Picture this: You’re in the lending industry. You get an email from your boss saying to send one of your accounts a respectably sized loan, as it’s gone through approval. As a good employee, you do as you’re told and send off the money through your normal channels. Once the money has been sent and confirmed, you find out it wasn’t your boss but someone using an email address only one letter different from his. The deed is done and the money is gone. What can you do?
Sadly, this is no longer an uncommon event. It is usually the work of clever hackers or criminal organizations that target certain companies or individuals. After getting into your email — whether directly through your computer, by hacking, or even by guessing the password to the server where your e-mail is stored — they read your email and wait. A carefully formulated scam takes some time, but these evil folks are experts in this field. They have lots of experience and are very adept at trickery.
How can the average person protect themselves? No amount of anti-anything software can keep this away. One term for this exploitation is “social engineering,” i.e. psychological manipulation of people into performing actions or divulging confidential information. It’s the old con game gone digital. It’s been around for a while and will keep rearing its ugly head for the foreseeable future. Longer, probably.
The unfortunate victim in the example above was duped only because the email address and body were extremely close to the typical request. This is what is called pretexting: an elaborate lie involving some prior research or setup, with that information then used as a pretense to establish legitimacy in the eyes of the target. And it’s only one tool in the big bag of tricks being used these days.
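One simple defensive check against the “one letter different” trick described above: compare each sender address against a directory of trusted approvers and flag anything that is close but not identical. This is an added example, not part of the original column; the approver directory and the From: headers are constructed for illustration.

```python
# Added example (not from the original column): flag From: addresses that are
# one edit away from a trusted approver, the "one letter different" trick above.
from email.utils import parseaddr

# Constructed directory of addresses allowed to approve disbursements.
TRUSTED_APPROVERS = {"j.doe@acmelending.com"}

# Constructed inbound headers: one genuine, two lookalikes, one unrelated.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <j.doe@acmelending.com>",
    "Jane Doe <j.doe@acme1ending.com>",      # 'l' swapped for '1'
    "Jane Doe <j.doe@acmelendingg.com>",     # extra letter inserted
    "Vendor Support <billing@othervendor.example>",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_APPROVERS, max_distance=1) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header.
    A 'lookalike' sits within max_distance edits of a trusted address without
    being it: verify out of band (call the real approver) before money moves."""
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if addr in trusted:
        return "trusted"
    if any(edit_distance(addr, known) <= max_distance for known in trusted):
        return "lookalike"
    return "unknown"


def triage(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Map each header to its verdict so results can be reviewed or asserted on."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9s} {header}")
```

A real deployment would compare against the whole address book, not one entry, and would treat a “lookalike” verdict as a hold on the transaction until the request is confirmed by phone.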
There are also diversions, where the objective is to persuade the person responsible for a legitimate delivery that the item is needed elsewhere. Of course, there’s phishing: you receive an email that appears to come from a legitimate business requesting verification of information. There’s also baiting, which is when you find a CD-ROM or USB flash drive in an obvious location like a bathroom, elevator, sidewalk, parking lot, or just the office floor. It looks like someone just dropped it, but instead it has malware on it that could infect your systems. And there’s the even exchange, i.e. quid pro quo, which just means something for something. This is when a criminal calls a company and dials extensions claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem. They will then “help” solve the problem, but in reality have the user type commands that give the criminal access or launch malware.
There are many more ways evil organizations can gain access to your important data, and it takes diligence from you and everyone involved to keep them at bay. One approach is to train employees how, when, where, and even why sensitive information should be used. Speaking of which, it’s important to be clear about what information is sensitive and to evaluate its exposure to social engineering.
Sometimes the simplest measures are the most effective. If a person’s identity can’t be verified, then, per training, an employee should politely refuse to divulge information. Unannounced tests of security protocols work wonders, too. Last but not least, using Dumpsters or waste bins with locks on them can help as well.
While we can’t defeat every attempt to dupe us, we can sure try. …
Paolo Chlebecek is founder and owner of PaoloTek, which he started in 2003. He loves dogs of all sorts and oddly finds himself driving around town between 2 p.m. and 3 p.m. every weekday. Wave hi when you see him or contact him at Paolo@PaoloTek.Com.