If you work for a retail organization, chances are good that you’ve encountered a cyber attack. An alarming 75 percent of retailers have experienced at least one data breach, according to data from Thales, and 50 percent of those breaches happened within the past two years. These costly attacks not only expose sensitive data, but they also damage brand reputations and threaten consumer trust.
However, despite the onslaught of recent incidents, many retailers still aren’t doing enough to protect against common threats like social hacking. In fact, retail was ranked last in security efforts to defend against social engineering, according to a report from Security Scorecard.
Fortunately, by educating yourself and your team on what to expect and taking more proactive retail security measures, you can reduce your organization’s risk of becoming the next social hacking victim.
Popular social hacking techniques
It’s easy to assume your workforce would never fall for a social engineering scam, but as cybercriminals’ efforts become more sophisticated, even tech-savvy professionals have a difficult time identifying when they’re being deceived.
Here are three popular tactics stealthy social hackers could use to access your network and steal your data.
Phishing uses emails, text messages, chat programs, and other communication platforms to impersonate a trustworthy individual or organization. These messages often include fear tactics or convey a sense of urgency to drive victims to act quickly. For example, cybercriminals might send a mass email to all contacts within a particular email list and ask them to “verify” their login credentials.
Spear phishing is a more direct method of phishing that targets a specific individual or group with highly personalized correspondence that looks like it’s coming from a legitimate contact.
In most cases, hackers use phishing to gain login access to a system or network, but they could also use the opportunity to install malware by asking the recipient to click a link or download a file.
For example, sometime between May 2017 and March 2018, employees of The Hudson’s Bay Company, which owns Saks Fifth Avenue and Lord & Taylor, were targeted by a phishing email containing malware. Hackers used the malware to infiltrate the organization’s systems and compromise an estimated five million credit and debit cards, according to CNN Business.
While phishing usually relies on messages of urgency or danger to drive action, baiting entices victims by promising something valuable. In some cases, hackers send an email or message with a link to a downloadable file that seems like enticing content, such as a free giveaway or a funny video.
For example, in early 2018, Adidas became the subject of a baiting ploy targeting Whatsapp users. A spam message offered the recipient a free pair of shoes to celebrate the retailer’s anniversary. After they clicked a link and answered a few “qualifying questions,” users were redirected to a form that asked for their payment details.
A hacker could also drop a malware-loaded USB drive near your workstation, parking area, break room or some other conspicuous location and give it an intriguing label, such as “Employee salaries report.”
Pretexting usually exploits people’s kindness toward others or their desire to please authority figures. In these cases, hackers research individuals and businesses to gather information about specific activities and relationships that they can then use to build trust with their victim. The more personal information the hacker can obtain, the easier it is to deceive the recipient.
For example, a hacker might send an email that appears to come from an employee’s boss which hurriedly asks for login information to a critical system so that they can gather data before a meeting with a big client.
How to protect against social hacking
While there’s no surefire prevention method, there are two crucial steps that you should take to mitigate risk:
Educate your workforce
Telling users to stop sharing sensitive data via email and use caution when clicking links isn’t always enough—especially since employees may bend the rules if they’re in a hurry. It’s much more effective to share examples of security threats so that they know what to avoid. You could also conduct mock phishing drills to show employees how easily they could be targeted.
Additionally, because the retail industry faces higher levels of employee turnover, it’s critical that you regularly inform your workforce about common and emerging threats and how to report them.
Prioritize device security
In many cases, social hackers use malware to infect your network and gain access to valuable data; that’s why it’s essential that you invest in technologies with highly advanced retail security features. For example, HP Enterprise printers use whitelisting to ensure that only authorized HP firmware is loaded into their memory. Additionally, if one of these devices detects malware, it can shut down, reboot, and self-heal its BIOS code.
Because retailers collect and store massive amounts of consumer information, they’re a gold mine for cybercriminals—and as social hacking techniques become more sophisticated, the number of breaches is likely to increase. However, by understanding the risks, educating your team, and investing in secure tech, you can significantly reduce your chances of becoming the next victim.