Think about the last time you had a phone conversation with someone you didn't personally know. Maybe you got a call from the bank informing you a new representative would be handling your accounts. Maybe you called into a customer service center, and you got a follow-up call to inquire about your experience.
Innocuous enough, right? The person on the other end of the line may ask about the weather where you live or how business is going. They may hear your two yappy Pomeranians barking in the background and ask their names. Because you love any opportunity to talk about your dogs, you don't think twice about the question.
But maybe you should.
The Christian Science Monitor reports that sometimes, a seemingly innocent call may actually be the work of a social engineer who is after your information. While it may seem like polite small talk, you've actually divulged where you live and the names of your pets, which may be lynchpins in your passwords and help a hacker get a foothold in your network.
The report states that the hacker convention Def Con illustrates this technique with a beloved competition called Social Engineering Capture the Flag. The rules are simple: contestants hop on the phone and call employees of different companies in the hope of tricking them into giving up useful information.
The report states that for 91 percent of large cyber attacks, phishing emails (i.e., targeted messages that ask for credentials) were the first point of entry. It goes to show you: exploiting trust can be a powerful weapon in cyber warfare. Let's see what your business can learn from these hacks.
With Cyber Risk, Humans Are the Wild Card
If there's one thing Def Con's social engineering competition should reinforce, it's that people are always the weakest links in the data security chain. As we noted in "When Networking Can Hurt Your Business," your employees don't even have to answer the phone to be victims of a scheme. A crook can look at their social media profiles and glean a bunch of information, including…
- Where they work.
- What their position is in the company.
- Which of their connections are actually business associates.
Armed with that information, someone could easily send a spear phishing email that tricks an employee into giving up login information or other crucial data that compromises your security. (Worse news: cyber attackers can use dating apps for evil, too. More on that in "Dating Apps on Your Business Phone? Prepare for Heartbreach.")
This isn't because employees are careless or easily duped. Rather, hackers prey on the fact that people are busy and may not have time to carefully analyze every phone call or email they receive. The fast-paced, task-laden nature of most people's lives is ripe for exploitation. Time-strapped employees may simply open the email or click the link because they just want to get the request dealt with as quickly as possible, especially if they think it's coming from a higher-up.
That's why even tech-savvy people are susceptible to social engineering schemes (and why Cyber Liability Insurance may be a wise investment, just in case an especially convincing phone call exposes your system). Learn more about hacks in "23% of Small Business Employees Still Make This Critical Mistake."
Winning the Cyber Trust Wars with Training
So now we know a few things: social engineering is a formidable risk, and busyness is a key ingredient in pulling off these schemes. While you may not be able to do much to help your employees manage their work-life balance, you can train them to know these risks are out there.
This training is especially valuable if you have part-time or virtual assistants who may not know the full lay of the land of your business and may be more susceptible to trickery because of it. To combat this vulnerability, send out reminders that note…
- Hackers might call on the phone.
- Innocuous conversations can still reveal a lot of personal information that can be exploited.
- The kind of information that is and isn't safe to give out.
- Suspicious emails or phone calls should be immediately reported to you.
For more employee cyber security training tips, check out "Yes, You CAN Prevent Data Breaches."