Humans: The Weakest Link in Social Engineering Attacks

Property & Casualty Team

Humans: The Weakest Link in Social Engineering Attacks | James W. Gow, Jr. | Corporate Synergies


60% of businesses fell victim to social engineering attacks in 2016. What’s the weakest link between victim and hacker? Humans.

We’re all human; we make mistakes. But there are plenty of people out there trying to take advantage of a simple mistake that could cost a business millions of dollars. Social engineering attacks take advantage of human behavior—or that one little mistake—to steal confidential information.

It’s a scam that has been around for decades, but it’s become a bigger problem thanks to the Internet and the rise of various forms of electronic communication.

Social engineering attacks work because it’s easier for hackers to exploit the natural inclination to trust someone than to figure out a new way to access a computer.

Recently Google confirmed that a massive phishing scam hit millions of Gmail users in the form of an email from a trusted contact who appeared to be sharing a Google doc. To the unsuspecting eye, the email looked almost as authentic as an email from Google, down to the URL and login page. If a user clicked the link and granted permission to a fake app called Gdoc, they might have exposed their contacts, emails and any personal information contained there. Luckily, Google caught the attack quickly.[1]



Consider this scenario: An HR staffer uses a work laptop at a coffee shop. Using public Wi-Fi, this individual logs in to the company’s cloud-based accounting software to work on payroll. A hacker on the same public Wi-Fi network gains access to the company’s accounting software, putting the business and employees’ personal information at risk.

Social engineering attacks don’t always happen online. For example, an attacker could access the phone directory of a large company and pretend to be returning a call from technical support. The attacker may leave a message on the phone or get in touch with the person directly. While many people who hadn’t filled out a tech support ticket may simply say, “Sorry, you’ve called the wrong person,” the criminal is bound to reach someone who had submitted a technical support request.

In this scenario, the attacker tricks the victim into thinking he can offer help and asks for sensitive information, such as a password, to access the computer or specific systems. He may then log in to the computer after hours to steal information or launch malware.

Unfortunately, by the time employees figure out that they’ve been duped, it’s often too late. A business would be left to deal with a myriad of costs, such as state-mandated breach notification and credit monitoring for impacted third parties, a significant interruption to its business, and a potential public relations nightmare. In addition to notification and credit monitoring, impacted customers may claim privacy and personal injury damages, intellectual property infringement, financial injury claims, or damage to their property.

In social engineering attacks, hackers exploit the human inclination to trust.

The most important line of defense, in addition to business insurance coverage, is to educate employees about these threats and put in place protocols that help prevent social engineering attacks. These might include:

  • Guidelines for employees to regularly change their passwords for their computer systems, accounting software, email and other programs where sensitive information is stored.
  • Establishing a standard framework for how information is shared throughout the company. Not everyone should have access to sensitive data, especially if it’s not relevant to their job.
  • A policy for how sensitive information is asked for and given. For example, bank or accounting information should never be shared via email or over the phone; all inquiries should be made in person.
  • A policy for identifying employees in the office. For example, all employees should wear badges that are shown when entering the office. If someone claiming to be an employee doesn’t have identification, he or she shouldn’t be let in until they can be identified. Visitors should also be identified.
  • Safe document management systems and disposal services that keep sensitive information under lock and key so that prying eyes can’t get to it.
  • Tests for employees. Following training, employees should occasionally be tested to ensure they understand typical social engineering and hacking scams and don’t hand off sensitive information.

Because social engineering attacks are an evolving risk, conduct insurance policy reviews often to ensure your business is adequately protected should you fall victim to social engineering fraud.

We’re all human, after all.

[1] CNBC, “Massive Phishing Attack Targets Millions of Gmail Users”


© 2017 Corporate Synergies Group, LLC. No part of this material may be republished or distributed without prior written consent.
