Don’t Be Victimized by These Social Engineering Scams
by Joanna Pineda, posted on November 4, 2014
A couple of weeks ago, a client called in a panic to ask if their website had been hacked. Here’s the scenario: one of the administrative assistants had received an email from a senior VP, asking for a copy of their membership database. The email looked legit so she exported a member list and emailed it to the VP. Or she thought she did. Turns out the senior VP’s email had been spoofed. She had actually emailed the member list to an outside email; the email only appeared to have come from the VP.
Eeek. How did this happen? Did the website get hacked? We did a scan of the server, checked the logs, and rechecked the intrusion detection service logs. No breach. So how did this happen? Turns out that the association publishes a full staff list and it would have been easy for anyone to find the email addresses of a senior VP and an admin. It’s not hard to create an email address and “hide” the email by displaying the “pretty name” in the email header. BTW, turns out a number of our clients are getting these types of emails.
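As an added example (not code from the original post), here is a small Python check a mail administrator could run over inbound headers to catch the “pretty name” trick described above: a display name that matches a known staff member while the real address belongs to someone else. The staff directory, organization domain and sample message are constructed for illustration.

```python
"""Flag the "pretty name" trick: a From: display name that matches a staff
member while the real address is someone else's. Added example; the staff
directory, domain and sample message are constructed, not real data."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory, the same data an outsider could build from a public staff list.
STAFF_DIRECTORY = {"Pat Morgan": "pmorgan@association.example",   # senior VP
                   "Chris Lee": "clee@association.example"}       # admin assistant
ORG_DOMAIN = "association.example"

def _normalize(name: str) -> str:
    # Collapse case and whitespace so "PAT  MORGAN" equals "Pat Morgan".
    return re.sub(r"\s+", " ", name).strip().lower()

def check_from_header(from_value: str) -> list[str]:
    """Return reasons a From: value looks spoofed; an empty list means clean."""
    display, addr = parseaddr(from_value)
    if not addr:  # unparseable, or several addresses (newer parseaddr returns '')
        return ["From header could not be parsed into a single address"]
    known = {_normalize(n): a.lower() for n, a in STAFF_DIRECTORY.items()}
    norm, domain = _normalize(display), addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if norm in known and known[norm] != addr.lower():
        reasons.append(f"display name {display!r} belongs to {known[norm]} "
                       f"but the address is {addr}")
    if norm in known and domain != ORG_DOMAIN:
        reasons.append(f"address domain {domain} is outside {ORG_DOMAIN}")
    if "@" in display and display.lower() != addr.lower():
        # Display name that itself looks like an address but is not the real one.
        reasons.append(f"display name {display!r} mimics an address; real one is {addr}")
    return reasons

def check_message(raw: str) -> list[str]:
    """From: check plus a Reply-To mismatch check on a raw RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = check_from_header(msg.get("From", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    return reasons

# Constructed sample: the post's scenario as the mail server would see it.
SAMPLE = ("From: Pat Morgan <pat.morgan.office@mail.example>\n"
          "To: Chris Lee <clee@association.example>\n"
          "Subject: Need a copy of the membership database\n\nPlease send ASAP.\n")
```

Running `check_message(SAMPLE)` returns two reasons for the sample above; a message whose From: address matches the directory entry returns none.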
Here’s another scenario that will scare you. Several clients have reported that their exhibitors are receiving calls from people posing as the association staff exhibitor contact. The caller goes on to ask if the exhibitor has booked a hotel room. If the exhibitor says no, the caller asks for a credit card and bam, the credit card has now been breached.
Eeek and double eeek. These types of attacks are called social engineering attacks. Wikipedia defines it this way: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.” The attacks described above are not technical threats; they are human threats, and they are on the rise.
So how do you protect your organization? I could spend days talking about social engineering, but here are my top tips:
Talk to your staff about social engineering: what it is, the dangers, what it looks like.
Train your staff to be suspicious. One IT Director I spoke with said, “I’ve trained my staff to be paranoid. If they get a request that looks fishy, they need to confirm the request by voice. And they are told that senior staff NEVER ask for exports and reports from the database via email.”
Train your staff to never divulge passwords, account numbers or other confidential information over the phone or email unless they can verify the request in person or via voice.
If a social engineering attack occurs, don’t sweep it under the rug and pretend it didn’t happen. Talk about it, train on it, discuss it.
Talk to your IT vendors about training for your staff.
Keep reading and educating yourself and your staff about social engineering.
How about you? Has your organization been victimized by a social engineering hack? What are YOU doing to protect yourself and your organization?