When you think of hacking, breaches, or cyber security, what do you think of? Probably software or technology. We often forget the human side. But humans continue to play a big role.
In fact, more than half of breaches and cyber-security events start with a human error or social engineering techniques. Many are a combination of both.
So what exactly is social engineering? It is the manipulation of people into performing actions or divulging confidential information. It is a confidence trick (con, for short) used for information gathering, fraud, or system access. And while it is like a con, it differs from a traditional con in that it is often one of many steps in a more complex fraud scheme. Wikipedia says, “While the term social engineering is not directly related to computers, information security, or traditional security professionals, most recently it has become a major part of our industry.”
In this post, I will review two of the most common types of social engineering techniques and how they occur in retail.
Baiting occurs when the social engineer leaves a malware-infected device, such as a USB flash drive or CD, in a common area where it is most likely to be found. Several devices can be left at one time to increase the likelihood of success. Bathrooms, hallways, and mail drops are easy targets for baiting. Humans are curious creatures, especially loss prevention professionals.
The intent of the social engineer is that someone will pick up the infected device and plug it into their computer to see what’s on it. That’s when the malware installs itself. A lot of times the USB drive or disk will be labeled “important” or “private.” Once the malware is installed, the social engineer may have access to the computer or whole networks.
One example of baiting in a retail environment is when a social engineer applies for a job, schedules an interview, and meets with HR. After the meeting, he leaves a USB drive on the HR person’s desk. Because of his long commute, he uses the restroom and leaves a second USB drive on the bathroom sink. Then, for good measure, he places one more on a random desk while exiting.
What would you do if you found a USB on your desk that was marked “private?” The answer to that question could make the difference between your company finding itself on the front page of the newspaper for all the wrong reasons in a few months or not.
Phishing occurs when a social engineer creates fraudulent communications with a target, appearing legitimate and often claiming to be from a trusted or known source. Phishing is one of the more well-known tricks of social engineers and still one of the most successful.
The most common phishing attempts are unexpected urgent emails, usually involving banking, shipment, bill payment, or online accounts. Another common attempt is an email that appears to come from a person of importance, like your boss, your CEO, or a law enforcement official. The intent of phishing is to gain access to accounts, install malicious software, or steal money.
Here is one example of phishing in a retail environment. You receive an email from Jack, your good buddy in IT, and the email says, “Hey bud, can you reset your password? Just click the link below.”
You have known Jack for years and often work on projects together. You click the link and reset your password. But the email wasn’t from Jack; it was someone trying to steal your login credentials, and that person has now accessed your HR profile in order to redirect your paycheck to his account. Don’t click on any links. Call the person. Or go directly to the source and reset the password.
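The “email from Jack” scenario above is exactly the pattern a mail filter or help-desk triage script can flag before anyone clicks. The following is an added example, not code from the original article: it assumes a small internal directory (`INTERNAL_DIRECTORY`), an internal domain (`example-retailer.com`), and a constructed sample message, and it reports why a message looks like display-name impersonation paired with a password-reset lure.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed internal directory: first name -> the only address that person sends from.
INTERNAL_DIRECTORY = {"jack": "jack@example-retailer.com"}
INTERNAL_DOMAIN = "example-retailer.com"
# Phrases typical of credential lures, as used in the article's example.
LURE_PHRASES = ("reset your password", "click the link", "urgent", "immediately")


def assess_email(raw_message):
    """Return a list of human-readable reasons the message looks like phishing.

    An empty list means none of the checks fired. Handles plain-text
    (non-multipart) messages, which is enough for the scenario in the article.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    # 1. Display name matches a known colleague, but the address is not theirs.
    first_name = name.split()[0].lower() if name else ""
    expected = INTERNAL_DIRECTORY.get(first_name)
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' matches an internal contact, but sender is {addr}")

    # 2. Reply-To points somewhere other than the sending domain.
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append(f"Reply-To {reply_addr} does not match sender domain {sender_domain}")

    # 3. Links that do not land on the company's own domain.
    links = re.findall(r"https?://\S+", body)
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            reasons.append(f"link to external host {host}")

    # 4. Credential/urgency wording combined with a link to click.
    lowered = body.lower()
    if links and any(phrase in lowered for phrase in LURE_PHRASES):
        reasons.append("password/urgency wording paired with a link")
    return reasons


# Constructed sample: the article's "Jack from IT" lure with a look-alike domain.
SAMPLE_PHISH = """From: Jack <jack.it.helpdesk@example-mail.net>
To: you@example-retailer.com
Subject: Quick favor
Content-Type: text/plain

Hey bud, can you reset your password? Just click the link below.
http://example-retailer-login.com/reset
"""

# Constructed sample: a genuine note from the real internal address, no link.
SAMPLE_LEGIT = """From: Jack <jack@example-retailer.com>
To: you@example-retailer.com
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""
```

Running `assess_email(SAMPLE_PHISH)` yields three findings (impersonated display name, external link, lure wording with a link), while the genuine message yields none.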
EDITOR’S NOTE: To learn about the third type of social engineering (vishing) faced by retailers today, check out the full article at “Three Types of Social Engineering That Keep Coming after Retailers.” The original article was published in 2017; this excerpt was updated August 28, 2018.