’ are looking for!
It’s important to know that these threats don’t just come over email. We can be targeted via text message (Smishing) and over the phone (Vishing). We’re really not safe anywhere… In summary, here are some of the techniques attackers use in these messages, and what you need to look out for:
- Creating a sense of urgency
- Threats (if you don’t do this, your systems will go down)
- Offering to reimburse you (if you do this for me, I’ll do this for you)
- Impersonating legitimate staff (if you are not sure, phone or message the person on a number or channel you already have, rather than hitting reply)
- Unexpected attachments or links
- Any demand. Remember, the bad guys want you to do something for them. If the message asks you to act, be cautious.
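The checklist above is something a mail filter can apply as well as a person. Added here as an example (this is not code from the original post or from MishiPay’s tooling), the Python below parses a raw e-mail and reports which of those red flags it finds: a colleague’s name on an address outside the company, a Reply-To that sends replies somewhere else, urgency, threats, offers to reimburse, demands, links and attachments. The internal domain, the staff list, the phrase lists and the two sample messages are all made up for the example.

```python
import re
import email
from email import policy

# Assumptions for this example: in real life the internal domain and the
# staff directory come from your identity provider, not a hard-coded set.
INTERNAL_DOMAIN = "mishipay.example"
KNOWN_STAFF = {"jane smith", "sally jones"}

# Phrases that map onto the red flags in the checklist above. Deliberately
# crude: a substring match on lowercased text, as a first-pass filter would do.
RED_FLAG_PHRASES = {
    "urgency": ("urgent", "immediately", "today", "asap", "right now"),
    "threat": ("cut off", "go down", "will be suspended", "locked out", "legal action"),
    "reimbursement": ("reimburse", "pay you back", "bonus for you"),
    "demand": ("pay ", "transfer ", "send me", "buy ", "gift card", "your password"),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not real mail): a pretexting attempt aimed at
# finance, and a harmless internal note for comparison.
PRETEXT_EMAIL = b"""\
From: "Jane Smith (CFO)" <jane.smith@mishipay-invoices.example>
Reply-To: accounts@outlook-mail.example
To: finance@mishipay.example
Subject: URGENT: overdue supplier invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi,
I need this paid today or the supplier will cut off our systems.
Pay via http://pay.mishipay-invoices.example/inv/4471 and I will reimburse the team later.
Thanks
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-placeholder
--b1--
"""

BENIGN_EMAIL = b"""\
From: "Jane Smith" <jane.smith@mishipay.example>
To: finance@mishipay.example
Subject: Lunch on Friday
Content-Type: text/plain

Hi all, shall we book the usual place for Friday?
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _first_address(msg, header: str) -> tuple[str, str]:
    """(normalised display name, address) of the first mailbox in a header, or ("", "")."""
    value = msg.get(header)
    if value is None or not value.addresses:
        return "", ""
    mailbox = value.addresses[0]
    # "Jane Smith (CFO)" -> "jane smith", so a job title does not defeat the lookup
    name = re.sub(r"\(.*?\)", "", mailbox.display_name).strip().lower()
    return name, mailbox.addr_spec


def flag_message(raw: bytes) -> dict[str, list[str]]:
    """Return {red_flag: evidence} for every red flag found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags: dict[str, list[str]] = {}

    from_name, from_addr = _first_address(msg, "From")
    _, reply_addr = _first_address(msg, "Reply-To")
    evidence = []
    # A colleague's name on an address outside our domain is classic impersonation.
    if from_name in KNOWN_STAFF and _domain(from_addr) != INTERNAL_DOMAIN:
        evidence.append(f"'{from_name}' but sent from {from_addr}")
    # A Reply-To elsewhere means hitting reply talks to the attacker, not the colleague.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        evidence.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    if evidence:
        flags["impersonation"] = evidence

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    for flag, phrases in RED_FLAG_PHRASES.items():
        hits = [p.strip() for p in phrases if p in text]
        if hits:
            flags[flag] = hits

    links = URL_RE.findall(body)
    if links:
        flags["links"] = links
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if attachments:
        flags["attachments"] = attachments
    return flags


def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """Two or more independent red flags is reason enough to pick up the phone."""
    return len(flag_message(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("pretext", PRETEXT_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, is_suspicious(sample), flag_message(sample))
```

Run it and the pretexting sample trips seven separate flags while the lunch note trips none. The phrase lists are intentionally rough; the point is that the structural signals (a Reply-To that does not match the sender, a colleague’s name on an outside domain, an unexpected attachment) are cheap to check by machine, and they are exactly the things the list above tells a person to look for.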
USB Drives
Something a surprising number of people aren’t aware of is rogue USB sticks. These can be left anywhere: a shopping centre, a car park, the train to work; the list goes on.
The hard part about this attack is that as humans we are curious by nature. We really want to know what’s on that USB drive… but that’s all it takes for a successful attack. If you see a USB stick left lying around, you guessed it: don’t plug it in, full stop. A rogue drive can carry malware that runs silently in the background the moment it is opened, and some are built to present themselves to the computer as a keyboard and type commands on the attacker’s behalf. So not only do you compromise the security of your business, you have no idea that it’s happened (until all hell breaks loose, of course!)
Studies of deliberately dropped drives suggest that at least half of them end up plugged in. USB sticks in general pose a massive risk to you and your company, which is why you should have a blanket ban on them across your business, enforced technically by blocking removable storage on your endpoints rather than relying on a written policy alone.
Tailgating
Tailgating is where an attacker gains access to an unauthorised area by following in someone who is authorised. This can happen with or without that person’s knowledge. How do we avoid it? Simple.
- Whenever someone is visiting the office, ensure that we are expecting them.
- Always ask for identification to prove the visitor is who they claim to be, with a name and company, and make sure they sign the visitor book if your company uses one (you should have one!)
- Always be aware of your surroundings. Could someone follow you in? Does your office door take some time to shut after being opened? All it takes is a couple of seconds…
- Trust your instincts! Speak up if anyone doesn’t look right.
You let the bad guys in… What now?
Always, always report it!
Sometimes incidents do occur, and it is vital we take corrective action to ensure they do not repeat. It is your duty as an employee to inform your IT team of any incident. The sooner they know, the sooner they can act. Ideally you report something while it is still an event (you noticed something odd) rather than waiting for it to become an incident (the damage is done). Think of it like reporting a driver for speeding before it turns into a crash.
Bottom line – report anything that doesn’t look right.
It’s important to remember that if an attacker does manage to break in (whether this be physical, or onto the corporate network) they only have access to what we give them. For example, if someone successfully tailgates their way into our office, we can reduce the amount of sensitive information available to them by ensuring our laptops are locked and sensitive documents are cleared from our desks and not left on display.
We have a policy at MishiPay to Google ‘doughnuts’ on any devices left unlocked – so don’t be a doughnut!

Eddie Williams
IT Administrator@ MishiPay
Find more posts on – MishiPay Engineering