Social engineering attacks are one of the most prevalent cybersecurity risks in the modern world. While the increase in digital communication channels has made it easier than ever for cybercriminals to carry out social engineering schemes, the primary tactic used to defraud victims or steal sensitive data—specifically through impersonating a known or trusted entity—has been around for much of human history.
Here's what you should know about social engineering and how to spot an attack so you can keep your business and employees safe.
What is social engineering?
In a business setting, social engineering attacks often come in the form of the criminal posing as a legitimate, known business associate (e.g., a supplier, customer or executive) and making requests that the victim might reasonably expect to receive from them, said Chris Arehart, SVP and product manager of crime, kidnap and ransom at Chubb. These fraudulent requests may include changing bank accounts for payments or sending an urgent wire to close a key business deal.
In many cases, social engineering also involves the sharing of sensitive personal or company information.
“Social engineering is the manipulation of individuals to not just get money, but also to gather information that someone may not normally share,” explained Eric Breece, director of cybersecurity at Sunrise Banks. “It’s an attempt to get someone to do something that benefits the attacker.”
Common methods for executing social engineering attacks include:
- Phishing: Phishing emails are designed to look as though they come from a trustworthy source. They’ll usually ask a user to sign into their account and include links that, when clicked on, will steal sensitive information. These attacks account for 80% of all reported security incidents, according to CSO.
- Smishing: As with phishing, social engineers bait victims into clicking on malicious links, but they do so through messaging apps or SMS text messages.
- Vishing: Attackers will obtain a user’s phone number to call and ask for information over the phone by posing as a known business associate.
Why does social engineering work?
Social engineering attacks rely on the trusting nature of their victims’ human relationships.
“It is human nature to trust those we work with, from customers and suppliers to other employees as well as our managers,” Arehart told CO—. “This trust is what social engineers exploit and is the key reason why these attacks are so successful.”
Even if an employee is suspicious of a request made by a social engineer, Arehart noted that it is often uncomfortable for employees to “push back on those we expect to work with every day, especially someone in a position of power, like one’s boss.”
Finally, carelessness and human error play a role in the effectiveness of cyberattacks.
“Individuals often get too comfortable, thinking these scams are easy to detect and not something they have to worry about,” said Breece. “However, social engineering is an ever increasingly sophisticated practice.”
What to do after a social engineering attack
Training employees on how to spot cyberattacks and requiring multifactor authentication are a good starting point, but relying upon employees to spot errors in an email is insufficient for preventing every social engineering attack, said Arehart. Here’s what to do if you believe your business has been targeted by a social engineer.
Get IT involved
Alert your IT administrators immediately to the threat so they can monitor future incoming emails or phone calls.
Report the incident to the appropriate parties
If you’ve already opened a link or provided any financial information, notify your financial institution and have them recall any active transfers, freeze compromised accounts and monitor for any further suspicious activity. Then immediately file a complaint with the FBI at ic3.gov.
“Reporting to the FBI triggers the Bureau's Recovery Asset Team and the FBI’s assistance in seeking return of the wire transfer,” said Arehart.
If your business has an insurance policy that specifically covers cyberattacks, you will also want to report the incident per your carrier’s instructions, added Arehart.
Change account passwords
Log out of any accounts and change passwords that you may have given to an attacker, especially if you have the same password on multiple accounts.
Keep records
Arehart recommended preserving records of the incident, including emails sent and received in their original electronic state.
“Correspondence and forensic information contained in these electronic files helps investigators shed light on the perpetrator(s) and parties responsible for the incident,” Arehart said.