Online criminal activity is sadly now a daily occurrence with spikes seen around holidays and other special occasions like Valentine's Day. Social engineering attacks use psychological manipulation to deceive people to the point of forfeiting sensitive information. They exploit the weaknesses inherent in each of us, like fear, hope, love and greed, and can often be simple yet devastatingly costly for businesses.
In this post, we’ll look at 10 steps your business can take to avoid falling victim to common social engineering attacks like phishing, pretexting and baiting. Some of these may sound like basic protections, and others will sound like far-fetched scenarios. But when it comes to protecting your company’s sensitive information, you can never be too careful.
1. Get Proactive Against Phishing
Phishing scams are among the most common types of social engineering attacks today, and their goal is simple: obtain and exploit personal information. To many of us, they’re easy to spot. But their relentless frequency and ever-changing techniques make them potentially dangerous, even to well-versed employees.
In fact, Australian companies suffered just short of 50,000 phishing attacks in 2017, with one incident even costing a single company $500,000.
In their most basic form, phishing scams are disguised as official correspondence emails or text messages requesting sensitive personal information. Dressing these emails with the branding and style of your bank, telecommunications provider and even the Australian Tax Office can catch you unawares - but if in doubt, call customer support or log in directly to their website. Banking providers like CommBank provide a live anthology of phishing scams doing the rounds, and allow you to report hoaxes.
Security assessments and employee education programs are effective ways to protect your business from phishing scams.
2. Recognise Pretext Attacks
Sometimes cyber criminals need just one more piece of information in order to successfully break into a system, and pretexting is a common method for gaining that information. Scammers often try to build a false sense of trust with their targets in order to get the information they need. For example, they might pose as representatives from modelling agencies in order to obtain pictures, or in extreme cases, posing as external IT auditors to allow security staff to grant them entry to a building.
3. Resist Baiting Techniques
If you’ve ever encountered a request for your login credentials in exchange for a download, you’ve seen baiting in action. Be highly cautious with requests for surrendering credentials. These types of social engineering attacks have been used to spread viruses and break into corporate data systems.
4. Don’t Open Emails from Untrusted Sources
Scammers sometimes use contact lists to send phishing emails from sources recognised by the receiver. For instance, you may receive an email that appears to be from an old university friend, using their name as the sender contact.
5. Recognise Scareware Techniques
Scareware is a social engineering attack that plays on fear. For example, pop up messages alerting internet users that their device has been infected with malicious software or is prone to a virus can prompt people to download harmful programs.
6. Use Next-Gen Antivirus Software
Every business should invest in antivirus software to protect against social engineering attacks. However, traditional antivirus (AV) software may not be enough to protect against today’s more sophisticated techniques. Next-generation antivirus (NGAV) software can deliver superior endpoint protection against a broader spectrum of attacks.
7. Remember That Curiosity Killed the Cat
It’s human nature to be curious, which is why social engineering attacks often exploit this curiosity instinct. In fact, one Google study demonstrated this urge in frightening clarity. Researchers from Google and the University of Illinois scattered 297 USB sticks around the university campus, in order to test how many would be plugged into computers when found.
The result? A whopping 48% of people who found the mysterious USB sticks plugged them into their personal devices.
Removable media like USBs, digital cameras and portable hard-drives can each transfer contaminants to your network.
8. Learn About Tailgating
Tailgating or “piggybacking” involves someone without proper authentication following a staff member into a restricted area. Sometimes, tailgaters pose as delivery personnel or hold the door open for employees before slipping inside. It can be difficult for tailgaters to get into the buildings of large corporations, which often require card entry for each employee. Mid-size businesses are generally easier targets for these types of social engineering attacks.
9. Beware the Quid Pro Quo
The most common quid pro quo fraudsters pretend to be IT service people ready to help you in exchange for disabling your antivirus program and installing malware on your computer. Sometimes this exchange is sold to victims as a software update. Be careful about who you’re dealing with, and don’t be afraid to demand credentials.
10. Use Threaded Email Conversations
Open and easy-to-view conversations make it easier to detect phishing scams in a corporate situation. Encourage employees to use threaded conversations to help identify messages that are phishing scams posing as legitimate emails. Employees should feel free to report anything that looks suspicious.
Bonus tip: Security Awareness Training
Security Awareness Training educates your employees about the types of attacks to look out for, password security, and what to do in the event of a breach. The training can be preceded by a simulated phishing attack, or a password audit, to show employees how easy it is to fall victim to an attack. Security Awareness Training and simulated attacks should be carried out yearly at a minimum.
These eleven steps will help to keep your organisation free from social engineering attacks. It’s important to remember, however, that new kinds of attacks appear on a relentless basis. For more information about assessing, improving and managing your IT, or about Security Awareness Training; reach out to us at The Missing Link.
