Social engineering is a topic that many people are unclear about. It doesn’t need to be complicated, as it is a process we go through each and every day.
Any interaction you have during the day is social engineering, whether it is replying to emails from a work colleague or simply talking to the cashier at your local grocery store.
For financial institutions, the cyber security concern is that social engineering can be used to obtain data that the person asking should not have access to.
While social engineering is inherently good, as you can build long lasting and meaningful connections with a wide network of people, it does have its drawbacks like most things. There is always going to be a needle in the haystack who wants to get information about you or your network in order to commit some form of fraud.
Just as it is important for banks to keep physical private data in a safe place, it is important that the same is done for digital data. Often the individuals who provide great customer service are the most susceptible to malicious social engineering, as they are eager to help and inadvertently end up clicking a link or attachment that contains a virus.
This is why it is vital to educate your team about the vetting process: show them how to check the credentials of the person making a request and to think about exactly what is being asked before taking any action. Surprisingly, this sort of training does not play a role in most financial institutions’ social engineering strategies.
Jack Henry conducts social engineering penetration testing for institutions and expects to obtain the information it is after 60-80% of the time. This is an astonishing statistic.
This is why educating your employees on these matters is vital. They want what is best for your institution and do not wish to put you or your customers at risk, which is why you need to educate them about these dangers. Testing needs to be put in place, as well as follow-up training for those who struggled with or failed the testing standards.
Employees need to be in the mindset of asking themselves “Why is this person asking me for this information?” and of thinking the situation through thoroughly.
The three common attributes seen in these attacks are:
- A sense of urgency
- A time constraint in place
- A consequence involved
An example of such an email would be a message posing as the IT officer and saying that you need to do a 5pm upgrade to your system on a Friday.
This often leads to the employee thinking “If I don’t do this then chaos will ensue.”
There are also other ways to test social engineering procedures, such as buying a fake internet provider shirt off the internet, going into a financial institution and saying you need to check their cables. Malware can then be installed.
Psychological manipulation is always at the forefront of these attempted frauds. A lot of people tend to take others at their word, so it is important to be a bit more skeptical when dealing with requests of this kind.
“Even if they looked like a police officer, you’d probably want to see a badge. You’d probably want to just make sure that it was a legitimate person. The same is true for your financial institution.”
These are wise words from Tammy Gilleland-Bangs of Jack Henry. It doesn’t hurt to make sure that the person you are dealing with is legitimate!
For more on Social Media Strategy, you can listen to this episode of Bank On It with Tammy Gilleland-Bangs or subscribe to the podcast via iTunes, Stitcher or iHeartRadio. Follow me on Twitter and never miss an update.