‘The Office’ is every cultured millennial’s favorite show, and we’ll never get tired of sitting in silent, painful cringe whenever Michael Scott is on camera. However, the award-winning show can also help us understand some cybersecurity related concepts, such as social engineering.
What is Social Engineering?
Simply put, social engineering is a broad term for a set of attack techniques that a malicious actor (we’ll just refer to them as “attacker” throughout this article) can use to convince people to divulge sensitive information using psychological or emotional manipulation. With the information they glean, the attacker can then go on to further compromise a system or organization.
Examples of Social Engineering
Some common examples you may have seen or heard of include:
- Someone calling you and pretending to be from IT and needing your password to perform some sort of task.
Warning
Please make sure you do NOT share your password with anyone (this includes IT).
- Someone trying to get access through a secured door by coming in behind someone without swiping their badge or key fob (this is also known as “tailgating”)
- There are various ways someone can try to tailgate; a common method is to have their hands full of things (e.g., cups of coffee, a food delivery, folders and paperwork, etc.) so that the person who badged in before them will be polite enough to just hold the door open for them.
Note
We’re not saying to be impolite! But, every member of an organization is responsible for its security.
A potential way to still be polite and assist the person while ensuring security measures are followed would be to offer to hold something for them so that they can then reach their badge or key fob in order to properly badge in and gain authorized access to the restricted area.
“I’d Never Fall For That”
It’s easy to hear some of these attacks and think that we’d never be able to be fooled by a social engineering attack.
While we aren’t judging your intelligence, we can’t underestimate our attacker’s intelligence and/or determination.
The scene below is a comical example of just how convincing someone conducting a social engineering attack can be, and just how far they might be able to go to trick or convince you that they are who they say they are.
The Scene
Takeaways
While this scene isn’t depicting an actual social engineering attack, it is showing how convincing an attacker can be when armed with the right information.
In the scene, Jim, Pam, and their friend Steve trick Dwight by trying to convince him that Steve is actually Jim.
The ways this scene shows the effectiveness of social engineering are:
- With the right information, an attacker can be very convincing.
- Sometimes, an attacker can get their hands on insider information and use it to appear more convincing.
- This might be due to the attacker having additional help on the inside (Pam and Jim in this scene). This process of current employees or insiders helping an attacker or trying to hurt their organization is also known as “Insider Risk” (we’ll do another article on that another time!)
- This insider information can sometimes also come from information leaked in a data breach. If you’re curious about whether your org has been exposed to a data breach, or simply want to gain a better understanding of your org’s security risk, sign up for our free Human Risk Report!
- Sometimes, even when you ask the right questions and do what you can to verify what an attacker is saying, they might still succeed.
How Do We Defend Against This?
While there aren’t any “10 Easy Steps to Thwart Social Engineers” guides that apply to every scenario, there are a few practical things we can all do to make sure we are doing our part for the security of our organizations:
Always verify information
While this sounds like a no-brainer, it’s still a valid reminder! If you get an email from the CEO asking you to transfer funds to a bank account, verify with them via a channel other than the one you received the request on (phone call, text message, video call, etc.) to be sure that the request is actually coming from that person.
Take your time
A lot of times, the way that attackers can get us all mixed up is by adding a sense of urgency to their request. Something like “Your Social Security Number will be deactivated unless you sign in and pay” or “This is the CEO, I need you to transfer funds to this account in order to close an extremely important business deal” can make you feel like you must act quickly and throw caution to the wind to ensure the request is met.
Give yourself the time and space to be able to think about the request clearly and critically. Ask yourself some questions like:
- Would the CEO really ask me to transfer money to a bank account?
- Is this notice about my SSN getting disabled actually coming from the IRS?
- Why would IT need my password to perform updates on my computer?
Refer to your policies
While this one may not be something we think about, it is worth double-checking to see if your organization already has a documented policy or procedure on how certain tasks are to be carried out and/or authorized.
We know that company policies aren’t always the most entertaining or interesting pieces of literature to read through, but they are usually crafted by your leaders, security teams, or other parts of the organization that provide specialized insight into the specific policy and its contents.
If your company currently doesn’t have a policy covering this, we can certainly help! Reach out to us on our contact page to learn more about how you can help cover your business’ policy blind spots.
Become a security-aware individual
At the end of the day, you will have to make a judgement call when presented with a social engineering attack. The more educated and security-aware you are, the more prepared you are for these attacks, as well as many others. Congratulations, you’re already becoming more security-aware just by reading this article!
Many organizations also have some kind of security awareness training (SAT) program in place that ensures their team members are constantly updated and prepared. SAT programs can also help create a culture of security-minded team members. If your organization doesn’t currently have an SAT program, we can help with that too! Check out our Human Risk Management platform.
If you’re still not sure, ask for help
There’s no shame in double-checking that your thought process when evaluating a request you’ve been given is sound! Oftentimes, there’s strength in numbers. “Phoning a friend” can often be just what we need: a “fresh set of eyes” to evaluate the situation without any additional bias or context. If you ever want to pick our brains, feel free to reach out to us as well.