Today’s computer operating systems and software have more sophisticated built-in security than ever before. In most organizations, however, the people using these systems lack the knowledge to cope with the ever more sophisticated threats that target your valuable data. In fact, the majority of malware infections are now a direct result of social engineering ploys leveraged by hackers.
Social engineering involves manipulating employees in order to access company systems and private information. According to the IBM Security Services 2014 Cyber Security Intelligence Index report, 95 percent of breaches are caused by human error. For cybercriminals, it is the easiest method for obtaining access to a private company system.
Employee awareness of social engineering tactics is essential for protecting your firm’s data. Here is an overview of common scams to educate your staff.
Six Common Types of Social Engineering Scams
No. 1 – Phishing. This is the leading tactic leveraged by today’s hackers. Phishers strike primarily by email, but attacks can also arrive in the form of chat messages, website ads and website impersonations. Phishing works by creating a sense of urgency or fear to induce a response. Always be wary, and never reply to emails from senders that you don’t recognize. These emails often go directly to your spam folder, so be especially careful about releasing messages from your quarantine. One incorrectly identified phishing email is all it takes to infiltrate a business. McAfee conducted a quiz of 30,000 business users in 49 countries. Only 6 percent of the respondents correctly classified all of the emails as legitimate or phishing. Eighty percent of all employees fell for at least one phishing email. If you suspect a message is phishing, close it with Alt-F4 or the upper-right “X” rather than clicking “Cancel” or “Close.”
No. 2 – Baiting. Similar to phishing, baiters entice you to provide information or visit an infected website by offering something alluring in exchange. The bait might be digital content such as free music or software downloads. A common offline baiting technique is leaving a branded USB storage device in the workplace or a public area for an end user to find. Once the bait is taken, malicious software is delivered directly onto the victim’s computer.
No. 3 – Pretexting. Pretexting is when a hacker creates a false sense of trust with the victim by impersonating a co-worker or a figure of authority within the company. For example, a hacker may send an email or a chat message posing as the head of IT Support who needs private data in order to comply with a company audit (that isn’t real). Successful pretexting depends on how well the attacker establishes credibility. The attacker may have rate sheets for software they are “selling” and spend time researching your persona to look the part in order to earn your trust.
No. 4 – Quid Pro Quo. Quid pro quo (“something for something”) occurs when a hacker offers a service in exchange for private data. For example, an employee might receive a phone call from a hacker impersonating an IT specialist who offers assistance with a bogus computer problem. The criminal might walk the employee through temporarily disabling their antivirus software, allowing them to install a “fix” that is really malicious.
No. 5 – Vishing. Vishing is when a hacker elicits information or influences action via the telephone. As with phishing, the attacker’s goal is to gather valuable information that could compromise your firm’s data. The spoofer may forge their caller ID to pose as a legitimate business or colleague.
No. 6 – Tailgating. Tailgating is when an unauthorized person physically follows an employee to gain access to a restricted area. A common example is when the criminal asks an employee to hold the door or elevator, claiming they forgot their ID card. Or they may ask to “borrow” a laptop or phone for a few minutes, during which time the hacker installs malicious software or steals data.
Training employees is a critical component of your security plan. Employees need to be educated on how to spot malicious attacks, and on what to do if they are suspicious of an email or phone call they have received. The best security technology is only complete if your employees understand their role in safeguarding company data.

Dave Kinsey