What is Social Engineering? (Part 1)

This week, another one of our clients fell victim to Social Engineering. An employee received an email to make a change in another employee’s payroll deposit bank account that went undetected for two months. The business owner had a clearly written policy to never accept written instructions for changes in bank account information. Yet the employee made the change because she couldn't reach the employee requesting the change. Our client spent hours filing claims, lost sleep from the horror and frustration of the situation, and spent thousands of dollars to make her employee whole.  It’s time to educate yourself on Social Engineering so this doesn’t happen to you.

Despite the name, Social Engineering is not a way to gain followers on your social media accounts. On the contrary, the phenomenon is a cybersecurity attack that relies heavily on manipulating human behavior to disclose sensitive data. Desired data often includes credentials, granting access to personal devices, obtaining passwords, and bank information.  

There are several methods of social engineering, and you will recognize many examples in your own email account. For the purposes of this blog, let's focus on and explain the most common ones for small businesses. The prominent social engineering campaigns aimed at businesses are: 

Business Email Compromise (BEC)

When it comes to Business Email Compromise, the hacker impersonates a decision maker, vendor, or customer via email and requests subordinates perform transactions such as outgoing wire transfers, change payment details, and bank information. Unlike other forms of social engineering, BEC does not use malicious links or malware, instead, they rely on human error. The latter is significantly harder to manage and avoid. 

Examples of BEC:   

1. Hackers impersonate a known vendor and request payments be made to their new bank account. The company becomes aware when the actual vendor suspends service for non-payment or inquires about payment status. 
2. An email is sent to human resources asking by a hacker impersonating an employee. The request normally surrounds a change in banking relative to their direct deposit. 

Whaling

Whaling relies on personal communication to gain access to a device. The difference is that whaling attacks tend to be personalized and target one person, typically a high-level executive. A whaling attack requires a substantial amount of research on the targeted individual. These types of attacks normally result in large payoffs. 

Examples of Whaling: 

1. A hacker requests that the target--normally a busy high-level executive--to make a high-pressure, urgent decision like initiating an emergency wire transfer ahead of an important client meeting. The wire transfer then goes to the hacker account. Once the funds are received, the account is closed eliminating the means to get the funds back. 
2.  A request is made to provide payroll information about current or past employees.  

Phishing

This is the most common type of social engineering. Hackers leverage email, telephone, texts, and social media to entice users to click on a malicious link. Once done, the link downloads infected files or reveals personal information such as passwords and account numbers. Alternatively, the device is normally rendered unusable and will only be returned to “normal” once payment is made via cryptocurrency. 

Examples of Phishing:  

1. An email arrives from a known sender with a link to a Google document for the user to click and open. Once the link is engaged, it takes the user to a nearly identical version of Gmail’s login page. Inadvertently. access is granted to the user's Google account and likely personal information. 
2. A message is sent indicating there has been “suspicious activity” and the user is asked to sign into Microsoft, PayPal, or their bank account. A link is provided to the institution and by signing in access is granted. 

What Can Your Business Do

You may think you or your employees will not fall victim to such attacks. Our experience has shown otherwise. Now that you understand what Social Engineering is, watch for Part Two of this blog series which will cover what you can do to protect yourself along with processes and procedures we have found useful.  Check out  BudgetEase’s Protocol on Vendor Changes to incorporate policies in your organization to protect yourself from the consequences of Social Engineering.

(Be sure to read Part 2 of this series- "What You Can Do to Avoid Being a Victim of Social Engineering")