Social engineering is the psychological method cybercriminals use to lure a person into sharing confidential information. As explained by Kaspersky, a cybersecurity solutions company, this is often done by infecting the victim’s computer with malware that grants the cybercriminal direct access to the person’s computer network. Social engineering attacks require the person contacted to open a file, click a link, or send information to the attacker.
What does social engineering look like?
Social engineering can appear in many forms. For example: the church secretary receives a phone call from someone requesting a church directory to help them remember someone’s name. The church directory contains photos, names, addresses, and phone numbers of church members. If the secretary assists with this request, he or she could be handing members’ personal information to a cybercriminal.
Often a cybercriminal will claim to represent an authoritative source in order to sound credible to their target. The following is an example of how that phone call may sound.
“Hi, this is Jackie from Microsoft support. I’m seeing that you were having network issues. We at Microsoft are ensuring our customers’ computers do not have issues. I see you are online, is that correct? Yes? Wonderful. I’m sending you a support link that will ensure your system is working properly. May I have your email address to send you this link?”
If the receiver clicks the link in the email, their computer becomes compromised.
The most effective attacks appear to be part of a user’s normal routine. For example, if the target is the church treasurer, the attack could be a forged (faked) email from the pastor stating, “Please add the attached information to the next financial committee meeting agenda.” What the receiver doesn’t know is that the attachment contains malware that compromises the treasurer’s computer.
Why are churches attacked?
Churches are prime targets because:
- they often lack security on their systems and training for employees and volunteers, making them more vulnerable to attacks, and
- they store valuable information in their systems.
Churches frequently store members’ names, addresses, phone numbers, email addresses, donation totals, and occasionally birth dates in an unencrypted system. Cybercriminals can use these details to pose as members when contacting other organizations, ask to reset “their” passwords, and then gain complete access to additional information and accounts. For cybercriminals, church databases can serve as a “shopping list” of people who have given money, allowing them to target the church’s high donors or use the compromised information for identity theft.
When a church is compromised, the attacker gains access to the church computers and network. The attack does not have to be sophisticated for a cybercriminal to record every keystroke, log the websites visited, capture audio and video, and read any other files stored on the network. This could give them access to bulletin information, board minutes, a pastor’s schedule and emails, and financial websites such as Adventist Giving, through which tithe and offerings are returned online.
How Can We Prevent This?
Protection starts with proper and adequate training of all computer and network users. Users must never click suspicious links or attachments. Churches need to develop and implement policies on when, how, and with whom church information can be shared. Additionally, having the appropriate security software installed will help prevent a malware infection. Many solutions are available in the industry.
Some additional prevention measures available are:
- Simply training users to verify a person’s identity, or the authenticity of a message, before following a link or opening an attachment is enough to block many basic attacks.
- Some vendors use two-factor authentication to verify user identity before allowing system access. This normally requires a phone application through which users confirm their login request before they can access the site.
- Asking vendors to whitelist your IP address, so that only computers at approved locations can log in, prevents your data from being accessed from unauthorized sources and/or locations.
- Having an IT security team audit your security is considered best practice.
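As an added illustration of the “verify before you click” advice above (example code written for this page, not from the article or from ARM), this Python check flags the two tells in the forged-pastor email described earlier: a familiar display name on an unfamiliar address, and a link whose visible text names one site while its href points to another. The church domain and contact list are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample data for this example (not from the article): the church's
# own mail domain and the addresses the secretary already knows for each sender.
CHURCH_DOMAIN = "example-church.org"
KNOWN_CONTACTS = {"pastor dave": "pastor@example-church.org"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname found in a URL or URL-looking string, lower-cased; '' if none."""
    m = re.search(r"(?:^|\s)(?:[a-z]+://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else ""


def check_message(display_name, from_addr, html_body):
    """Return the reasons this message should be verified out of band
    (a phone call to the real sender) before any link or attachment is opened."""
    reasons = []
    from_addr = from_addr.lower()
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and from_addr != expected:
        reasons.append(f"sender shows as '{display_name}' but address is {from_addr}")
    elif not from_addr.endswith("@" + CHURCH_DOMAIN):
        reasons.append(f"sender {from_addr} is outside {CHURCH_DOMAIN}")
    parser = LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and shown != real:
            reasons.append(f"link text shows {shown} but points to {real}")
        elif real and not real.endswith(CHURCH_DOMAIN):
            reasons.append(f"link goes to external site {real}")
    return reasons
```

An empty result does not prove a message is genuine; it only means the obvious tells are absent, so the policy of confirming unexpected requests by phone still applies.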
Ultimately, it is important to know that cybercriminals are opportunists who take advantage of poorly secured data. By taking the time and effort to understand common cyber threats and implementing simple security practices, you will reduce your risk of a successful social engineering attack.
For more on cybersecurity, download and read ARM’s guide on Cybersecurity.