Cybercriminals sometimes try to con employees into handing over the information they need to access a business’s computer systems or accounts. This is referred to as social engineering. Attackers favor social engineering because exploiting human behavior is usually easier than defeating technical security controls and computer systems.
While social engineering attacks typically occur via email (a.k.a. spear phishing emails), they can also occur over the phone and in person. The cybercriminals often masquerade as employees, but they also might pretend to be suppliers, customers, or even trusted outside authority figures (e.g., firefighters, auditors).
To get into character, cybercriminals usually learn your business’s lingo. When cybercriminals use the terms that employees are accustomed to hearing, the employees are more apt to believe the cybercriminals and do what they ask.
Besides learning the business lingo, cybercriminals sometimes search the Internet for information that can help them in their impersonations. Without realizing it, many people provide a lot of information about their professional and personal lives on LinkedIn, Facebook, and other social media sites.
When discussing social engineering with your employees, stress the importance of being careful about what they post on social media sites. It might become fodder for a sophisticated spear phishing attack. Or, it might provide cybercriminals with the information needed to hack online accounts. For example, if an employee posts pictures and stories about her favorite cat, cybercriminals might try using the cat’s name as a password or the answer to the security question “What is the name of your favorite pet?” With some online accounts, all it takes to reset a password is an email address and the correct answer to a security question. If cybercriminals are able to reset an account’s password, they gain full access to that account.