Social Engineering Techniques, the Stealth Bomber, and You!

May 2, 2017 at 9:45 AM

We write a lot on this blog about the different social engineering techniques that bad actors are using today. We do this to educate you on the threats that are out there and the methods these organizations will use to achieve their main goal: stealing sensitive information from your company!

At the end of the day, that is the only thing that matters to these criminals. This is a business with the goal of making money, much like your business has the goal of making money. The difference is that these bad actors prey on organizations to steal information and then sell it to even worse people, who use it in some fashion. Some examples of this sensitive information include:

  • Credit/Debit card numbers
  • Social Security numbers
  • Medical Records (which may contain both items above)
  • Personally Identifiable Information (address, email address, phone number, passwords, etc.)

Every year at about this time we hear of scams involving the IRS. These scams often involve phone calls from bad actors pretending to be from the IRS, saying that you owe taxes and that if you don't pay on the spot, a warrant will be issued for your arrest. While it is scary to get that call (nobody wants to get arrested), you should know that the call is fake and that the IRS will never call you and threaten you. They prefer to do the nasty stuff via the mail! But this is where this year's attacks have gotten interesting.

Northrop Grumman, the enormous defense contractor that literally builds the Stealth Bomber, fell for a hack that resulted in 68,000 employees having their W-2 information stolen. How did this happen? A spear-phishing campaign targeted an employee at Northrop Grumman, tricking them into entering their username and password into a bogus form. The bad actors used those credentials for over a year to steal the sensitive information of the 68,000 employees. Yikes!

After 4 paragraphs and some bullet points, you might be asking yourself, "Why is he telling us this?" Great question, and one that I am glad you asked! To answer it, I am going to pose a question to you first: If the company responsible for developing the Stealth Bomber can fall for a phishing attack, could you fall for one too? I don't know the answer to that question, and I hope that you are never victimized like this, but the point is that you must prepare your staff for this type of event.

What are some ways that you can prepare and educate your staff to reduce the risk of something like this happening? (Please note that I used the word "reduce" and not "eliminate." It is impossible to eliminate risk; you can only reduce it.) Here are some tips you can implement today:

  • Educate Your Staff - If you do your security awareness training 1x per year, you are setting your organization up for attack. Do the threats change more than once per year? Yes. Do you value the sensitive information that your organization holds on employees and customers? Yes (I hope). Do you have $1,580,000 lying around to blow on fines, credit monitoring, and all the other costs associated with a breach (10,000 records at $158/record is the math according to the Ponemon Institute)? Maybe, but I am sure you can find better things to do with almost $1.6M. Train your staff more than 1x per year. Quarterly is ideal, but please make sure you spend more than 1 hour a year on information security.
  • Empower Your Staff - You know the old saying: if something looks too good to be true, it probably is. A phishing email doesn't necessarily look too good to be true, but it looks strange, and that should raise a red flag. At Compass, we call this "building a culture of security." This means allowing your staff to ask questions if something looks odd. Did you get a random email asking for your username and password to a system or program that houses sensitive information? Ask someone if it is legit. Did you get an email from your CEO asking you to make a wire transfer for $5,000,000 to a company that you have never heard of? Ask someone if it is legit. Did you get a phone call from "tech support" asking you to install software on your machine? Hang up, call IT yourself, and ask them if it is legit. Asking these questions mitigates your risk. On a side (yet funny) note, this morning I sent an email asking people to subscribe to the Compass YouTube channel. My co-worker emailed me and asked whether I had really sent him an email with a link to our YouTube channel. Ask the question and make sure that YouTube channel link is legit.
  • Test Your Staff - You have educated your staff and empowered them to ask questions to make sure everything is legit; now test them. Hire a firm to run a simulated phishing email and/or phone call and see how they respond. Keep doing this and you will start to see a change and the development of a culture of security. And isn't it better to have a controlled test from an outside firm than a real test from a Russian crime organization, in case the results aren't the best? Use these tests as a learning opportunity and a teaching moment for you and your staff.
