In a world where we all try to be ever-vigilant of threats, it’s frustrating when small, innocuous things slip through our defenses.
Such is the case of a local restaurant in Indianapolis called Scotty’s Brewhouse that fell victim to a data breach. Over the last weekend, managers of the restaurant discovered that the personally identifiable information (PII) of their 4,000-strong workforce had been exposed.
In this case, it wasn’t an obviously malicious attack, it was as simple as an employee responding to an email. Keep reading to figure out what happened and learn how to deal with a social engineering data breach.
How Something Like this Happens: Social Engineering A Data Breach
Around the end of January, a payroll employee received an email they believed was from founder and CEO Scott Wise. In the email, “Scott” asked the employee to forward him the W-2 forms for everyone employed by Scotty’s Brewhouse. It turned out the email was not from the owner of the company, but a hacker using social engineering to gain access to confidential information.
We don’t know exactly how this hack happened, as specific details have not come out, but there are several factors that a social engineer can play on to convince an employee to take some sort of action. Below, we go into some hypothetical situations that could have led an employee to fall for a breach like this.
The first is taking advantage of timing and context. The Scotty’s breach was reported to the police on January 30th, the day before the federal deadline for employees to receive their W-2 forms. It’s likely the payroll team was wrapping up getting these W-2s out and settled, meaning that an email from the owner asking for W-2 info wouldn’t seem out of place.
Second, a social engineer can use a method called pretexting. On a basic level, pretexting involves pretending to be someone else (typically someone in authority) to gain access to confidential information.
As discussed here in our social engineering primer, one way to use pretexting to trick an individual into trusting a scammer enough to divulge secrets is to use an email address that is just a tiny bit off from a real email address. An employee is likely to see through a request asking for tax info from an email address like Scottyloveswings@yahoo.com as a scam. However, if the email address is very close, it’s not easy to catch.
For instance, the CEO’s address is email@example.com (easily found on the restaurant’s About page). Everyone knows this is his email. He may have a private one for business, but let’s say a scammer created a firstname.lastname@example.org email address.
Did you notice the difference right away? One letter left off the end of an email address is unlikely to be noticed by someone who deals with that email address or contact every day. If that payroll employee saw a request from the owner’s email address, it probably would have seemed like business as usual and not one the employee would ignore since it is from a figure of authority.
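The one-letter-off lookalike described above is mechanical enough to check for automatically. Below is an added example (not from the original post or from SmartFile) of a mail-triage rule that compares each sender against a small executive allow-list and separates a near-miss address from a plain display-name spoof; the executive name, domains and sample headers are constructed placeholders, since the post does not reproduce the real addresses.

```python
"""Triage inbound From: headers against a small executive allow-list."""
from email.utils import parseaddr

# Constructed allow-list standing in for the real addresses, which the post
# does not reproduce: normalised display name -> the one genuine mailbox.
EXECUTIVES = {"scott wise": "scott@example-brewhouse.com"}
TRUSTED_DOMAINS = {"example-brewhouse.com"}
MAX_DISTANCE = 2  # how many edits away from a real address still counts as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return one of: trusted, lookalike, display-name-spoof, external."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    name = " ".join(name.lower().split())
    domain = addr.rpartition("@")[2]
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A mailbox a letter or two off a real executive address: the case the
    # post describes, where the difference is easy to miss at a glance.
    if any(edit_distance(addr, real) <= MAX_DISTANCE for real in EXECUTIVES.values()):
        return "lookalike"
    # Right name, unrelated mailbox: the obvious "free webmail" variant.
    if name in EXECUTIVES:
        return "display-name-spoof"
    return "external"


# Constructed sample headers, one per outcome.
SAMPLE_HEADERS = [
    "Scott Wise <scott@example-brewhouse.com>",
    "Scott Wise <scott@example-brewhous.com>",   # last letter of the domain dropped
    "Scott Wise <Scottyloveswings@yahoo.com>",
    "Billing <invoices@vendor-example.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):20} {header}")
```

In practice the allow-list would be fed from the directory, and anything other than "trusted" or "external" would be routed for a second look rather than delivered as-is.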
How to Stop It From Happening Again
There’s no instant, magic solution that will stop employees from falling for social engineering attacks. In fact, even some of the highest departments in the land have been taken in by scammers.
Take the Department of Justice. Around this time last year, the DoJ gave up an access code to a social engineer pretending to be an employee. The social engineer had likely gotten access to an official email address through a phishing email, then called into the DoJ help desk pretending he couldn’t log in to the system. The help desk let him use their token code to gain access and the hacker was in. This resulted in the leaking of the personal information of 20,000 FBI agents.
Businesses small and large can take actions to help stop these attacks from happening again.
1. Train Employees
Employees can’t stop something they don’t know about. This is why it’s important to offer training to employees on the latest hacking and social engineering tactics. Even if it’s just a quarterly meeting filling staff in on phishing emails, typosquatting and social media phishing, your employees will be that much more prepared.
Training for phishing scams could have been especially helpful, since the IRS has been warning businesses about W-2 email phishing scams for the last few years.
If you need a resource, you can check out this informative article and infographic on 23 Social Engineering Attacks.
2. Create Policies
Find out what tools your employees are using to get their work done. Are they forwarding sensitive documents to their personal email addresses? Or using free WiFi in coffee shops? What about using an unsecured consumer-grade file sync-and-share account to keep W-2 forms?
These are tools employees may be using simply because they make it easier for employees to get their jobs done. They may not know any better. This is why you need clear guidelines and policies on where information can be stored and on what sorts of media or apps it can be stored on. Once these policies are in place, it puts the onus on the employees to know how to do better.
To see more about building policies, check out this article on Shadow IT. In fact, we’re building a new tool right now to help organizations curb Shadow IT and investigate potential data breaches. If you’d like to know when it’s released, please click here and fill out the form.
3. Insist on Using a Secure File Sharing Platform
We can’t know exactly which of the methods above could have stopped a data breach like the one at Scotty’s, since we don’t know all the details. However, one that may have had a chance against a social engineering attack would have been using a secure file sharing platform made for business.
If the hacker had requested that W-2s be turned into PDFs and sent through email while the company was using a file sharing platform, that could have been a red flag to the employee.
Why would the boss want them to send files through email (which is not as safe as everyone thinks) when they have a policy to only use the in-house file sharing platform? This may have been enough for the employee to reach out to someone and see if the request was a legitimate one.
It’s small changes like education, policy implementation and the right tools that can at least make it harder for hackers to gain access in the first place. The best time to start making these changes is right now.
Create a Smarter File Sharing Plan
Give your team a smarter and safer way to attach files to email with SmartFile. SmartFile can be used in Outlook, browsers, file explorers, FTP clients and on mobile devices. Files are encrypted, and your team can delete access links if a social engineering incident occurs. Plus, there are no file size limits!
Try SmartFile today for free, no credit card required: