Social engineering is defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. If you’ve received any of the common phishing emails supposedly from a bank or HMRC, you’ll know that social engineering is widespread. In fact, social engineering as a con has been around for many decades. The only difference now is that instead of somebody posing as a construction worker or cleaner, you’re more likely to be targeted online via email.
Social engineering affects everybody, but it is increasingly being used to target businesses, small and large alike. 2014 was the year that fraudsters turned their focus to corporates, and instances have increased year on year since. Your business is more and more likely to experience such attacks, and therefore your staff need to be well educated on how to avoid becoming a victim. Here are some essential bits of knowledge that your staff should possess:
It’s a serious threat that happens often to businesses
It is estimated that in 2016, 60% of enterprises in the USA were victims of social engineering attacks. Of these attacks, 60% led to compromised employee credentials. When you think that this is just a survey of big corporations that will have taken precautions and invested in staff training, you’ll see just how vulnerable smaller businesses are.
The first thing your staff need to know about social engineering is that it is a threat worth taking seriously. They should remain vigilant at all times, taking into account all of the points below.
It’s both digital and physical and comes in many forms
Although most people will be aware of the common “Nigerian prince” email scams, social engineering comes in many forms and continues to trick unsuspecting victims.
Spear phishing – The most common social engineering attacks are the classic phishing emails. With spear phishing, however, the attacker uses a more personal and genuine-seeming approach and targets specific employees. When the recipient responds, they are at risk of divulging information that can be used to further exploit the company.
Baiting – It’s tempting when you find a USB stick lying on the road to plug in the device and see what’s on it. But if that USB stick is loaded with malware and waiting for someone to do just that, you’re at risk of infecting the company systems.
Scareware – As the name implies, scareware is the practice of deceiving a computer user into believing that their system is infected and that downloading a new program will help. Unfortunately the file is of no benefit and quite often is malware itself.
Pretexting – Pretexting involves posing as an employee, such as a line manager, as a way to secure sensitive information or redirect payments to a fraudster’s bank account. As the victim thinks they know the sender and the human interaction seems more trustworthy, all sorts of detrimental things can happen as a result.
All social engineering attacks involve getting your staff to reveal sensitive information or login credentials, or to download a malicious file, either directly or via an infected website. Your staff should be familiar with the many forms social engineering can take and know how to spot malicious emails.
How you can spot and avoid a suspicious email
So what do you need your staff to look out for? And what should they do when a suspicious email is identified?
What to look out for:
1. Legitimate-looking emails from friends or colleagues can be very convincing – the only way to spot a compromised account is by paying close attention to the spelling, grammar and information included in the email. Does the sender communicate in the way that your colleague normally does?
2. Emails that present a problem that requires you to “verify” your information by clicking on the displayed link and providing information in their form. The link location may look very legitimate, with all the right logos and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for.
3. Criminals may pretend to be responding to your ’request for help’ from a company while also offering more help.
What to do when you are suspicious of an email:
1. Double check the sender is who they say they are. By clicking on the email header you’ll be able to see the true sender’s email address. Often a fraudster will mask a generic email with an official email address, trying to convince you their message is genuine.
2. Look for personally identifiable information. Although sophisticated attempts will do much research on you before getting in touch, many include only generic details. Institutions like your bank will now include your postcode, full name and other details about you to prove that their emails are genuine.
3. Most phishing emails will encourage the recipient to click on a link, download a file, or reveal sensitive information. It should go without saying that you take no action in response to the email, even if you are curious. First, your staff should verify the email is genuine.
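The sender check in step 1 can also be automated. The Python sketch below is an added example, not part of the original article: it compares the name a mail client displays with the address actually in the From header and with the Reply-To address. The organisation list, domains and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: organisations staff expect mail from, mapped to their real domains.
# Constructed values; replace with your own list.
EXPECTED_DOMAINS = {"example bank": {"examplebank.example"}}
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample messages (not real mail).
MASKED = (
    'From: "Example Bank accounts@examplebank.example" <billing4471@freemail.example>\n'
    "Reply-To: help@collect.example\n"
    "Subject: Please verify your account\n\nClick the link below.\n"
)
GENUINE = (
    'From: "Example Bank" <alerts@examplebank.example>\n'
    "Subject: Your statement is ready\n\nLog in as usual to view it.\n"
)

def domain_of(address):
    return address.rpartition("@")[2].lower()

def sender_warnings(raw_email):
    """Return the reasons, if any, that the sender headers look masked."""
    msg = message_from_string(raw_email)
    display, address = parseaddr(msg.get("From", ""))
    real_domain = domain_of(address)
    warnings = []
    # 1. The display name shows an address from a different domain.
    shown = ADDRESS_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != real_domain:
        warnings.append(f"name shows {shown.group(0)} but sender is {address}")
    # 2. The display name names a known organisation but the domain is not theirs.
    for org, domains in EXPECTED_DOMAINS.items():
        if org in display.lower() and real_domain not in domains:
            warnings.append(f"claims to be {org!r} but sent from {real_domain}")
    # 3. Replies would go to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != real_domain:
        warnings.append(f"replies go to {reply_to}, not {real_domain}")
    return warnings

if __name__ == "__main__":
    for label, raw in (("masked", MASKED), ("genuine", GENUINE)):
        print(label, sender_warnings(raw))
```

An empty result only means the display name is not masking a different address. The From header itself can be forged, so a message that passes still needs the other checks in this list.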
It can be very easy to research your employees
The rise of social media has meant it’s really easy for anybody to research you. Using only Facebook it’s easy to pinpoint your colleagues and friends, your hobbies, your daily routines and more. That’s pretty much everything that is needed to do a good job of impersonating you.
That said, it’s not Facebook that is the most effective tool when it comes to targeting businesses. LinkedIn is a treasure trove of middle managers, executives and employees and is therefore ripe for fraudsters to mine for information.
It is your responsibility to weigh up the risks and decide whether your employees should include their employment (such as the company they work for and their position) on their social media profiles. Your staff should be clear on this policy and follow it to the letter. On a related note, your staff should never use their work email to access personal accounts such as online shopping or social media websites. To reduce the risks associated with this, their work emails should remain strictly for business use.
Follow robust processes
A variety of social engineering strategies involving the interception and redirection of payments have increased over the past few years and arguably have the most obvious and significant impact.
Whether a fraudster poses as your boss or a member of the finance team, you need to have processes in place that effectively validate requests. If you send through instructions for payment or invoices via email, it’s a good idea for staff to confirm this via another communication channel, such as a phone call. If at the last minute you receive instruction from a supplier that their account details have changed, it should be common sense that this is confirmed with the supplier prior to making any payments.
Your staff should understand your processes for validating requests and follow these at all times. When invoices are received or requests for money transfers occur, your staff should always double check them, in line with what you have agreed.
If you have any queries regarding protecting yourself and your business from social engineering attacks, Mansys have a long history of supporting organisations of all sizes around their IT security. Get in touch and we’ll be happy to help.