Vishing refers to attempting to get personal information over the phone from an individual. Reuters

Typically, cybersecurity has solely been a technical problem for most companies, as they’ll generally bulk up their data protection standards or add other resources in order to protect themselves from cyberattacks. But what about the people behind their desks? In many cases, social engineering can turn out to be just as effective when it comes to getting confidential data from unwitting employees.

International Business Times spoke with Rachel Tobac to learn more about social engineering and trends like vishing, which refers to tricking individuals into revealing information over the phone similarly to phishing. Tobac, who is a senior community manager at Course Hero, also works as creative director at the nonprofit Women in Security and Privacy and was a winner at DEFCON's Social Engineering Capture The Flag competition in 2016 and 2017.

IBT: Technical cybersecurity practices have been a concern for many companies, but have they given equal focus to social engineering education?

Rachel Tobac: In terms of social engineering from a high level, companies think about that and have pretty good training about how to spot things like phishing attacks through email or through malicious links, but from my experience, I have not seen an overwhelming uptick in training on vishing attacks.

From my experience, you don’t need to go through email to compromise a company. If you can get somebody on the phone and have them type in a potentially malicious URL, that’s just as strong of a vector as going through email and I think that’s grossly overlooked. [Companies] have pretty good training for people who are client-facing — typically those in customer support or account managers — they are pretty well-trained on how to spot a vishing attack over the phone.

But when I’m looking for a target, I do not go for the people who are client-facing, I go for the people who are pretty well isolated within the company — the interns even — and it’s been pretty easy, sadly, to compromise a company through a vishing attack with that vector.

Right, those individual employees can be a vulnerability for a company.

Absolutely, if you can get information from one individual — just one compromised individual — you can figure out how to get onto the network easily, you can figure out what type of badge you would make to recreate to do an onsite pretext, you can figure out how to penetrate their network through their operating system and the machines and workstations that they use. The most malicious thing that you could do is to get that individual to go to a malicious link over the phone.


What areas should companies focus on when it comes to social engineering awareness and sound practices?

One of the most important things that I think is sometimes overlooked is having a robust social media policy at a company. When I am figuring out who I want to be my target doing [open-source intelligence] and using tools like Maltego, I can find a lot of information about companies just through what is posted on social media and tagged to those companies’ addresses on their Instagram.

Just this past year, I spent about 50 hours on Instagram, Twitter and Facebook and found every malicious flag that needed to be found in order to implement a malicious attack on a gaming company. And through my experience through DEFCON, I think making sure that people understand if somebody is going to authenticate with you on the phone through something that is available on social media, you need to think twice about that.

If you’re posting things about your pet, posting things about the location of your work, addresses, phone numbers, where you sit, who your co-workers are — if I’m calling and saying ‘hey, Gerald told me to talk to you’ and I can find from your Instagram that you and Gerald are best friends, you hang out, you get lunch every day at the sushi spot down the street — I can really easily authenticate as really knowing Gerald. But you should be able to think twice and think ‘Ok, I post about Gerald on social media, so I should not allow this person to authenticate with me through that, they need to authenticate with what they have, what they know in addition to these pieces they can find on social media.’

What’s one cybersecurity issue that businesses should be paying attention to?

Something that I think is really important that I don’t hear a lot about in the news is vishing. We hear a lot about phishing over email, clicking on malicious links and things of that nature, but I don’t hear a strong focus on avoiding vishing. In my experience, it’s been way easier to vish a company than it’s been to phish a company.

If we can have companies starting to think about telling their employees weekly, monthly, what not to answer over the phone, what to answer over the phone and, critically, vishing their employees to give them experience about what to say or not to say, to see if they can do it in a real high-stress environment, that’ll truly change the game for a company in allowing them to be more secure.