To social engineering scammers, stealing data is much like shooting fish in a barrel. With a bit of preparation, however, your data needn’t be up for sport.
While technological advancements have helped to safeguard organisations against many cyber-threats, there remains one constant target for fraudsters: people. Yes, as much as we’d love to believe that they aren’t the weak link in the security chain, employees pose a sizeable security risk – made all the more devastating by the rise in social engineering scams.
Factor in the recent rise in remote working, and many employees find themselves even further from the protective guardianship of the IT department, putting them at great risk. Hackers are, of course, aware of this new advantage – and they’re willing to make use of it.
Phish in a Barrel
In 2019, phishing scams accounted for up to 90% of data breaches, and given what we know about our changing work habits and the aforementioned vulnerability found in employees, we can expect this trend to continue.
With that in mind, it makes perfect sense for organisations to get better acquainted with the various types of social engineering scams – primarily phishing. After all, preparation is everything.
Let’s start with some of the most common phishing scams:
Ever received an email that didn’t seem quite right, littered with errors, low-res images, or a suspicious looking sender email address? Chances are that this was an email phishing attempt.
Email phishing – otherwise known as barrel phishing, because it’s so easy to do – is where a scammer creates emails that (often poorly) mimic a real company and sends these bogus emails out en masse. The aim of this game is to exploit the recipients’ trust in well-known brands and organisations, encouraging them to click malicious links because they couldn’t imagine any harm.
This is often a numbers game; hackers will send out thousands of emails, casting a wide net in an effort to catch the most prey.
If email phishing is a wide net cast at random, spear phishing is the experienced fisherman who bides his time by the river to hook a more valuable target. The bait? An imitation of a trusted source within the target’s organisation. After all, employees are less likely to question an order from above versus a random email.
The spear phisher’s medium of choice is usually email, but some fraudsters have been known to work over the phone, taking advantage of deepfake voice technology in order to trick their targets. While standard phishing emails often have tell-tale signs, a targeted spear phishing attempt is usually very well researched and appears totally legitimate, so it’s often very hard to discern from the real deal, and that’s why they’re so dangerous.
The practice of whaling goes after a corporation’s biggest fish – often board members or CEOs. Like spear phishing, whaling attempts are often highly researched, but the pay-off can be even bigger.
The fraudster’s goal here is to trick a senior executive into initiating a wire transfer of substantial corporate funds – and when dealing with a high powered and experienced individual, it’s a tricky feat to pull off. They do this by including personal information about the target organisation or individual, by flawlessly using business language and tone, and by conveying a sense of urgency to make the victim comply. As you can imagine, financial institutions are usually the biggest target here.
Recently, social media has become a new attack vector for cyber criminals. Angler Phishing is the practice of masquerading as a customer service account on social media in order to reach and defraud a dissatisfied consumer.
By posing as a trusted source, scammers can encourage victims to click malicious links or surrender personal information. This type of phishing is most common on Twitter, where some brands’ customer service accounts deal with hundreds of direct messages and tweets a day. It’s easy for a dissatisfied customer to slip through the net, and that’s when angler phishers swoop in.
Plenty More Phish in the Sea
Although the above forms of phishing are the most well-known social engineering scams, they’re not the only threats in the sea.
Here are a few other worrying social engineering tactics:
- Smishing – bogus text messages are used to gain access to a mobile device, compromising two factor authentication and securing access to other accounts and devices.
- Baiting – enticing victims into accidentally compromising their security using a coveted prize as “bait,” such as fake giveaway prizes or complimentary devices (that have been infected with malware.)
- Quid Pro Quo Attacks – this method takes its name from the Latin term meaning “something for something” and relies on a victim’s sense of reciprocity. Hackers offer their targets something they might want, in exchange for access to their company’s data. This is the precursor to insider threat.
- Tailgating – crossing out of the digital world into reality, tailgating involves an attacker masquerading as an employee, physically following a target into a restricted area in an attempt to access sensitive data.
- Scareware – malicious software that poses as a security alert warning that the user’s account has already been compromised, directing them to a nefarious website in order to “fix the issue.”
- Pharming – redirecting users to a fake landing page that mimics the appearance of a legitimate website. Phishing emails can lead you here, but it can even occur even when you click an authentic link, or type in the site URL yourself, because the website’s domain name system has been hijacked by a hacker.
- Water-holing – a watering hole attack revolves around infecting websites that a target group is known to frequent, gaining access to their sensitive data by compromising a site that they trust.
Protecting Against Social Engineering
That was a lot to take in, right? Recovering from a social engineering attack, however, will take much more from yourself and the organisation, so it’s best to mitigate the threat early on. This isn’t, however, a case of one-solution-fits-all; a multi-layered approach tailored to your organisation’s needs, challenges, and people is a must.
First and foremost, is the need to develop a positive security culture, where staff feel comfortable recognising and reporting phishing scams (even one they’ve fallen victim to), so the threat can be contained as soon as possible. Start by training staff to be suspicious of unsolicited emails from unknown sources, to question the validity of unusual requests, and to recognise the tell-tale markers of a phishing email. Running regular simulated phishing attacks will show you how susceptible your team members are and provide opportunities for further training.
Robust security solutions also have their part to play in this. Staff cannot fall for social engineering scams that they don’t see, so ensure your Junk Email settings are set to keep most of the scammers at bay. The full force of cyber security measures should be implemented here, from firewalls to antivirus and anti-malware solutions, penetration testing, regular patching, and of course, access management policies.
While it’s unpleasant stuff to think that your own employees could fall hook, line, and sinker for a phishing scam, posing as a direct threat to your business, the last thing you want to do is remain in the dark. Educate your team before they accidentally take the bait, make sure your IT team are equipped for anything, and protect your systems with the latest security technology. From there, it’ll be smooth sailing.
If you’d like to know how we use the latest tech to save companies from floundering, contact a member of our dedicated team.