When it comes to cyberattacks, companies of all sizes are only as strong as their weakest link. All it takes is one employee to mistakenly click on a link, and instantly a hacker can gain access to the firm’s network and all they hold dear.
Social engineering is one of the most common, and basic, hacker tactics. If an employee doesn’t recognize the hallmarks of a social engineering scam, they can easily expose themselves and their company to a great deal of risk as well as a costly response and remediation process. Ensuring they have this required insight and understanding is key to any cyber protection plan.
Social engineering is a particularly pernicious form of cyberattack and among the most common. Only partly reliant on technology, the hacker or scammer uses whatever intelligence they can find about you and your organization to get you to give up more information. You may not think you have any pertinent personal details floating around on the internet, but hackers can work with the smallest scrap of information. For example, they could easily check a company’s LinkedIn page for a low-level employee, or recent hire, and start sending seemingly authentic communications via email.
A phishing email might look official at first glance. It might appear to be from the billing department, asking you to fill something out, wire money for a client, or share details like Social Security numbers for administrative purposes. Often, the criminals will use pre-text, setting the stage as a recent acquaintance you met at a recent conference, or during a sales call. These scams emphasize urgency in response, manipulating you into responding reflexively, and often cite higher up executives. Common phishing techniques include emails presumably from the CEO asking for an important favor, or the use of pretext, setting the stage as a recent acquaintance you made at a sales conference.
Social engineering works so well because it starts out with a nugget of truth. The sender references something specific that will grab your attention and make you inclined to overlook the warning signs.
With the continued surge in remote working from home, it’s not as simple as a stroll down the hall to determine the validity of a potential scam email. Accounts payable employees are expediting payments for fraudulent invoices, and overriding company controls due to the false sense of urgency. And fraudsters, meanwhile, are improving their methods all the time. If the company neglects to deploy a new security patch for their email filter, then the attackers will target that vulnerability. They are much faster at creating new forms of attacks then companies typically are about noticing, responding, and notifying their employees about it, giving the scammers more time to lure in new targets.
Training employees is the number one line of defense against phishing. There are a lot of things that employers can do to make sure they are taking the appropriate actions, such as:
Making sure your employees have the tools to deal with social engineering cyberattacks is crucial, and communication is a vital part of that. Have protocols in place to address cyber security especially as employees are working remotely. The human element is your biggest exposure. With the proper training and education, you and your staff will have the best chance at being able to avoid falling prey to these schemes.
Want to learn more?
Find me on LinkedIn, here.
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.