Your People are Being Hacked: How to Defend Against Social Engineering During WFH

BrandPost By Tanium
Oct 19, 2020

Fear. Uncertainty. Doubt. Cyber criminals are using these tools to target your people with sophisticated COVID-theme social engineering attacks. Jenny Radcliffe shows you how to defend them.

jenny plain copysmall
Credit: Tanium

“To make your organization more secure, the answer is, was, and always will be in people.”

Jenny Radcliffe is the Founder and Director of Human-Centered Security, a social-engineering-focused cybersecurity firm.

Radcliffe is known as “The People Hacker”. She is hired by organizations to target their staff members with social engineering, and to leverage psychology and emotions to find vulnerabilities in the human side of their operations.

When the pandemic struck, Radcliffe saw malicious actors take advantage of the chaos and leverage pandemic-themed social engineering within their campaigns.

Here’s what Radcliffe saw.

Criminals Take Advantage of the Chaos

Radcliffe knew that criminals would see COVID-19 in a different light than most people.

“What you have to understand about something as big as COVID-19, is that criminals are not looking at it the same way the rest of us are looking at it,” explained Radcliffe. “We look at it from a point of view of, ‘Will everyone be ok?’ But criminals are opportunists.”

She was right. As soon as the pandemic struck, and workers were sent home, she saw scammers and con artists rush to take advantage of the situation.

Criminals used every possible means of contact to reach their victims. Radcliffe saw a surge in phishing emails, spear phishing emails and smishing texts—all with new pandemic themes that used COVID-19 as a pretext to capture their victim’s attention.

“In COVID-19 they used the narrative of the pandemic—the narrative of fear—to really construct the story behind those approaches, whether they came over the phone, or in person, or whether they come over social media or email,” explained Radcliffe.

Criminals rapidly inserted themselves into the larger narrative of the crisis, and they leveraged the chaos of the moment to get people to take unsecured actions.

“Criminals use the fear, the uncertainty, and the doubt—or FUD as we call it in the business—to create this atmosphere of uncertainty in people’s heads,” said Radcliffe. “In that atmosphere it seems easier to click on a link. It seems like an easy way out, and something we can do to get rid of this state of cognitive disarray.”

The pandemic gave criminals the perfect playground to perform these tricks.

Their victims lived in a heightened emotional state. They were flooded with communications. They had been separated from their colleagues and security staff.

And Radcliffe watched the number of successful scams explode overnight.

Closing Today’s Human-Centered Vulnerabilities

While the initial chaos of the pandemic has calmed down, some things have not changed.

Workers are still at home.

They are still separated from their colleagues and security staff.

And they still don’t know how to fight back against the scammers targeting them.

For organizations looking to better defend their people against this ongoing wave of social engineering attacks, Radcliffe offers a few pieces of advice.

“Going forward the same solutions are true for the pandemic and working from home as they would have been beforehand, it’s just a little more elevated now,” explained Radcliffe. “To make your organization more secure—post, pre, and during this pandemic—the answer is, was, and always will be in people.”

Practically speaking, that means:

  • Educate Your Staff: Make sure they have been taught what a threat looks like. Common red flags include someone asking them for too much information, or talking about money, or trying to rush them into a decision.
  • Create Clear Lines of Reporting: Make sure your staff know who to speak to if they encounter a security problem—either they encounter a message that doesn’t look right, or they actually click a link or open an attachment that appears suspicious after-the-fact.
  • Remove the Fear of Blame: Make sure your staff knows that they won’t be blamed if there’s an issue—even if the source of the issues is traced back to an incorrect action they accidentally took.

To dive deeper into Radcliffe’s story, and to learn more about what happened when the world stayed home, explore