We hear about ransomware schemes all the time, from the Colonial Pipeline attack to personal PC breaches[1]. These attacks involve an unauthorized party slipping into a secure system and locking users out of their data. Imagine that you stroll into the office one day and can’t get to work until your company pulls together thousands of dollars. The popular image of a hacker prying their way into a system involves rapidly striking a keyboard and slipping in through a digital backdoor. The truth, however, is often much more clever and sophisticated.
Social Engineering Basics
Social engineering takes the digital security fight offline. Hackers operate similarly to con artists. They take time to research their targets. Social media accounts are combed through for hints. They compile employment rosters, gather contact information, and learn everything they can about a company’s standard operating procedure[2].
Social engineering has become an intricate process these days. Hackers have the opportunity to falsify credibility in ways we haven’t seen in the past. To “spoof” a phone number is to make a call appear to come from a number that belongs to another person or organization. Spoofing is a powerful tool in the hacker’s kit. By spoofing the right number, they can convincingly pose as the representative of a client, a colleague in a distant department, or authority figures like the police or government officials[3].
Many social engineering tactics rely on following breadcrumbs until they can dig up login credentials, but a majority of them leverage fear and urgency in their information-gathering excursions. These attempts to get information out of people can come in the form of false subpoenas, investigative claims, or bank phone calls.
Businesses that deal in online spaces need to be particularly careful when it comes to social engineering. If your cybersecurity is robust and your digital hygiene is pristine, social engineering attacks may be the final opening in your armor.
Protect Your Secrets
Social media posts about work may, in most cases, be harmless, but enough employees making enough posts about privileged information will lay bare the secrets of a workplace. Tweets complaining about the email services or storage solutions can turn into ammunition for a clever hacker. Photos of office spaces can be a peek into the hardware and internet infrastructure of an office, giving hackers an innovative way in. Workplace policies that prohibit social media posts about internal processes go a long way when it comes to preventing hacking attempts.
If your business involves exchanging personal information with clients via the phone or email, social engineers will, with time, work out who those clients are. Once a social engineer works out who your common points of contact are, they will often opt to pose as tertiary collaborators. With a handful of details, a hacker can create a convincing profile of a person that never existed. Be wary at work when a “new employee” calls for information your clients already have.
Disengage and Verify
When phone calls come from a number you recognize, but the caller’s behavior seems incongruent, take a minute to gather information of your own. If the police call and they’re demanding login information to “investigate a case,” ask questions before handing anything over. Badge numbers and officer names are pieces of information you’re entitled to. Ask to call back and contact the police on your own. Independently contacting the organization a spoofed number claims to be from is one of the best ways to verify the legitimacy of a call or text message. Bank scams and IRS fraud will similarly fall apart under this degree of scrutiny. This also works to break apart social engineering attempts when the culprit poses as a representative of your clients. Any request for sensitive information should be verified ahead of compliance.
Practice Password Security
If a successful social engineering attack happens in your workplace, a diverse pool of passwords will protect the office from widespread damage. Successful data breaches thrive when a single password grants access to more than one security system. Diversity in passwords will save you a ton of time and headaches in the event something goes wrong. We also recommend never storing a password[4] in a document on your computer. If a hacker gets access to your machine and finds that document, the damage from the breach will quickly spill over into other corners of your workplace.
Decentralize Your Workplace
The end goal of any social engineering attack is to steal private information or otherwise disrupt a business’s ability to continue work without paying a ransom. Decentralized storage is, by far, one of the best ways to keep this from happening altogether. Data backups stored offsite in decentralized servers are going to be secure in the face of a data breach in the workplace.
Let AXEL Help
AXEL is a decentralized storage solution for all of your storage and file-sharing needs.
You can try AXEL Go Premium with all features unlocked free for 14 days. Sign up today and see how AXEL Go can improve your workflow and supplement your organization’s cybersecurity.
References
[1] Touro College. “The 10 Biggest Ransomware Attacks of 2021.” Touro College Illinois. Touro College, November 12, 2021. https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
[2] Kaspersky. “What Is Social Engineering?” usa.kaspersky.com, March 9, 2022. https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering
[3] Krebs, Brian. “Hackers Gaining Power of Subpoena via Fake ‘Emergency Data Requests.’” Krebs on Security, March 29, 2022. https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/
[4] “Password Safety.” Technology Safety. Accessed April 27, 2022. https://www.techsafety.org/passwordincreasesecurity