My experience working for the U.K. Police Cyber Crime Unit taught me that hackers are increasingly targeting staff as a way to bypass your technical defences. This type of attack, known as social engineering, provides hackers with a better “return on investment” than tackling your firewall.
To best defend your business, staff need to be well trained. This needs to go further than computer-based, box-ticking training. It needs to be an investment in the development of a security culture.
Think like a hacker
One of the toughest attack vectors to spot is the spear phishing attack. Spear phishing is a malicious email that is targeted at a specific person.
Imagine that you are a hacker. You find the company that you want to target, for example – Vulnerable Inc. You go online to find people who work there. You come across Rachel, who works in the finance team and is very active on social media.
You find her on Facebook; her privacy settings are fairly locked down, so you can’t see much. She has 689 Facebook friends. This probably means she adds people she hasn’t actually met.
You send her a friend request and she accepts.
Now all those privacy settings she set up are null and void: you can see everything. You browse her posts and build up a picture of who she is and what she likes. Eventually you come across a post from last Wednesday:
“At Bristol Gourmet Burger Kitchen AGAIN tonight with the girls. Eating my favourite the Tennessee Burger. I must be their best customer!!”
You Google “Bristol Gourmet Burger Kitchen”. Once on their website, you take a screenshot of their logo, social media handles and address. You start to craft a phishing email:
We hope you enjoyed your Tennessee Burger last Wednesday. We are reaching out to all our loyal customers to offer them a free meal. Register your details by clicking the link below to redeem your free voucher. Vouchers can be redeemed anytime but you have to register today. We look forward to seeing you again soon.
Bristol Gourmet Burger Kitchen
You send the email to her work address containing a malicious link.
Why does this work?
The information that you insert into the email is designed to build trust and familiarity. You add a deadline into the email to ensure Rachel acts quickly and without thinking about things like “why would the restaurant have my work email?”
What can you do?
- Train staff: Staff should realise how information they put online could be used maliciously. If they can think like a hacker they can understand what they should and shouldn’t post online.
- Company policies: Make sure staff understand what to do if they do receive a suspicious email.
- Audit information online: You may be surprised what information is out there that you may have forgotten to delete.
- Website information: Keep information about staff to a minimum on your website.