Why you need to train your staff in social engineering for cyber safety

A small manufacturing business, with about $4M in gross revenues, tucked away in a nondescript building in a small industrial park with 35 employees in a small Canadian province that did business around the world. The CEO travelled fairly regularly (pre-pandemic), often to Europe and Latin America. The comptroller received a not unusual email from the CEO one day, requesting a USD$20,000 payment be made for a project. The amount was a bit higher than usual, but such a request wasn’t out of order. The money was transferred later in the day. They’ll never get that money back.

The cyber criminals had used an attack method called spear phishing, but they had also done some research. They’d likely analyzed social media posts, company blog posts and their website. A profile can be built in a few days. They’d made one change to the domain name for the email and registered through sophisticated blinds. So for say, about 36 hours of work, they netted USD$20,000 with one email. Not bad. Not good for the target.

Cyber criminals are becoming increasingly sophisticated. They use the same entrepreneurial tactics as startup companies, they growth-hack, they use customer engagement tactics, run models and assess their targets like a marketer assesses a potential customer. They know just about how much to ask for to likely get away with it.

Social engineering is different from brute force hacks into your network and systems. In some cases, they use methods to get you to download a document or click on a link which installs software on your network, either to steal data/information, inject malware or often much worse, ransomware and hold you hostage for payment.

Sometimes, if they see a big enough monetary gain, they’ll spend months working on getting into your systems. They may befriend an employee on social media, nurturing a relationship with them and eventually collect enough information to launch a phishing or spear phishing attack, maybe they’ll use a false identity in a tactic known as pretexting to solicit information. We’ve seen instances where the criminal will pretend to be in the supply chain network of a company and use fake invoices or engineer their way into getting network access.

Just installing a VPN, firewalls, anti-virus software and such is no longer enough. They’re necessary, but social engineering is insidious and is a kind psychological warfare against businesses. It’s a good idea to train your staff on how to look out for and recognize social engineering and develop methods to counter suspected attempts. There are ways to do this, but we’re not going to publish them for obvious reasons.

Such training is a part of good Digital Governance and makes sense, as frustrating as it is. Think your business isn’t a target? You will after you become a victim. No business is immune, no matter how small.