“Social engineering” describes the techniques criminals use to manipulate people into doing what they want or into providing information they shouldn’t. Social engineers look for information they can use to persuade their targets to cooperate, perhaps by gaining their trust or through the use of intimidation. These scammers can often find everything they need to succeed on a company’s website, in its employees’ social media posts, and in auto-reply out-of-office voicemail and email messages.
Is your organization sharing too much?
About your website
Including the names, job titles, email addresses, and direct phone numbers of your key employees and supervisors on your public website is a bad idea. Scammers thrive on this kind of data. This is especially true if your site also includes information about other companies you do business with. Scammers will use the names, job titles, and email addresses of your employees to run scams that often victimize your organization and its customers.
The victims’ losses can be significant, as was the case in 2018 when a Texas county government ended up paying $525,000 to a scammer impersonating a representative of a road construction contractor. In that case, the scammer spent a great deal of time building a trust relationship via email with a member of the office of County Treasurer whose name, title, and complete direct contact data were on the department’s public website. Per the perpetrator’s instructions, the treasurer’s office eventually redirected payments meant for the road contractor to a new account that belonged to the scammer. During this process, the scammer also impersonated a county employee, assuring the contractor, via a fake county email account, that the payments were being made, but they just hadn’t hit their bank account yet. By the time the scam was discovered, over a half-million dollars had been lost for good.
Out of office messages
Whether they are auto-reply emails or voicemail messages, your employees should be careful about what they share in their out-of-office messages. In some instances, what is good practice for your company is also good practice for your employees. They should avoid providing information like details about their vacation plans or stating that they will be out of town for a specific period of time. Not only will this tell a scammer how long the window of impersonation opportunity will be open, but it also lets criminals know when the best time frames are for burglarizing your employees’ homes.
There are some good rules to follow when setting up out-of-office messages. Email applications like Outlook can send one auto-reply to people within your organization and a separate, less-detailed version to anyone outside it. Messages to outsiders should include only the necessary details: that the person is unavailable and will get back to the caller or email sender as soon as possible. In email out-of-office messages, it is a good idea to omit the employee’s work phone number, which could prevent scammers from repeatedly calling to determine whether the person has returned. You may wish to create policies that address what may and may not be shared in an out-of-office message.
Social media posts
Whether social media posts are created by the company or by individual employees using their personal accounts, it is recommended that you establish policies regarding what is acceptable to post about the organization and what is not. Policy recommendations for social media usage include prohibiting the posting of company passwords, proprietary information, company account numbers, and any information that could identify vulnerabilities. Examples of such information include broken windows or unsecured entry points, details of technical security issues, information about employees having personal problems that may indicate they are vulnerable to being targeted, and derogatory comments about the organization.
Without a second thought, people routinely overshare on social media, providing information that can be used against them and others. Finding names, contact numbers, email addresses, and job titles of key organizational employees on companies’ public websites is not unusual. And, without having any way of knowing who will call or email, employees will proudly announce in their out-of-office messages that they are going to the Bahamas for two weeks. Unfortunately, all of these common behaviors and practices create vulnerabilities that are successfully exploited by social engineers. The best defense against these scammers is an educated workforce. This, along with a set of policies that employees are required to follow, can help prevent scams like the one in Texas from being successful.