Everyone in modern society is constantly online, yet almost all are unaware of the enormous risks they take on a daily basis. With all the links, messages and emails you’ve interacted with, there’s a solid possibility that you’ve been a victim of a common cyber attack. In fact, the security firm Positive Technologies conducted a study, attempting 3,300 attacks on employees. 17% of these attacks were successful, and resulted in compromised information that would be detrimental to any company. In the following article, I will break down the range of social engineering attacks, and what you can do to be aware of them.
This is the most popular attack among social engineers, and it’s success lies on the ability to hoodwink a user online. The cause for phishing’s popularity is its effectiveness, because most victims wouldn’t even consider the possibility of it. All the emails you receive daily could contain a couple phishing emails. An attacker would begin by discovering a sensitivity in the software, and then creating a fraudulent link to send to many possible victims. If a victim uses the link and logs in his information, the hacker will have immediate access to this information, and can use it to steal money in multiple ways.
When you’re fishing in the ocean, you don’t have an exact victim in mind, you’re just hoping for any fish to bite. Spear fishing on the other hand, is a direct shot at a specific fish. The same way, spear phishing is a strike intended for a specific person or group. The hacker will do research on his victim before sending a modified email that will directly correlate to the victim’s recent activity. These attacks obviously have a far higher chance of success, as the victim would see the email as an expected normality and won’t suspect a thing.
Not all social engineering attacks happen online, as a significant amount of them also occur on the phone. With regards to telephone banking especially, this is a major risk for those who are uneducated. Fraudulent calls can include an attacker pretending to be a banker, asking for your information. This is similar to a quid pro quo, because the attacker is masquerading himself as someone with a positive intention.
Another effective form of fooling a possible victim is through pretexting. In this case, the attacker will build a relationship with the victim, and gain his trust. With this newfound connection, the attacker can convince the victim to delve out his information, again resulting in major money loss.
Now that you know the common social engineering attacks, the following example will manifest the damage it can cause. RSA SecurID, a cyber security company, fell prey to a massive phishing attack. Phishing emails sent to their employees, claiming to know another company’s recruitment plan. The emails had links attached, and when they were clicked a flash vulnerability gave the attacker access to the entire system. The company was forced to pay $66
million to repair the damages. If a cyber security company can be exposed like this, imagine what these attackers can do to any normal company. In my next article, I’ll explain the best ways to prevent social engineering.
Before getting into the large scale solutions, here are a few tips on how you can recognize attacks like these on your own. To begin, before clicking on a link you’re interested in, check the email address. Many hackers will change a letter or number of a popular address, so examine it carefully. Next, if an offer seems far too appealing, there’s a good reason to suspect it could be fraudulent, so do your research and assure it’s legitimate before you reveal your information. With regards to phone scammers, you should abstain from giving out your information during a phone call initiated by someone else. If you supposedly receive a call from your bank, hang up and call your bank yourself, as you’ll always be secure when you’re making the call.
Now that you know how to handle personal interactions with social engineering, the following steps are paramount with regards to keeping your company safe. Remember, these hackers have very destructive capabilities, so it would be foolish to dismiss this issue or take it lightly.
From the RSA SecurID example in the previous article, it’s clear that even the most secure companies can be fooled. Even more important than physical cyber barriers, is your employee’s experience and expertise. Social engineering’s focal point is to outwit it’s victims, like RSA’s employees, who’s failure to identify a couple phishing emails cost their company $66 Million. All your employees should be trained to deflect all types of social engineering before they’re hired. Remember to keep them on their heels, never trusting any email or call without clear verification that it’s reliable. Without a capable staff, social engineering can, and most likely will take advantage of their incompetence.
There are multiple ways to train your employees to be aware of social engineering. Companies like Madsec and KnowBe4 are accessible to expertly train your staff. Furthermore, they have devices that can test your employees with phishing emails, and other possible attacks. We strongly suggest you look into these companies if you feel that your staff isn’t ready to defend these attacks.
Cyber Essentials Certification
Cyber essentials is a government approved scheme to assist companies with their cybercrime issues. Not only does it significantly improve your cyber security, it also shows your customers that you’re an all around safe company to work with. Becoming Cyber Essentials Certified is extremely important for all companies that could become social engineering targets.
Spam filters can’t catch every phishing email, but they’ll minimize the amount you receive. It’s worth it to invest in a strong filter, as employees will have an easier job sifting through their emails.
There isn’t a more frightening thought than to realize that one wrong click, one fooled employee, can cause your company far upwards of $1000. Remember to keep that in mind at all times, and do everything in your power to be unequivocally positive that your staff is capable of keeping your company safe. If you believe there’s a doubt, it’s worth it to invest in top quality training for social engineering awareness.
Want Pro Network to help you Prevent these attacks from happening? Contact us in the form below.