Social Engineering: How Hackers Target Your Employees

By: Dave Kelly, CTO SensCy

When we think about cybersecurity, we often think about protecting ourselves and our computer networks from some brilliant adversary writing code that will allow access to our systems. But in 2022, 57% of cyberattacks on small businesses involved simple social engineering techniques rather than some complex network penetration.

What is Social Engineering?
Rather than breaking into computer systems directly, social engineering involves manipulating our employees into granting entry to our computer networks. The cybercriminals exploit human weakness to obtain personal information, login credentials, and access to protected systems.

There are many types of social engineering that our employees need to be aware of; the most common of those will be outlined in this article with the hope that it will help you and your employees recognize and avoid them.

Phishing
Phishing, or email phishing, is the best-known type of social engineering. These attacks impersonate a brand we use in our personal or professional lives, like our bank, our social media platforms, or commonly used business software. They attempt to manipulate us by creating a sense of urgency:

“We have detected suspicious activity on your bank account, please log in and change your password.”
Hacker’s Objective: obtain your login credentials

Spear Phishing
Spear phishing is a more researched attack. The hacker gathers information from public sources like the company’s website, social media accounts, and press releases. The hacker then uses this information to target specific individuals within the organization using real names, real job functions, and telephone numbers to make the recipient believe the email is internal. These attacks attempt to manipulate us into thinking we are completing a task requested by a co-worker or supervisor:

“A document is awaiting your digital signature.” 
Hacker’s Objective: get you to click on a link that installs malware (typically ransomware) and locks everyone out of your computer networks.
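Both the brand-impersonation phishing above and the co-worker-impersonation spear phishing rely on the same small set of tricks: a sender domain that looks like the real one, a display name that claims to be someone it is not, a Reply-To that quietly redirects replies, and urgency language. The script below is an added example, not code from the article or from SensCy; it checks a raw email for those indicators. The trusted domains, the urgency phrases and the three sample messages are constructed for illustration.

```python
"""Flag common impersonation indicators in an email's headers and text.

Added example; not code from the original article.  The trusted domains,
urgency phrases and sample messages are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the organisation treats as its own and its bank's.
TRUSTED_DOMAINS = {"senscy.example", "examplebank.com"}

# Assumed: phrases that create the "act now" pressure the article describes.
URGENCY_PHRASES = ("suspicious activity", "immediately", "awaiting your",
                   "urgent", "wire transfer")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    """True for a trusted domain or any subdomain of one."""
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        # examp1ebank.com (typo/homoglyph) or senscy.example.com (trusted name used as a prefix)
        if edit_distance(domain, trusted) <= 2 or domain.startswith(trusted + "."):
            return trusted
    return None


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable red flags found in the message (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []

    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"lookalike sender domain {from_domain} (resembles {imitated})")

    # Display name borrows a trusted brand while the address is elsewhere.
    compact_name = re.sub(r"\s+", "", name.lower())
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in compact_name and not is_trusted(from_domain):
            flags.append(f"display name '{name}' does not match sender domain {from_domain}")
            break

    # Replies silently go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = sorted(p for p in URGENCY_PHRASES if p in text)
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real mail).
SAMPLE_BRAND = """\
From: Example Bank Security <alerts@examp1ebank.com>
To: tom@senscy.example
Subject: Suspicious activity on your account

We have detected suspicious activity on your bank account, please log in and change your password.
"""

SAMPLE_INTERNAL = """\
From: Dave Kelly <dave.kelly@senscy.example.com>
Reply-To: Dave Kelly <dave.kelly@senscy-docs.net>
To: tom@senscy.example
Subject: Document for signature

A document is awaiting your digital signature. Please sign immediately.
"""

SAMPLE_LEGIT = """\
From: Payroll <payroll@senscy.example>
To: tom@senscy.example
Subject: Pay stubs posted

Your April pay stub is available in the portal.
"""

if __name__ == "__main__":
    for label, sample in (("brand", SAMPLE_BRAND), ("internal", SAMPLE_INTERNAL), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

The brand sample trips three checks (lookalike domain, borrowed display name, urgency), the internal sample trips three different ones (trusted name used as a prefix, Reply-To mismatch, urgency), and the legitimate payroll notice trips none. None of these checks replaces SPF/DKIM/DMARC; they are the same signals a trained employee should look for before clicking.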

Whaling
Whaling is an attack that involves impersonating the business owner or other members of the senior leadership team. Like spear phishing, the hackers research the leaders within the organization using the company’s website, LinkedIn, published blogs, and other publicly available information. They impersonate the owner of the company and target other members of senior leadership, or vice versa. The email will look like it is coming from the owner or senior executive. These emails might request a proposal review, ask for approval for expenditure of funds, or ask for additional details about the business that can lead to further attacks.

“Tom, I wanted to get approval from you before I send this wire transfer.”
Hacker’s Objective: get you to open an attachment that installs malware and locks everyone out of your computer networks, or to approve a fraudulent wire transfer.

Smishing
Smishing is phishing by text message (SMS): a message that asks an employee to act. It is an evolution of phishing; as technology evolves, so do the hackers. As we have moved to a more distributed, remote workforce, one that uses mobile devices as the main form of communication, smishing attacks have increased. Smishing can carry any of the above types of social engineering.

“Hi Susan, I have changed banks. Attached is my new direct deposit form.”
Hacker’s Objective: have the employee’s paycheck re-routed to a bank account that the hacker controls.

Vishing
Vishing is voice phishing; it happens when a hacker calls a phone number and creates a heightened sense of urgency to make the employee take an action that they otherwise would not. These calls are usually targeted at a stressful time for the company, like the end of a quarter for a sales organization or during tax season for a CPA firm.

“Hi Tamika, it’s Sam from IT. I work for your managed service provider. We have seen some suspicious activity on your account. May we please remote in to fix some things?”
Hacker’s Objective: to install remote access software and steal company data.

These are just a few of the ways that social engineers are attempting to trick our employees into making a mistake that could be catastrophic for our small businesses. It is critically important that employees are aware of these and other social engineering tricks. An educated workforce can be a great defense against cybercriminals.

To learn more and to see specific examples of these attacks, please join us for a webinar on the topic of social engineering. You can register here.