Social engineering is a topic of increasing concern in the cybersecurity world, including retail loss prevention. When the term was first used around the turn of the twentieth century, it referred mainly to government programs designed to nudge public behavior in a certain direction. But in the twenty-first century, it has much more sinister connotations.
It may be a modern-sounding term, but social engineering now refers to something as old as civilization itself: the tendency of some people to take advantage of others and steal from them. We identify such people by a few names (grifter, swindler, con artist, and so on), but the most commonly used word today is one that emerged in the 1960s from the carnival subculture: scammer.
There was a time when scammers had to get out into the world and interact with people to score their ill-gotten gains. They would cultivate personal relationships with vulnerable business owners, rich widows, or ordinary consumers. Now they can scam people while relaxing at home in their pajamas. Some will use impersonal methods, such as harvesting credit card numbers from skimmers or unsecured Wi-Fi connections. But more commonly, like the con artists of old, they approach us as human beings and exploit our inherent human vulnerabilities.
The Scammer’s First Ploy: Gaining Your Confidence
The “con” in con artist is short for confidence. The crook infiltrates the victim’s world by gaining their confidence. That’s still the method used by today’s online scammers. The easiest way for the scammer to approach a victim is to impersonate a friend or other trusted entity.
Example: You receive a seemingly innocent email from Bob, your trusted business colleague. But something about it seems odd. The language isn’t what Bob would normally use. It comes across as stilted, false, and even incoherent. And it’s asking you to do something unusual—change your password, for instance, or reveal some other personal information.
What you shouldn’t do in that situation is respond directly, reveal any personal data, or worse, click on an accompanying link. Instead, it should be simple enough to approach Bob directly: “Hey, did you send me an email this morning?” That will probably clear it up quickly.
Social engineers will also impersonate other entities you trust: your bank, your credit card company, your mortgage company, USPS, FedEx, the IRS, an asset protection associate, your internal IT department, your utility company, etc. They will inform you of a problem with your account—and that you must take action immediately! Persuading you to act quickly without thinking is a surefire way for them to get what they want. Again, the wise course is not to take the bait. Instead, if you’re not sure, contact the bank, the post office, or the credit card company directly. You’ll probably find out it was a scam.
Social Media: A Scammer’s Paradise
For those who engage in social engineering, social media platforms are like a cocktail party full of gullible guests. The participants are already open to interactions and inclined to share information about themselves. Seemingly innocent Facebook posts will invite you to state the year you were born or the name of your favorite music group. Those posts are not just for fun. They’re tools designed to create a profile of you to be exploited later. People on Facebook or LinkedIn routinely receive invitations to connect with “people” with whom they have no natural connection. For men, the invitation may include a photo of a beautiful woman to enhance the attraction. The goal is to cajole you into revealing information that can be used for fraudulent transactions or even identity theft.
Hacking Businesses the Easy Way
More businesses nowadays employ sophisticated cybersecurity programs. However, the trend toward remote working has opened an area of vulnerability: many employees now access their companies’ systems from their home computers. How secure are those home computers? That’s the portal social engineers can sometimes use to get inside a company’s system and cause havoc. If employees aren’t vigilant about their own cyber health, they can inadvertently expose themselves and their employers to serious damage.
For workers, managers, consumers, and virtually everyone else, following a few simple guidelines can insulate them from the worst perpetrators of social engineering.
Five Don’ts for Cyber Safety
- DON’T believe everyone who approaches you.
- DON’T reveal personal information to anyone with whom you’re not familiar.
- DON’T click on any link you’re not sure about.
- DON’T use the contact info provided by a questionable source (verify independently).
- DON’T be pushed to act in a hurry.
Two common types of social engineering attacks that retailers frequently encounter:
- Phishing: The attacker sends fraudulent communications that appear legitimate, often claiming to be from a trusted source. The goal is to trick the recipient into revealing sensitive information, installing malicious software, or transferring funds.
- Vishing (voice phishing): The attacker impersonates someone trustworthy via phone call, aiming to trick the employee into revealing sensitive information or performing actions that favor the attacker.
Vishing is arguably the most prevalent form of social engineering that retailers currently encounter. It typically involves a caller posing as someone with authority, such as a representative from the IT department or a loss prevention associate. These impostors often request that a transaction be authorized or pushed through. Frequently, the caller will claim to be conducting a system test, possibly involving a gift card transaction, and will then ask the employee to validate it.
Given the risks associated with these types of social engineering, the following tips can help retailers protect their businesses:
- Awareness and Training: Regularly educate employees about social engineering tactics such as phishing and vishing, and encourage them to report suspicious activity.
- Policy Enforcement: Implement strict policies about handling unknown devices, clicking on links in emails, and releasing sensitive information over the phone. Make sure these policies are enforced and regularly updated.
- Verification: Encourage staff to verify the identity of individuals before releasing any sensitive information. This could be as simple as calling back on a number already on file (not one supplied by the caller) or checking with a supervisor.
- Secure Systems: Ensure your IT systems are secure and up-to-date. Regularly update and patch all systems to protect against malware and other threats.
- Incident Response: Have an incident response plan in place. If a breach does occur, knowing how to respond can minimize damage.
For these reasons, as well as for the preservation of basic social cohesion, it’s imperative for retailers, law enforcement, and ordinary people to know the tactics of social engineering—and effective ways to defeat them.