We look at how to spot when a hacker is trying to trick their way into your charity’s computer systems – and how to prevent them from succeeding
You might imagine that most hackers are computer wizards who use their technical knowledge to break into computer systems. But in fact, only 3% of hacks exploit some technical software flaw, according to security firm Kaspersky.
The other 97% use social engineering in one form or another to exploit well-meaning staff members and convince them to reveal confidential information like passwords, to make a payment to the hacker, or simply to click on an attachment that contains malware such as ransomware.
We look at social engineering and offer some tips so charities can protect themselves.
When hackers use social engineering, they take advantage of staff members’ good nature, desire to be polite, curiosity, or simple naivety, often by posing as someone they are not.
Social engineering allows them to induce people to take some course of action because they are led to believe that doing so is important, beneficial to them or their organisation, or will be helpful. But in reality, all they are doing is assisting the hacker in their criminal activities.
A hacker using pretexting employs some false pretext to get a staff member to take an action like divulging confidential information.
For example, they may call the staff member and say that they are from the IT department. They may then say they want to increase the staff member’s email storage and therefore need their email password.
Phishing is another type of pretexting attack, because phishing emails use some pretext (such as the need to update account details) to trick staff into downloading malware or typing their password or other confidential information into a web page.
These attacks take advantage of people’s natural curiosity. For example, a hacker may email a staff member posing as someone else in the organisation, saying that a service user has made a complaint against them. The email then says the complaint letter is attached.
The hacker is counting on the recipient being curious about who has made a complaint against them and therefore opening the attachment, which contains malware.
Another example of curiosity-based social engineering is simply to post someone a USB stick containing malware in the hope that the recipient will be curious about its content and plug it into their computer.
Many social engineering attacks seek to convey a sense of urgency so that staff members are rushed into taking some form of action without pausing to think whether anything is suspicious.
A classic way to do this is to send an email posing as a senior member of staff who is out of the office, asking someone to make an urgent payment that needs to be carried out within a short space of time. By stressing the importance of the payment, the staff member may be induced to bypass normal approval procedures and make the payment – to an account controlled by the hacker.
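A defender-side check for the urgent-payment pretext just described, added here as an example that is not from the original article: it flags emails whose display name matches a payment authoriser but whose address differs, external senders, urgency wording and requests to skip approval. The staff directory, domain names and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed directory of staff who authorise payments (assumption; a real
# deployment would load this from the charity's own directory).
SENIOR_STAFF = {"jane doe": "jane.doe@examplecharity.org"}
INTERNAL_DOMAINS = {"examplecharity.org"}

# Wording typical of the urgent-payment pretext described in the article.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|right away|asap|within the hour)\b", re.I)
PAYMENT = re.compile(r"\b(payment|pay|transfer|wire|invoice|bank details)\b", re.I)
BYPASS = re.compile(r"\b(don't|do not|no need to)\b[^.]*\b(approval|approve|check|verify|wait)\b", re.I)


def assess_payment_request(from_header: str, subject: str, body: str) -> dict:
    """Score one email for the urgent-payment pretext and recommend an action."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = f"{subject}\n{body}"
    indicators = []
    expected = SENIOR_STAFF.get(name.strip().lower())
    if expected and addr != expected:
        indicators.append("senior staff display name but different sender address")
    if domain and domain not in INTERNAL_DOMAINS:
        indicators.append("external sender domain")
    if PAYMENT.search(text):
        indicators.append("payment request")
    if URGENCY.search(text):
        indicators.append("urgency language")
    if BYPASS.search(text):
        indicators.append("asks to skip approval")
    impersonation = any(i.startswith(("senior", "external")) for i in indicators)
    # Any emailed payment request is verified out of band; impersonation
    # signals on top of it mean the message should not be acted on at all.
    if "payment request" in indicators and impersonation:
        action = "likely fraud: do not pay, report to IT"
    elif "payment request" in indicators:
        action = "verify by phone before paying"
    else:
        action = "no payment indicators"
    return {"indicators": indicators, "action": action}


if __name__ == "__main__":
    # Constructed sample message imitating the out-of-office senior manager.
    sample = assess_payment_request(
        "Jane Doe <jane.doe@gmail-example.com>", "Urgent payment",
        "I am out of the office in meetings all day. Please transfer GBP 4,800 "
        "to the supplier below today; no need to wait for the usual approval.")
    print(sample)
```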
Some hackers take advantage of staff members’ good nature to induce them to do something they know they shouldn’t. For example, a hacker may call up a staff member and say that they need access to a system but have forgotten their password. They will then ask to use the victim’s password as a favour, so they don’t get into trouble for forgetting their password.
Even though people know they should not share passwords, many will do so if they think they are just helping out a colleague.
Some “good nature” attacks are less direct. For example, someone may call up a staff member to discuss something of direct relevance to the charity, and then enquire about the computer systems or cloud services that the charity uses. This information, volunteered by the staff member, may be useful when planning a later attack.
Perhaps the single most useful thing you can do to prevent social engineering attacks is to train staff about how to avoid them. That means introducing them to the different types of social engineering attacks they may encounter, and detailing the steps they should take to avoid falling victim.
For example, many organisations recommend staff consult a more senior staff member either in person or by phone before they ever act on an emailed request to make a payment or to reveal confidential information, no matter how apparently urgent the request may be.
Protect what hackers want
A common mistake that organisations make is to protect the things that are valuable to them and to neglect things that are valuable to hackers. In the example above, a hacker may find it valuable to know what cloud services a charity uses, while a staff member may see no harm in divulging that information.
That means that charities need to understand what information can be useful to hackers and then to ensure that staff members are aware of this.
Make security rules simple
A simple rule could be something like “You must never reveal your password to anyone inside or outside the organisation, for any reason.”
This is easy to understand, and it is better to inconvenience some other member of staff who may want to use a password because they have forgotten their own than it is to reveal a password to a hacker who may cause untold damage.
Tell staff it’s OK to stick to their guns
One of the most effective overarching principles to encourage is that staff should follow their instincts, however much someone persuades them to do otherwise. In many successful social engineering attacks, staff initially refuse to comply with a hacker’s request for an action or for information but are eventually persuaded.
So it can be helpful to reassure staff that they will never, under any circumstances, be reprimanded for refusing a request that apparently comes from a senior staff member.