Within any SME, there will usually be a clear structure of responsibility underpinning all business operations. Whether or not this is clearly defined through job titles, both insiders and outsiders know that someone in a directing or decision-making role has more authority than an intern.
It is precisely this sense of ranking and responsibility that cyber criminals are targeting with social engineering methods of attack such as the ‘Colonel Effect’. Simply put, this technique is employed by cyber criminals to exploit the authority of one employee within a business over a lower ranking employee, usually to gain access to information or monetary resources.
How does it work?
A common example of the Colonel Effect is when a phishing email is sent to an employee as if from the CEO. The email instructs the recipient to release information to a known supplier, or to transfer funds into an account. Playing on the fear and curiosity of lower ranking employees and often employing shock/urgency tactics, cyber criminals use the Colonel Effect to elicit immediate cooperation from the recipient without them seeking authorisation.
This method relies heavily on the targeted business having weak internal communication, so that the junior employee follows instructions unquestioningly. In other words, it is aspects of individuals’ behaviour, rather than technical oversights, that cyber attackers prey upon with this technique. Indeed, to get around the more sophisticated security software and systems being implemented by SMEs, hackers are increasingly gaining access to information by targeting a vulnerability inherent in every business – human error.
How can it be prevented?
As this is a method that targets people rather than vulnerabilities in networks or infrastructures, it is only by having effective internal procedures in place, to which there are no exceptions, that such attacks can be prevented. By implementing basic processes, such as double checking and requiring multiple signatures for transfer requests, the possibility of a Colonel Effect attack within your SME can be drastically reduced.
Internal communication is essential here – even a simple phone call to the authority figure who has supposedly sent the request, rather than a rushed email reply, provides an extra layer of vital protection.
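The procedural checks above can be backed by a simple technical one. The following is an added example, not code from the original article: it inspects an incoming message and flags the tell-tale signs of an email sent "as if from the CEO". The internal domain, the executive list and the sample message are all constructed for this illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the SME's own mail domain and the executives
# whose authority an attacker would try to borrow (display name -> real address).
INTERNAL_DOMAIN = "example-sme.co.uk"
EXECUTIVES = {"jane doe": "jane.doe@example-sme.co.uk"}
URGENCY_TERMS = ("urgent", "immediately", "transfer", "wire", "confidential")

def assess_message(raw: str) -> list[str]:
    """Return the reasons a message looks like an authority-spoofing request.

    An empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # 1. An executive's name on the From line, but not their real address.
    name = display.strip().lower()
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append(f"display name '{display}' is an executive but address is {addr}")
    # 2. The message did not come from the company's own domain.
    if domain and domain != INTERNAL_DOMAIN:
        reasons.append(f"sender domain {domain} is external")
    # 3. Replies would be diverted somewhere other than the apparent sender.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. Pressure language typical of a transfer request made under urgency.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = (msg.get("Subject") or "").lower()
    hits = [t for t in URGENCY_TERMS if t in text or t in subject]
    if len(hits) >= 2:
        reasons.append("urgency/transfer language: " + ", ".join(hits))
    return reasons

# Constructed sample: an external mailbox borrowing the CEO's name.
SAMPLE = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: jane.doe@example-mail.net
To: junior@example-sme.co.uk
Subject: Urgent - confidential transfer
Content-Type: text/plain

Please wire 12,000 to the supplier account below immediately. Do not discuss.
"""

if __name__ == "__main__":
    for reason in assess_message(SAMPLE):
        print("FLAG:", reason)
```

A flagged message is a prompt for the phone call described above, not a substitute for it.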
If you’re worried your business could be vulnerable to a social engineering cyber attack, get some tips and advice from our 12-step guide for SMEs.