What are social engineering techniques that employees should know?
An often-overlooked form of social engineering attack could easily be taking place in your company right now.
Social engineering is the manipulation of people into performing actions or divulging confidential information. Commonly used by hackers and cybercriminals, it is a technique that is useful more often than you think. And while it may not always be obvious, social engineering can happen in your workplace, and it happens a lot more often than you think.
Social Engineering in the Workplace: An Example
Let’s take a look at an example of how this could happen. Imagine for a moment that you are the IT Manager for a large corporation, and you have recently hired a new employee named John Smith. John has been working for you for about two months now, and you have noticed that he has been acting strangely during this time, for instance seeming distracted or nervous. This morning, John comes to work and approaches you with some startling information: he has found out that he is being fired from his job today.
An unknown individual contacted him via email and told him that he would be off work on Monday due to performance issues with his job duties. John asked if he could have time to speak with HR before the termination, so he went to their office to discuss what had happened. HR told him that they had never received an email from anyone regarding his termination and that they didn’t know anything about his sudden firing. HR then instructed John to return to work and act as though nothing had happened; they would look into the matter further.
What just happened? Was this an actual event? Or was it a cleverly crafted social engineering stunt pulled by someone with malicious intentions?
That depends on who you believe, but I suspect most people would agree that it is more likely the latter than the former. This fictitious situation illustrates how easy it can be to use social engineering techniques in the workplace without anyone ever realizing what’s going on.
How Social Engineering Works in the Workplace
So let’s take a moment to explore how social engineering works in the workplace: The attacker creates or obtains an email address similar to the one used by an employee or HR manager within your organization. They then send an email from this fake email address to John Smith (the unsuspecting employee) stating that he has violated company policy and will be fired on Monday.
The email is made to appear as though it comes from an employee at your organization, perhaps even an HR rep or manager. The attacker successfully tricks John Smith into thinking that he has been fired, and he likely believes that this information is accurate because of where the email appears to originate.
Once an attacker has gained this level of influence over an employee, they can continue to use social engineering to trick the employee into providing information that could benefit the attacker in a much bigger way. For instance, imagine that the attacker from the previous example has access to a server within your company that stores sensitive data, such as customer credit card information. John Smith (the employee) may now be more willing to provide passwords for accessing sensitive data after he was “fired” by your company without any prior warning.
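A defender-side check for the lookalike sender address described above, as an added example that is not part of the original article: it classifies a From: header as internal, lookalike or external. The domain `example.com`, the homoglyph list, the distance threshold and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: example.com stands in for the organization's real mail domain.
TRUSTED_DOMAINS = {"example.com"}

# Character swaps commonly used to make one domain resemble another.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Collapse visually confusable characters so lookalikes compare equal."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        # Exact domain or a genuine subdomain of it.
        if domain == trusted or domain.endswith("." + trusted):
            return "internal"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted):        # examp1e.com, exarnple.com
            return "lookalike"
        if edit_distance(domain, trusted) <= max_distance:  # exampel.com
            return "lookalike"
        if trusted in domain:                            # example.com.hr-notices.net
            return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for header in ("HR Department <hr@example.com>",
                   "HR Department <hr@examp1e.com>",
                   "Newsletter <news@vendor.org>"):
        print(f"{classify_sender(header):9} {header}")
```

A mail gateway or reporting add-in could use a result of `lookalike` to add a warning banner or hold the message for review before it reaches the employee.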