SecuritySocial Engineering

Antivirus and Firewalls Will NOT Protect You From This

Fact: traditional antivirus software will NOT protect your business¬† from many threats on the Internet today. A firewall won’t, either. Not even a full-time security staff will shield you from the most insidious (and probably oldest) threat to your business today: social engineering.

Social engineering is difficult to combat with technical controls. Things like spam filters and firewalls have a very difficult time protecting you from social engineering attacks because they look just like legitimate communications, and sometimes they don’t even come over email or websites – they can be perpetrated over the phone, by postal mail, or even in person, and no spam filter on earth will protect you from that.

The iconic example of social engineering is the Trojan Horse, which predates email by a few thousand years. So-called “Nigerian scams,” which lure people with promises of big payoffs for small investments (“just give me your bank account and routing number so I can transfer your $400,000 payment to you”) are still quiet popular – and successful – today.

Unfortunately, I still with a number of smaller firms who think “it can’t happen to me” (until it does) “because we’re too small” (except they’re not) and “we don’t have anything anybody would want” (but they do). They think that the only targets of large hacks are enterprises like Target, Home Depot, JP Morgan Chase, and Apple. But the truth is that most hack attacks – including social engineering – target small businesses with fewer than 100 employees!

Everyone is a target.

I have worked with clients in art, banking, construction, education, engineering, finance, health care, insurance, and legal – all of whom have been targeted by social engineering (phishing) attacks. Unfortunately, they’ve all fallen for one scheme or another, and the story is almost always the same. Here are some actual quotes from my clients:

“I got this attachment from a vendor, and when I opened it, my computer started acting weird.”

The email was a virus, unintentionally sent from the vendor’s computer.

“I downloaded this file I needed to update my printer, and it won’t work.”

It didn’t work because the file the user was trying to download was malware, disguised to look like a driver for his printer.

“I was trying to pay our Comcast bill online when I got a message saying that my computer had problems, and I was told to call this 800 number immediately.”

The client called the number, and proceeded to grant the scammer on the other end remote access to her computer, and all of the files on it.

“I got a call from Microsoft technical support, saying there were problems with my computer. I looked where they told me to, and there were errors, so I thought it was real!”

Scammers are clever! This one used normal messages that appear on every Windows system to convince the victim that her machine needed urgent attention, and then gave the tech remote control of her computer to “troubleshoot” the issue. They then proceeded to lock her computer down so that she had a choice of giving them her credit card, or losing her files. (Fortunately, she used our backup service, so we added choice #3, and got her files back for her.)

“I got this email from <President>, asking us to transfer money to a bank account I didn’t recognize.”

In this case, our client did NOT fall for the scam, and did not conduct the wire transfer. However, one of my colleagues had a client who fell victim to the exact same scam: the CFO received an email, allegedly from the CEO, asking to wire a large amount of money to a bank account, for which the routing and account numbers were given. The draft was made, and two days later, the company was out nearly $50,000. And the bank was under no obligation to refund any of it.

So what can you do?

There’s only one way to address social engineering attacks: train your people. You need to have a security awareness program in place. You simply cannot assume “my people would never fall for that,” because, believe me, they will. A security awareness program is a vital component in protecting your business from these threats. This means regular, continuous training – not “we had a seminar on passwords, once.” As humans we tend to be forgetful, so we need reminders. Ever see a speed limit sign along the highway? There are reasons they appear frequently enough that you see them several times an hour: so you won’t forget, and so you can’t say you didn’t know. If management doesn’t see that staff are properly trained, it’s management’s fault.

Interested in implementing a security awareness program for your team? Get in touch today and ask to speak with one of our Certified Information System Security Professionals (CISSPs) to see how we can help train them to be alert for the latest scams and other threats do your business.