Social Engineering Still Biggest Data-Security Threat, Attorney Writes

Share Article

While technical issues related to patches or security holes are grabbing recent headlines, most breaches happen when employees fall for simple con jobs, writes LeClairRyan tech attorney John P. Hutchins

John P. Hutchins

You may ask yourself, ‘Who would fall for this?’ But it works far more often than you might expect.

As companies strive for better data privacy and cyber security, they should keep in mind that social engineering—often in the form of simple con jobs—remains the biggest threat, cautions LeClairRyan attorney John P. Hutchins in a new post on the national law firm’s Law & Technology blog.

“There’s evidence to suggest that users are getting suckered by fake messages more and more every year,” writes Hutchins, co-leader of LeClairRyan’s Technology & Innovations practice team and a shareholder in its Atlanta office. According to Verizon’s 2016 Data Breach Investigation Report, in fact, 30% of phishing messages were opened by their intended targets, and about 12% of recipients then went on to click malicious attachments or links.

In the Dec. 5 post (“Despite Equifax Breach Causes, Social Engineering Still Biggest Threat to Data Security”), Hutchins notes that complex technical issues related to cyber security and data privacy have been the focus of recent high profile data breaches, citing the massive data breach revealed by Equifax this past September as an example. While early media reports largely focused on the company’s alleged failure to apply a patch to fix a security hole in open source software called Apache Struts, Hutchins writes, many experts are not so sure this actually caused the breach. “Most security breaches are not the result of sophisticated technical hacks,” he writes. “The fact is that social engineering is the top method of gaining access to corporate computer systems and the sensitive data they hold.”

In the post, Hutchins describes common ways in which employees can be tricked into divulging confidential information such as passwords or ID numbers. Employees might, for instance, double-click email attachments that contain malicious code, thereby giving attackers access to computer systems and valuable data. Or they could be suckered into interacting with unexpected pop-ups, fake apps or games that request profile information and/or include malware. Social engineers are creative, the attorney writes, and are continually coming up with new twists on old techniques such as phishing emails or fake texts (“SMiShing”).

However, Hutchins writes, data thieves are also perfectly willing to take low-tech approaches such as dumpster diving for documents that should have been shredded, or just visiting an office and pretending to be a vendor, a rep from building management/security, a new employee who needs help, or someone from another office in the company. To illustrate, Hutchins cites the example of a “lurker” standing in the hallway carrying stacked boxes. “As you approach, he appears to clumsily reach for his key-card,” Hutchins writes. “You swipe yours instead, kindly holding the door for him as he walks in with his boxes. A con job like this gives the innocent-looking lurker access to files, the network, or other sensitive information or infrastructure.”

Simple impersonation tends to work because it leverages the human tendency to trust others—especially if they display credentials such as uniforms, badges or ID cards. “But these markers of legitimacy can pretty easily be faked,” Hutchins writes.

His post also covers common phone scams such as the infamous CEO/manager scheme. Here, attackers gather publicly available info about the target company, the CEO and those managers and employees who may be authorized to handle cash transfers. “The schemers use this data to make a call to a target employee, impersonating the CEO, and coercing the employee into making an urgent and high-dollar cash transfer to a designated bank account,” Hutchins writes. “You may ask yourself, ‘Who would fall for this?’ But it works far more often than you might expect.”

In the post, he advises that almost all social engineering depends on attackers establishing familiarity or authority to build trust. Companies should watch out for strangers making liberal use of company lingo, or mouthing details that seem to verify their claimed identities but that, upon further investigation, fall apart, he writes. “Social engineers like to try to create a sense of urgency, so the victim will act faster than usual and make the mistake the attacker is banking on,” Hutchins notes in the post. “Most often, if the target will take a few seconds to think it through, he or she will get the feeling that something’s not quite right, and that instinct is usually correct. Or if the target will make that one extra call to verify, the scammer claiming to be from ‘building maintenance’ will suddenly disappear.”

In conclusion, Hutchins cautions that social engineering is still very much alive. “Your company is most likely to be hit by a debilitating data breach because your employee base isn’t well-enough-equipped to recognize social engineering when it happens,” he writes. “That leaves your company at serious risk, regardless of how up-to-date your technical systems are. Regular and high quality training is readily available, and it is absolutely essential.”

Launched earlier this year, LeClairRyan’s cross-office, cross-disciplinary Technology & Innovations team focuses on ramping up service for companies that sell or are heavily dependent upon technology. Members include attorneys with broad experience in tech-related issues associated with transactions, litigation, IP, communications, regulations/compliance, deal making and more.

The full blog post is available at

About LeClairRyan
As a trusted advisor, LeClairRyan provides business counsel and client representation in corporate law and litigation. In this role, the firm applies its knowledge, insight and skill to help clients achieve their business objectives while managing and minimizing their legal risks, difficulties and expenses. With offices from coast to coast, the firm represents a wide variety of clients nationwide. For more information about LeClairRyan, visit


Press Contacts: At Parness & Associates Public Relations, Bill Parness, (732) 290-0121, bparness(at)

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Bill Parness
Parness & Associates
+1 (732) 290-0121
Email >
Visit website