Unless we understand the risks of sharing information inappropriately, there is danger of criminals in particular having the necessary tools to do us harm, usually financially.
A quick check of an online dictionary will give a definition of social engineering as something along the lines of, “the use of centralised planning to make societal changes and to regulate the development and behaviour of a society”. There is often a second definition given in the context of cyber security and that is something like, “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”.
The former is often scary, potentially resulting in ethnic cleansing, the removal of the poor or disadvantaged, or the apparent desire to breed children with high IQ or other attributes. But the second definition should also cause us all real concern. We have all been affected by social engineering to a greater or lesser extent. We have all been asked to share a password to give someone else easier access to a document, a spreadsheet or something similar. We have all been offered rewards for entering a quiz, completing a survey or reviewing a product, and these are all examples of social engineering. Admittedly, some are fairly innocuous and we don’t mind too much, but the real problem is that we are seemingly becoming less and less able to differentiate between “acceptable” social engineering and “unacceptable” or potentially dangerous examples. Unless we understand the risks of sharing information inappropriately, or without due cognisance of how it might be used against us, there is a significant danger of criminals in particular having the necessary tools to do us harm, usually financially.

Suppose you have some junk mail inviting you to apply for a new credit card. If this is stolen from your letter box or the waste bin, then with your name and address, and perhaps a little research on social media, a criminal has enough information to apply for a card in your name but with their own address. They receive the card and use it to buy expensive items like flights, consumer goods or fuel before the fraud is noticed. When the credit card company follows up the non-payment, it is the use of your name that earns you a bad financial record and could cause problems later.
Criminals have plenty of time to undertake the detailed research necessary to find out who the senior people in a company might be. They will discover names and addresses, email addresses and perhaps even be able to work out (perhaps from Facebook or Instagram postings) when those people are on holiday or abroad. Then an email, apparently from one of those senior people, to a junior clerk in the finance department asking for a bill, perhaps even a legitimate invoice, to be paid urgently and giving slightly different bank account details sometimes reaps huge rewards. Often the payment will be untraceable, and it is certainly unlikely to be covered by either insurance or the goodwill of the bank.
Despite cyber security being the major issue on many people’s minds, general security and the checking of standard business processes are, if anything, even more important. Having two people check major payments for accuracy, only allowing named individuals with significant experience to change a client’s bank account details, and shredding all information that could be used fraudulently are not new processes, nor are they difficult to achieve. They could be the difference between continuing in business and going bankrupt through a loss of cash.
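The three payment controls described above (a match against the vendor's recorded bank details, a named-individuals-only rule for changing those details, and two approvers for large payments) can be enforced in the payment system rather than left to memory. The following is an added example written for this page, not code from the article, its author or APMG: a small Python model of a payment-release check. The vendor record, the two invoices, the approver names, the 30-day window and the 10,000 threshold are all constructed assumptions for illustration, and the sender-domain check (edit distance against the vendor's known domain) is one practical way of catching the "slightly different" sender the text describes.

```python
"""Payment-release checks modelling the controls in the text.

Added example, not code from the original article or from APMG. The vendor
record, invoice fields, names, thresholds and windows are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: the only named individuals allowed to change a vendor's bank details.
AUTHORISED_BANK_DETAIL_CHANGERS = {"senior.ap.manager", "finance.director"}
# Assumption: payments at or above this amount need two distinct approvers.
DUAL_APPROVAL_THRESHOLD = 10_000.00
# Assumption: bank details changed this recently are treated as not yet verified.
RECENT_CHANGE_WINDOW = timedelta(days=30)


@dataclass
class VendorRecord:
    name: str
    email_domain: str
    sort_code: str
    account_number: str
    bank_details_changed_on: Optional[date] = None
    bank_details_changed_by: Optional[str] = None


@dataclass
class Invoice:
    vendor: str
    sender_email: str
    amount: float
    sort_code: str
    account_number: str
    approvers: tuple = ()


def change_bank_details(record: VendorRecord, by: str, sort_code: str,
                        account_number: str, on: date) -> None:
    """Least-privilege control: refuse the change unless 'by' is on the named list."""
    if by not in AUTHORISED_BANK_DETAIL_CHANGERS:
        raise PermissionError(f"{by} is not authorised to change bank details")
    record.sort_code = sort_code
    record.account_number = account_number
    record.bank_details_changed_on = on
    record.bank_details_changed_by = by


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def payment_holds(inv: Invoice, vendor: VendorRecord, today: date) -> list:
    """Return the reasons a payment must be held for manual verification.

    An empty list means the invoice passed every check and may be released.
    """
    holds = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    dist = levenshtein(sender_domain, vendor.email_domain.lower())
    if dist != 0:
        kind = "lookalike" if dist <= 2 else "unknown"
        holds.append(f"sender domain {sender_domain!r} is {kind} "
                     f"(expected {vendor.email_domain!r})")
    if (inv.sort_code, inv.account_number) != (vendor.sort_code, vendor.account_number):
        holds.append("bank details on invoice differ from vendor master record")
    elif (vendor.bank_details_changed_on is not None
          and today - vendor.bank_details_changed_on <= RECENT_CHANGE_WINDOW):
        holds.append("vendor bank details changed recently; call back on a known number")
    distinct_approvers = len(set(inv.approvers))
    if inv.amount >= DUAL_APPROVAL_THRESHOLD and distinct_approvers < 2:
        holds.append(f"amount {inv.amount:.2f} needs two distinct approvers, "
                     f"got {distinct_approvers}")
    return holds


# Constructed sample data for this example (not real vendors or accounts).
VENDOR = VendorRecord("Acme Supplies Ltd", "acme-supplies.example",
                      "12-34-56", "12345678")

GENUINE = Invoice("Acme Supplies Ltd", "accounts@acme-supplies.example",
                  4_200.00, "12-34-56", "12345678", approvers=("clerk1",))

# The attack in the text: right vendor name, urgent payment, slightly different
# bank details, sent from a domain one character away from the real one.
FRAUDULENT = Invoice("Acme Supplies Ltd", "accounts@acme-suppl1es.example",
                     48_750.00, "65-43-21", "87654321", approvers=("clerk1",))

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("fraudulent", FRAUDULENT)):
        print(label, payment_holds(inv, VENDOR, date(2024, 6, 1)) or ["release"])
```

Running the block releases the genuine invoice and holds the fraudulent one for three separate reasons, which is the point of layering the checks: even if the criminal had registered the real domain or kept the amount under the dual-approval threshold, the mismatch against the vendor master record would still stop the payment, and a legitimate change to those details can only be made by a named person and is itself flagged for a call-back until the window has passed.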
Andy Taylor, Lead Cyber Security Assessor for APMG International.