Social engineering is the process of manipulating human emotions to generate a reflex response. That reflex response usually causes someone to overlook obvious clues that they’re being scammed, which is how companies end up with data being held for ransom, viruses attacking their systems, or their email systems being spammed.

You’ve likely heard of at least one of these hacks:

So how does this happen to big companies with huge security protocols?

Social engineering works for a variety of reasons based on Dr. Robert Cialdini’s 6 factors of influence:

  • It preys on people’s desire to inherently trust others
  • It preys on a sense of urgency
  • It preys on the desire to return a favor
  • It leverages the power of authority to create compliance
  • It uses personal information about those within the company (or the company itself) to make requests more convincing
  • It preys on the desire to please others and be liked

To further their cause, social engineers often take advantage of breaking news, major events, pop culture happenings, or holidays to tap into the automatic response that generates their desired results.

How to spot social engineering:

Social engineers study your company and employees long before you even know they exist. They have the upper hand, especially if you’ve neglected to train your teams. There are a few tell-tale signs of a ploy that you can share with your employees now, until you’ve completed training:

  1. Legitimate companies won’t request personal information via email
  2. Out-of-the-blue requests to “quickly click” a link to verify an account, password, etc.
  3. Password update emails from accounts where you didn’t request a password reset
  4. “Are you in the office?” There’s an underlying sense of urgency in this sentence, and it’s something we hear a lot from people who’ve been targeted. If someone is really looking for you, they can call or come to your desk
  5. Look for spelling errors. They’re often subtle, but they’re a potential red flag
  6. Tech support outreach. These people are swamped and busy. They’re not going to call you out of the blue. Remember, you can always hang up, find the helpline for the provider you use, call them, and verify whether it’s a legitimate request. Is it annoying? Yeah, but better safe than subject to a hacker’s whim.
  7. Check the URL! We talked about this in our phishing email blogs (1, 2), but a simple 2-second hover can prevent a lot of trouble

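Tip 7’s hover check, done programmatically, as an added example that is not part of the original post: it parses an HTML email body and reports links whose visible text names one domain while the href actually leads to another. The sample message, the domain regex and the last-two-labels domain rule are assumptions of this example.

```python
# Added example, not from the original post: the "hover over the link" check
# from tip 7 done programmatically over an HTML email body. It flags anchors
# whose visible text names one domain while the href leads to another.
# SAMPLE_EMAIL below is constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A domain as a reader sees it in link text; alphabetic last label keeps "1.5" from matching.
DOMAIN_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.IGNORECASE)

def registered_domain(host):
    """Last two labels of a host (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body):
    """Return one reason string per link whose shown domain != real target."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        target = urlparse(href).hostname  # None for mailto:, tel:, relative links
        shown = DOMAIN_RE.search(text)    # domain the reader sees, if any
        if not target or not shown:
            continue  # nothing to compare; "Click here" links need other checks
        if registered_domain(shown.group()) != registered_domain(target):
            findings.append(f"{text!r} shows {shown.group()} but goes to {target}")
    return findings

SAMPLE_EMAIL = """<p>Your account is locked. Verify within 1 hour:</p>
<a href="https://paypal.com.account-check.example/login">www.paypal.com</a>
<a href="https://www.example.com/help">www.example.com</a>
<a href="mailto:support@example.com">Contact support</a>"""
```

Run `suspicious_links(SAMPLE_EMAIL)` to see the single mismatched link reported; the legitimate link and the mailto link pass.
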
How to combat social engineering:

Train your employees
The easiest way for any hacker to get into your business is through your people. No matter how smart your employees are, intelligence must be combined with cybersecurity savvy, and this happens through training. Hackers are cunningly subtle in their methods. Your team just needs to train their eyes to spot the tells.

Add extra controls
This is simple! Train your employees to verify in person or over the phone when unexpected requests for access or finances come through. Adding simple verification steps will prevent a lot of easily avoidable mistakes.

Stay relevant
Trends in hacking shift almost as often as a new iPhone gets released. Training should happen on a regular schedule to ensure that the information taught is being practiced and retained.

Consult a Managed IT provider
This team should have a deep pool of resources that can provide guidance, training to your teams, testing to see where more training is needed, and a wealth of experience and expertise for how to thwart potential cyberattacks. Here are some crucial questions to ask when vetting potential providers.

Social engineering works because it preys on human emotions and people’s tendency to react before thinking. As with many other hacktics, the best way to prevent them is to train your people. Check out our other resources that will help get your business squared up to fend off smart hackers:

We want to know how your company prepares its teams for cybersecurity attacks. Chat with us on social!