Protecting Your Business from Social Engineering
August 28, 2018
Dictionary.com defines social engineering in the context of information security as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. “ And, in order to protect against social engineering, your business first must understand the many types of attacks. Below are the most common.
When a cybercriminal entices the victim into taking some type of bait, either tangible (a malware-loaded USB stick) or intangible (pop-ups that lead to malicious websites), it is known as baiting.
Phishing, Spear Phishing & Vishing
Phishing involves email containing links to harmful or malicious websites often containing viruses. Hackers pose as a trusted business and send emails asking for private, sensitive information. The email recipient replies or clicks through to a fake website and enters account or billing information, for example, and now his or her credit card details are in the wrong hands.
Spear phishing is going after one key person, such as the HR manager, who can release employee records. The email appears to come from a company director, for example, and asks for W-2 records on all employees, which contain names, mailing addresses and social security numbers. Read more on data breaches and cybercrime in last week’s blog.
Vishing is the same as phishing except it’s done via phone (voice) instead of email.
Email Hacking & Contact Spamming
You know you’ve been hacked when cybercriminals hack directly into your email account and send messages to your contacts directly. There are usually pretty obvious clues to alert you to the fact that this isn’t really coming from your trusted contact, such as typos and broken English, but it’s not always obvious.
Pretexting is the use of interesting or enticing pretext (e.g. an email naming you the beneficiary of a will) to gain your interest and lure users in before tricking potential victims into providing something of value.
Quid Pro Quo
Translated from Latin to mean “something for something,” hackers play on victims’ psychology while asking for something but offering something in return. Common instances are emails stating that your computer’s been hacked, so the perpetrator poses as IT support and asks for your password so they can remote in and help you fix it.
What can your company do to counterattack?
There are two key components to a counterattack on social engineering: employee awareness and your IT department keeping things such as antivirus software current.
MANAGEMENT: Train All Personnel
Host regular seminars and drills just as you would for fire education and safety. Why? People are the weak link in this type of security scenario because they tend to act first and think later. Unlike a faulty door lock allowing a burglar access to your home, this form of attack relies solely upon the person receiving the email to take action. If the in-house resources aren’t available, hiring a third party to test and train staff will ultimately ensure that all employees are armed with the appropriate defense against the many forms of social engineering.
EMPLOYEES: Good Rules of Thumb
Slowing down is the first rule and using common sense is rule number two. After all, how likely is it that a Nigerian prince wants to send you money after first collecting your money? Change passwords often and use two-factor authentication. Never open attachments or click links in emails from untrusted sources. Look for the sender’s domain to match the company website (for example, firstname.lastname@example.org is legitimate while email@example.com is not) and note that it’s safer to type the URL directly into your web browser than it is to click on a link. Paying attention to these types of details can go a long way, as can listening to your gut! We usually know when something is “off” and this is the perfect time to tune into that sense.
IT DEPARTMENT: Install Antivirus Software
Antivirus software is an ally that works around the clock. Software such as Norton or Malwarebytes will automatically scan, quarantine and create reports, notifying users if there is a problem. Protect against viruses, worm, adware, spyware, Trojans, malware and ransomware in real time. Ensuring your operating system and email spam settings are both up to date can also go a long way.
Knowledge is power and hackers only have the power if we give it to them. Instead, keeping your staff well-informed of the dangers of social engineering and ensuring your IT department stays up-to-date on antivirus software will help counterattack the threats that every business is likely to encounter.