Have you started tightening your security practices in the wake of online breaches and fraud schemes? Maybe you’re requiring identification, implementing new procedures and beefing up your hardware and software systems.
But there’s a quick and easy key almost any fraudster can use to completely wipe out almost any security tactic you’ve implemented: social engineering. What is it? Social engineering is the process of using social niceties, online information and just plain luck to get people to do what you want.
Meet Sophie, an information security consultant who gets paid to use social engineering to test companies’ security protocols. Describing a recent job, Sophie details how she used an employee’s LinkedIn and Facebook profiles to find out that the employee volunteered with a charity that supported new moms. When the employee got a call from a random woman claiming to be part of a design team hired to redo their offices, she was skeptical until Sophie, pretending to be a designer, played the busy new-mom card. By the next day, Sophie had an appointment and was welcomed into the well-protected facility with open arms.
We became best buds. I was given complete and unaccompanied access to the facility where I stayed for several hours. I gained network access and stole several thousands of dollars in physical primitives by picking my way through cheap locks.
Sophie eventually makes her way to the office of the executive who hired her, completely dumbfounding him. She explains that the tendency to want to help others is just human nature and a good thing, but it’s easy for thieves to manipulate it for their own purposes:
I’m sure they did have some sort of policy that required visitors to check in showing government issued identification, but they weren’t following it. We also need to post by every computer, phone and door: TRUST, BUT VERIFY. An employee who does their homework can ruin my day.
If you’re trying to implement stricter security measures, remember that social engineering can quickly overcome your best efforts to keep your company safe. Train your employees to dole out their customer service with a healthy dose of skepticism to ensure you keep scammers at bay.