When we think about cybersecurity, most of us think about defending ourselves against hackers who use technological weaknesses to attack data networks. But there’s another way into organizations and networks, and that’s taking advantage of human weakness.
This technique is known as “social engineering,” which involves tricking someone into divulging information or enabling access to data networks. Family offices and high-net-worth individuals are often at risk for these type of security breaches.
For instance, an intruder could pose as IT help desk staff and ask users to give information such as their usernames and passwords. It’s surprising how many people don’t think twice about volunteering that information, especially if it looks like it’s being requested by a legitimate representative. Or, perhaps an individual in a conference may begin speaking with you over a related topic of your interest. The individual tries to naturally start a conversation and build trust over time.
On a more conspiratorial note, someone you know from a store/company may be recruited to infiltrate your activities, or industrial espionage specialists may profile you though the internet and get to know your preferences, hobbies, contacts and friends.
And that's not to mention the general threat posed by employees, co-workers and collaborators.
Social engineering attacks are particularly difficult to counter because they’re expressly designed to play on natural human characteristics, such as curiosity, respect for authority and the desire to help one’s friends.
Detection Tips
Here are tips that you, as well as the family offices and other clients you advise, should consider to avoid security risks.
Check the source. Take a moment to think about where the communication is coming from; don’t trust it blindly. What do they know? Does the source not have information you’d expect them to have, such as your full name, etc.? Remember, if someone from a bank is phoning you, they should have all of that data in front of them, and they’ll always ask security questions before allowing you to make changes to your account. If they don’t, then the chances of its being a fake email/call/message are significantly higher, and you should be wary.
Break the loop. Social engineering often depends on a sense of urgency. Attackers hope their targets won’t think too hard about what's going on. So just taking a moment to think can deter these attacks or show them for what they are—fakes.
Ask for ID. One of the easiest social engineering attacks is bypassing security to get into a building by carrying a large box or an armful of files. After all, some helpful individual will hold the door open. Don’t fall for this. Always ask for ID.
Don’t go too fast. Be particularly wary when you feel a sense of urgency coming into a conversation. This is a standard way for malicious actors to stop their targets thinking the issue through. If you're feeling pressured, slow the whole thing down. Most of the time, social engineers won’t push their luck if they realize they’ve lost the advantage of surprise.
Think about your digital footprint. You might also want to give some thought to your digital footprint. Oversharing personal information online, such as through social media, can help attackers. For instance, many banks have “name of your first pet” as a possible security question—did you share that on Facebook? If so, you could be vulnerable! In addition, some social engineering attacks will try to gain credibility by referring to recent events you may have shared on social networks.