Retail is a Choice Target for Social Engineering
by Brian Bullock | September 29, 2023
Dutch industrialist Jacob Cornelis van Marken coined the term “social engineering” in the 1890s to describe work intended to “improve what was amiss in the world.” Nearly 130 years later, the phrase means something completely different: it is the way cybercriminals manipulate people into handing over information, data and money from businesses and organizations of all sizes, and retail stores are among their prized targets.
Fortinet, a global leader in cybersecurity, says that because of the sheer amount of customer data retail businesses collect, stores have become the No. 1 target of cybercriminals. Data from Trend Micro, a leading provider of antivirus services, shows that 77% of retail organizations were hit by ransomware in 2021, an increase of 33% over the previous year.
Payment card data is the new currency, and retailers large and small hold it in abundance.
Cybersecurity is a popular topic, especially in October because it’s traditionally Cybersecurity Awareness Month and 2023 marks the 20th anniversary of its creation.
It’s hard to put all the blame on the COVID-19 pandemic for retail’s problem with cybersecurity. Certainly, it was an issue well before 2020. But when businesses were forced to close their brick-and-mortar stores, they had to find another way to make sales, and e-commerce launched like a rocket.
Web store sales and the subsequent increase in credit and payment card transactions enlarged every store’s digital footprint, and the bigger the digital footprint, the easier it is to stub a toe.
Social engineering is socially unacceptable
Today the term has a very different definition. Carnegie Mellon University defines social engineering as “the tactic of manipulating, influencing, or deceiving a victim to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
The perpetrators, by email, text or phone, impersonate someone the victim would trust, often a security provider or contractor, to gain access to the business network. Common techniques include:
Phishing – emails, texts, or phone calls attempting to obtain information such as computer usernames or passwords (by phone it is often called vishing, by text smishing).
Baiting – an attack in which a scammer uses a false promise, such as a free download, to get victims to open malicious attachments or visit fake websites.
Scareware – convincing victims that their computers or networks are already infected with malware so they will install a fake “fix” or call a fake support line, which gives the attacker access.
The 2023 Verizon Data Breach Investigations Report shows that pretexting, the invented-scenario attack behind most business email compromise, has nearly doubled since the previous year and now accounts for more than half of all social engineering incidents. Across all the breaches in the report:
- 74% involve a human element: someone falling for an email, text or phone call, making a mistake, or an attacker using stolen credentials.
- 83% involve external actors rather than insiders at the business being breached.
- 95% are financially motivated.
The National Cybersecurity Alliance suggests some simple behaviors that make it much harder to become a victim of social engineering, or any other kind of attack.
Use strong passwords and enlist a password manager. The NCA says passwords should be long, unique and complex: at least 12 characters, never reused across accounts (and not minor variations of one another), with a mix of upper- and lowercase letters, numbers and special characters. Note that the National Institute of Standards and Technology no longer recommends changing passwords on a schedule; its current guidance (SP 800-63B) is to change a password when there is evidence it has been compromised, and to check new passwords against lists of known-breached ones.
Password managers make this practical. They generate and store hundreds of unique passwords, fill them only on the site they were saved for (which helps against look-alike phishing sites), and many alert users when a stored password turns up in a known breach.
Turn on multifactor authentication. MFA adds a second check of a different kind to the password: something you have (a one-time code from an authenticator app, a push prompt, a hardware security key) or something you are (a fingerprint or face scan). A stolen password alone is then not enough to log in. A second password, a PIN or a security question (What is your hometown?) is a weaker choice, because it is still something you know and can be phished or looked up the same way.
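To make the “second factor of a different kind” concrete, here is an added example (not code from the NCA or from any product mentioned on this page) of how an authenticator-app code works and how a login that requires both factors behaves. It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, checks the result against the published RFC 6238 test vector, and rejects a replayed code. The user record, salt handling and login function are assumptions made for illustration; real servers store a random per-user salt and secret.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30-second steps)."""
    return hotp(secret, now // step, digits)


class User:
    """Hypothetical user record: salted password hash plus the authenticator-app secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted, to block code replay


def login(user: User, password: str, code: str, now: int, window: int = 1) -> bool:
    """Two factors: the password (something you know) AND a current code (something you have).

    Both checks use constant-time comparison. The code is accepted for the current
    30-second step and `window` steps either side to allow clock drift, but a step
    that has already been used is never accepted again.
    """
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
    if not hmac.compare_digest(expected, user.password_hash):
        return False
    counter = now // 30
    for drift in range(-window, window + 1):
        step = counter + drift
        if step > user.last_counter and hmac.compare_digest(hotp(user.totp_secret, step), code):
            user.last_counter = step
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test key; a real secret is ~20 random bytes shown to the app as base32.
    secret = b"12345678901234567890"
    cashier = User("correct horse battery staple", secret)
    print(totp(secret, 59))  # 287082 (the RFC vector, 8-digit form 94287082)
    print(login(cashier, "correct horse battery staple", totp(secret, 59), 59))  # True
    print(login(cashier, "correct horse battery staple", totp(secret, 59), 59))  # False: replay
    print(login(cashier, "stolen-guess", totp(secret, 120), 120))                # False: wrong password
```

The point of the replay check is the practical one: an attacker who phishes a victim’s current code has about a minute to use it, and only once. Hardware security keys (FIDO2) go further and bind the login to the real site’s origin, so a look-alike site cannot relay the response at all.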
Recognize and report phishing. Recognizing phishing is much like recognizing any other kind of fraud. Does the message smell funny? Does it:
- Come from an unfamiliar source?
- Have an offer that seems too good to be true?
- Ask for personal information?
- Stress urgency and ask for users to click on unfamiliar links or open attachments?
- Or just not look right? Misspellings, odd language, a sender address that doesn’t match the name on it, or a link whose real destination (hover over it) differs from its text.
If it does, do with it what you would do with any bad fish – trash it and/or report it. Most good IT managers have a way to report phishy emails.
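The checklist above can be turned into a screening script. The following is an added example, not code from the NCA or from any vendor on this page, that scores a message on the same signs: an unfamiliar or look-alike sender domain, a display name that claims a trusted brand, link text that points somewhere else, urgency, requests for credentials, too-good-to-be-true offers, and risky attachment types. The trusted domains, the two sample messages and the scoring thresholds are constructed for illustration; the reserved .example TLD is used so no real site is named.

```python
import os
import re
from urllib.parse import urlparse

# Domains the store actually does business with (constructed for this example).
TRUSTED_DOMAINS = {"hardware-hut.example", "posvendor.example"}

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|final notice|act now)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|passcode|credentials|login details|verify your account)\b", re.I)
TOO_GOOD = re.compile(r"\b(gift card|you have won|claim your prize|reward)\b", re.I)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".html", ".iso", ".lnk", ".zip"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as hardvvare-hut for hardware-hut."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(value: str) -> str:
    """Host part of an e-mail address or URL, lowercased."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip("<> ").lower()
    return (urlparse(value).hostname or "").lower()


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str):
    """Return the trusted domain an untrusted one imitates (edit distance <= 2 or embedded brand), else None."""
    registrable = ".".join(domain.split(".")[-2:])  # naive: last two labels
    for t in TRUSTED_DOMAINS:
        if levenshtein(registrable, t) <= 2 or t.split(".")[0] in domain:
            return t
    return None


def brand_in_display_name(name: str):
    """Trusted brand whose name appears in the display name, ignoring case, spaces and hyphens."""
    flat = re.sub(r"[^a-z0-9]", "", name.lower())
    return next((t for t in TRUSTED_DOMAINS if re.sub(r"[^a-z0-9]", "", t.split(".")[0]) in flat), None)


def score_message(msg: dict):
    """Return ('ok' | 'caution' | 'report', [reasons]) for one message dict."""
    reasons = []
    sender = domain_of(msg["from_addr"])
    if not is_trusted(sender):
        reasons.append(f"unfamiliar sender domain {sender}")
        if (t := lookalike_of(sender)):
            reasons.append(f"sender domain imitates {t}")
        if (t := brand_in_display_name(msg.get("from_name", ""))):
            reasons.append(f"display name claims {t} but mail came from {sender}")
    for shown, href in msg.get("links", []):
        target = domain_of(href)
        if shown.startswith("http") and domain_of(shown) != target:
            reasons.append(f"link text says {domain_of(shown)} but points to {target}")
        if not is_trusted(target) and (t := lookalike_of(target)):
            reasons.append(f"link domain {target} imitates {t}")
    text = msg["subject"] + "\n" + msg["body"]
    for pattern, why in ((URGENCY, "pressures you to act urgently"),
                         (CREDENTIALS, "asks for credentials or personal information"),
                         (TOO_GOOD, "offer that seems too good to be true")):
        if pattern.search(text):
            reasons.append(why)
    for name in msg.get("attachments", []):
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
    verdict = "report" if len(reasons) >= 3 else "caution" if reasons else "ok"
    return verdict, reasons


# Constructed sample messages, not real mail.
PHISH = {
    "from_name": "Hardware Hut IT Support",
    "from_addr": "helpdesk@hardware-hut-support.example",
    "subject": "URGENT: support ticket requires your login",
    "body": "We are responding to your help request. Confirm your remote support password "
            "immediately or your terminal will be suspended.",
    "links": [("https://portal.hardware-hut.example/login", "http://hardware-hut-login.verify-now.example/x")],
    "attachments": ["RemoteSupport.zip"],
}
LEGIT = {
    "from_name": "POS Vendor Managed Services",
    "from_addr": "support@posvendor.example",
    "subject": "Scheduled Windows update tonight",
    "body": "Reminder: the update is scheduled for 11 pm after close. No action is needed from you.",
    "links": [],
    "attachments": [],
}

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        verdict, reasons = score_message(msg)
        print(label, verdict, *reasons, sep="\n  ")
```

Heuristics like these are a screen, not a verdict: a real mail gateway layers them with SPF/DKIM/DMARC results and URL reputation, and the human rule still applies. Anything scored “caution” or “report” goes to the IT contact, not to the sender.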
Update software. Software companies update their products for several reasons, and one is to close the security holes attackers exploit. That is why it is important to install updates promptly, but only through the vendor’s own update mechanism or website. Pop-ups and emails telling you to “update now” are a favorite phishing lure, and the “update” they deliver can be malware.
Point of sale and retail management software providers often offer services to manage their products and make life easier for their customers.
Keeping systems patched is also a requirement of the PCI DSS, which every store that handles card data must follow, and it keeps the store operating safely.
“Windows updates are extremely important. If users don’t update their software regularly, they’re just making it easier for bad guys to get in there and do something,” says Brandon Hays, Managed Services Lead for Paladin Data Corporation, a leading provider of retail management software solutions. “That said, Windows Update is set to install automatically by default. That means it’s going to install whenever it wants to, and it requires a reboot to complete the installation.
“If a store is in the middle of ringing up a sale and there’s 10 people in line and the server decides to start a Windows update, that store goes down until the update is complete. That’s why we introduced Paladin Managed Updates™. We have a solution to control Windows updates in a way that it’s not interfering with business operations.”
Managed Updates™ is a product that verifies and tests software updates and either blocks them, if they can’t be verified, or schedules them for installation after business hours. This keeps update pop-ups and forced reboots from interrupting sales.
Low Tech Attacks, High Quality Response
Not every cyberattack requires a team of coders or loads of technical knowledge. Anyone with a phone, a little research, some knowledge of how a store’s support process normally works, and a little audacity can talk their way onto a business’s network.
Earlier this year, a hardware store received a call from a person claiming to be with the company that provides the store’s technical support. The caller said he was responding to a help request and asked for the store’s support credentials and password. Had the employee handed them over, the caller could have used the store’s remote monitoring and management (RMM) software to get onto its network, where he could have turned the business upside down.
Luckily for the store, the employee found it suspicious that a real support technician would need that information. Rather than trusting the caller, he phoned his store’s technology provider himself to ask whether any support request was open. There was none, and that one call saved the store a big headache that could have ended in lost data or worse.
“Most of our clients are small, independent business owners. They have just a few computer terminals. They don’t have enough resources for an IT department, which covers antivirus, backup solutions, and general network management. That’s where we can help. We’re the IT guys. Our Managed Services handles those chores for these businesses, plus we take care of their point-of-sale software and system,” Hays explains.
This story shows that a little skepticism about everything, from answering a phone call to responding to an email, is a good thing. It also shows that social engineering, as a category of cybercrime, is spreading like a virus.