- July 5, 2020
- Posted by: Dylan Baklor
- Category: Blog, Featured
During this global pandemic, a majority of businesses that are continuing operations are doing so remotely. These companies are sending employees home and allowing them to connect to remote servers, use personal home networks, and sometimes even personal devices to complete projects. At first glance this is a great way to continue operations, but there are many moving parts to consider in a work-from-home scenario. What if cyber criminals could send an email so convincing that an employee would open an attachment that leaks company secrets? On a home network there are fewer security measures than in the office: no security team, no expensive managed firewall, just an off-the-shelf router and modem. Think it's science fiction? I'm going to tell you the steps involved, and follow up with how to protect yourself and your company!
I don't want to get too technical, but yes, this is a completely real threat. A tool called the "Social Engineering Toolkit" is free and available to anyone with a Linux operating system. It automates much of the procedure for generating a malicious email, and it works like this:
First, fire up the software. A number of selections then appear in a command line interface (letters on a blank screen). Select, with a single keystroke, the attack you'd like and follow the on-screen instructions. Let's say we select a delivery method of an innocent-looking Adobe PDF document titled "Employee of the Month Bonus Information". This file would really install a listener on the victim's computer that sends keystrokes and information back to the attacker.
Would you click the link? Maybe? What if your company was Acme Inc. and the email address was from "HR@acnɿeinc.com" instead of "HR@acmeinc.com"? You can see how close that is; this is a very real tactic. I've used it to collect information when simulating an attacker in a practice drill for companies.
What can be done to prevent this simple threat from becoming a reality? In short, training is king. There is simply no substitute for an internal training program that informs employees about the real-world tactics used by a particular breed of hacker: the Social Engineer. They are otherwise known as Human Hackers; there are entire annual conferences, books, podcasts, and forums on this topic. Social-Engineer, led by Christopher Hadnagy, and KnowBe4, led by "The World's Most Famous Hacker" Kevin Mitnick, are two such Social Engineering education companies. You can hire them to test your employees by sending realistic social engineering emails to see who clicks. They then offer training to any team members who click the simulated links, to make your entire team security aware.
What is the takeaway? Security is not an afterthought that can be bolted on after the fact. Every member of a business is part of the security team; that concept is extremely important. Hacking tools can be incredibly easy to use with some practice and creativity. Security training is the best, and the cheapest, solution! If you embrace that fact and train your team to look for things like incorrect email domains (HR@acnɿeinc.com instead of HR@acmeinc.com), suspicious tasks (like purchasing gift cards for the business), and inconsistent internal language, you will be a step ahead of cyber criminals. Beyond empowering your people, you can also take proactive measures like security risk assessments, where trained Ethical Hackers look for security gaps to patch. This is a lot like a fire drill: if you test your environment with a break-in attempt, you can find any weak points.
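Eyeballing "acnɿeinc.com" against "acmeinc.com" is exactly the kind of check that can be automated on the mail gateway so people are not the only line of defence. The script below is an added example written for this post, not a tool from the author or from any vendor named above. It assumes a hand-picked allowlist of trusted domains (`TRUSTED_DOMAINS`) and a small hand-picked table of look-alike characters; a production filter would use the full Unicode confusables data. It reduces each sender domain to a "skeleton" (look-alike letters and letter pairs replaced by the ASCII letter they imitate), then compares that skeleton against the trusted domains to flag homoglyph lookalikes, near-miss typosquats, and trusted names embedded as a subdomain of a foreign domain.

```python
"""Flag sender domains that merely look like a trusted domain (added defensive example)."""
import re
import unicodedata

# Domains this organisation legitimately sends mail from (constructed sample allowlist).
TRUSTED_DOMAINS = {"acmeinc.com"}

# Letter pairs that read as a single letter at a glance. "nɿ" (n + reversed r) is the
# trick used in the post's HR@acnɿeinc.com example; "rn" -> "m" is the classic ASCII one.
PAIR_CONFUSABLES = {"nɿ": "m", "rn": "m", "vv": "w", "cl": "d"}

# Single characters (Cyrillic, IPA, digits) that imitate ASCII letters. Hand-picked
# assumption for this example; the Unicode confusables list is far longer.
CHAR_CONFUSABLES = {
    "ɿ": "r", "ı": "i", "ӏ": "l", "а": "a", "е": "e", "о": "o", "с": "c",
    "р": "p", "ѕ": "s", "х": "x", "у": "y", "0": "o", "1": "l", "3": "e",
}


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually identical domains compare equal."""
    d = domain.lower()
    for seq, repl in PAIR_CONFUSABLES.items():
        d = d.replace(seq, repl)
    d = "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in d)
    # NFKD splits accented letters into base letter + combining mark; drop the marks.
    d = unicodedata.normalize("NFKD", d)
    return "".join(ch for ch in d if not unicodedata.combining(ch))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as acme-inc.com or acmeinc.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare 'user@domain'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'near-match' or 'external' for one sender."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        # Trusted name used as a subdomain of someone else's domain.
        if domain.startswith(t + "."):
            return "lookalike"
        # Renders the same as a trusted domain but is a different string.
        if sk == skeleton(t):
            return "lookalike"
        # One or two edits away: typosquat or hyphenated variant.
        if levenshtein(sk, skeleton(t)) <= 2:
            return "near-match"
    return "external"


def scan_from_headers(lines):
    """Classify every 'From:' header in a list of header lines -> [(domain, verdict)]."""
    results = []
    for line in lines:
        if line.lower().startswith("from:"):
            addr = line.split(":", 1)[1].strip()
            results.append((sender_domain(addr), classify_sender(addr)))
    return results


# Constructed sample headers, not taken from any real mailbox.
SAMPLE_HEADERS = [
    "From: HR <HR@acmeinc.com>",
    "From: HR <HR@acnɿeinc.com>",
    "From: Payroll <payroll@acme-inc.com>",
    "From: HR <hr@acmeinc.com.example.net>",
    "From: Vendor <billing@example.org>",
]

if __name__ == "__main__":
    for domain, verdict in scan_from_headers(SAMPLE_HEADERS):
        print(f"{verdict:10s} {domain}")
```

A gateway rule would typically quarantine or banner "lookalike" and "near-match" results rather than block them outright, since hyphenated partner domains do exist; the point is that the distinction the post asks employees to spot by eye is also cheap to compute.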
Please reach out if you have any questions about this topic; we love to educate and empower companies and individuals. If you need security services, we specialize in exactly this kind of risk and would genuinely like to help!
-Dylan “The Magician” Baklor