When it comes to cyberattacks, companies of all sizes are only as strong as their weakest link. It takes just one employee clicking a malicious link, or acting on a convincing message, to hand an attacker a foothold in the firm’s network and everything it holds dear.
Social engineering is one of the most common, and most basic, attacker tactics. An employee who doesn’t recognize the hallmarks of a social engineering scam can easily expose themselves and their company to a great deal of risk, followed by a costly response and remediation process. Making sure employees have this insight and understanding is key to any cyber protection plan.
What is Social Engineering?
Social engineering is a particularly pernicious form of cyberattack and among the most common. Only partly reliant on technology, the attacker uses whatever intelligence they can find about you and your organization to persuade you to give up more information, money or access. You may not think you have any pertinent personal details floating around on the internet, but attackers can work with the smallest scrap of information. For example, they can check a company’s LinkedIn page for a low-level employee or recent hire, learn their name, title and manager, and then start sending that person seemingly authentic emails.
A phishing email might look official at first glance. It might appear to be from the billing department, asking you to fill something out, wire money for a client, or share details like Social Security numbers for administrative purposes. Often the criminals use a pretext, setting the stage as a recent acquaintance you met at a conference or during a sales call. These scams emphasize urgency, manipulating you into responding reflexively, and often invoke senior executives: a common example is an email purportedly from the CEO asking for an important favor that has to be handled right away.
Social engineering works so well because it starts with a nugget of truth. The sender references something specific that will grab your attention and make you inclined to overlook the warning signs.
Working from Home
Social engineering scams are not new and have been rising at an alarming rate for years. Since the outbreak of COVID-19, however, there has been an undeniable surge in attacks. People are more vulnerable not necessarily because of subpar cyber security in their home offices, but because of social distancing and isolation.
Now, with so many people working remotely, it is no longer as simple as a stroll down the hall to check whether a questionable email is real. Accounts payable employees are expediting payments for fraudulent invoices and overriding company controls because of the false sense of urgency. Fraudsters, meanwhile, are improving their methods all the time. If a company neglects to deploy a new security patch for its email filter, attackers will target that gap. They are much faster at creating new forms of attack than companies typically are at noticing, responding, and notifying their employees, which gives the scammers more time to lure in new targets.
Training and Communication
Training employees is the first line of defense against phishing, alongside technical controls such as a well-maintained email filter. There are many things employers can do to make sure they are taking the appropriate actions, such as:
Practice vigilance at all levels. Direct employees to check the actual sender address, not just the display name, whenever they get a suspicious or legitimate-looking email requesting sensitive information or a payment. It might show a known contact’s name, but does the address behind it actually follow the company’s or vendor’s email format, or is it a lookalike domain? Does the Reply-To field route the answer somewhere else? Discourage people from using their personal email for work so there’s less confusion about what a legitimate address looks like.
If an employee receives a suspicious email they should immediately report it to the IT department. Encourage people to screenshot or simply describe the email in question. Forwarding it around the office spreads the lure to more people, and an ordinary forward drops the original headers IT needs to investigate; if IT wants the message itself, it should be forwarded as an attachment or submitted through a reporting button.
Once made aware of a circulating email scam, alert all employees to be on the lookout for similar emails and provide instructions for what to do if they receive one: don’t click any links, open any attachments or reply, report it, mark it as spam, then delete it.
Share resources or hold webinars specifically to train employees on how to recognize and protect themselves from these threats. Send out simulated phishing emails so they know what to expect. What do these emails typically look like? What should you do if you’re unsure whether an email is part of a phishing scam? What should you NOT do?
Communicate with each other.
Making sure your employees have the tools to deal with social engineering attacks is crucial, and communication is a vital part of that. Have protocols in place to address cyber security, especially while employees are working remotely: for example, any request to wire money or change a vendor’s bank details is confirmed by phone on a number already on file, never on one supplied in the email. The human element is your biggest exposure. With proper training and education, you and your staff will have the best chance of avoiding these schemes.
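The address check recommended under Training and Communication, carried out in code as an added example. This is not part of the original post and not a Risk Strategies tool: the known domains, the lookalike heuristics, the urgency word list and both sample messages are constructed for the illustration. It parses a raw email with Python’s standard `email` module and reports the usual impersonation tells: a trusted-looking address written into the display name, a sender domain that imitates (or simply is not) a company or vendor domain, a Reply-To pointing elsewhere, and the urgency language the post describes.

```python
"""Header checks for the "does the address actually match the company or vendor
format?" step. Added example; domains and sample messages are constructed."""
import email
import re
from email.utils import parseaddr

# Domains the company and its vendors really send from (constructed for this example).
KNOWN_DOMAINS = ("example.com", "vendor-example.net")

# Digit-for-letter swaps seen in lookalike domains; "rn" for "m" and "vv" for "w"
# are handled separately because they are two characters wide.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|wire)\b", re.I)
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize(domain):
    """Undo the common character substitutions so a lookalike compares equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Plain Levenshtein distance; a value of 1 or 2 means a one- or two-typo domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known domain this one imitates, or None if it is genuine or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if (normalize(domain) == known
                or edit_distance(domain, known) <= 2
                # example-billing.net, secure-example.com, example.com-invoices.net ...
                or brand in normalize(domain).replace("-", ".").split(".")):
            return known
    return None


def body_text(msg):
    """Collect the text/plain content of a single-part or multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload(decode=True).decode("utf-8", "replace")
                     for part in msg.walk() if part.get_content_type() == "text/plain")


def inspect_message(raw):
    """Return human-readable findings for a raw RFC 822 message; [] means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. A trusted-looking address placed in the display name, which is all most
    #    mail clients show, while the real sender is somewhere else entirely.
    shown = ADDRESS.search(name)
    if shown and shown.group().rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name shows {shown.group()} but the sender is {addr}")

    # 2. Sender domain that imitates, or simply is not, a company/vendor domain.
    known = lookalike_of(from_domain)
    if known:
        findings.append(f"sender domain {from_domain} imitates {known}")
    elif from_domain not in KNOWN_DOMAINS:
        findings.append(f"sender domain {from_domain} is not a known company/vendor domain")

    # 3. Reply-To pointing away from the sender: the reply, and any wire details,
    #    go to the attacker even when the From address looked right.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"replies are routed to {reply}, not to the sender")

    # 4. The urgency cue the post describes, anywhere in subject or body.
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    words = sorted({w.lower() for w in URGENCY.findall(text)})
    if words:
        findings.append("urgency language: " + ", ".join(words))
    return findings


# Constructed sample messages: one impersonation attempt and one routine vendor email.
PHISH = """\
From: "John Smith <john.smith@example.com>" <j.smith@examp1e-billing.net>
Reply-To: accounts@mail-relay-example.org
To: payables@example.com
Subject: URGENT wire for client closing today

John, I need this wire sent immediately, the CEO is waiting on it.
"""

LEGIT = """\
From: Jane Doe <jane.doe@vendor-example.net>
To: payables@example.com
Subject: March invoice attached

Hi, the March invoice is attached as usual. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, inspect_message(raw) or ["nothing stood out"])
```

The lookalike test is deliberately loose (a two-character edit, a digit-for-letter swap, or the brand name reused as a label in an unrelated domain) because the cost of a false positive is a phone call to the vendor, while a miss is a fraudulent wire. Reply-To and display-name checks matter even when the sender domain is genuine, since a compromised real mailbox passes every domain check.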
Want to learn more?
Find me on LinkedIn, here.
Connect with the Risk Strategies Cyber Risk team at email@example.com.
Email me directly at firstname.lastname@example.org.