According to a 2018 Small Business Trends survey, 58% of all cybercrimes committed last year targeted small businesses, and most of these crimes came in the form of a “social engineering” attack. Social engineering is a mode of cybercrime that’s used to lure well-meaning individuals into breaking normal security procedures. These attacks appeal to their targets vanity, authority or greed to exploit and steal from their victims. Even a simple willingness to help can be used to extract sensitive data. An attacker might pose as a coworker with an urgent problem that requires otherwise off-limits network resources, for example.
These attacks can be devastatingly effective, and extremely difficult to defend against.
The key to shielding your network from this threat is consistent, ongoing awareness throughout your organization. To nip one of these scams in the bud, every member of your team must remain alert to these five telltale tactics criminals use to get into your head, and steal your data:
- Clickbait. A particularly popular approach is to capitalize on the innately human desire to crane one’s neck to see an accident on the side of the road. What if you came across a video link to view an ugly accident, or a three-headed baby? You just might be tempted to click, especially because many legitimate articles and other pieces of content use similarly eye-catching headlines to get people to look at their stuff. Cybercriminals get this, and they exploit it. So, beware of links to overly graphic terrorist attack images, natural disasters, and other tragedies.
- Phishing. Phishing employs a fake e-mail, chat or website that appears legit. It may convey a message from a bank or other well-known entity asking to “verify” login information. Another ploy is a hacker conveying a well-disguised message claiming you are the “winner” of some prize, along with a request for banking information. Others even appear to be a plea from some charity following a natural disaster. And, unfortunately for the naive, these schemes can be insidiously effective.
- Pretexting. Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.
More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.
Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
- Watering hole attacks. One of the things cybercriminals do best is collect information about their targets. Browsing habits tell a lot about a person, which is why that ad for wreath hangers keeps popping up in your Facebook feed. Cybercriminals use this information the go after the sites most visited by their target group. Once they discover a particular website is popular with their targets, they infect the site itself with malware.
- Tailgating. Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area.
In a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens their door, the attacker asks that the employee hold the door, thereby gaining access off of someone who is authorized to enter the company.
Tailgating does not work in all corporate settings, such as in larger companies where all persons entering a building are required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk.
- Ransomware. Ransomware is nasty business. It’s also social engineering at its finest/worst. Ransomware is a type of malware that holds your files or part of your system ransom. In order to return access, you have to pay cybercriminals. People who want their precious data back might pay up right away. But for those who need additional scare tactics, criminals have come up with law enforcement scams that make it appear as though the U.S. Department of Justice or FBI Cybercrime division are contacting you to claim that you’ve done something illegal.
- Quid Pro Quo. Here a con artist may offer to swap some nifty little goody for information… It could be a t-shirt, or access to an online game or service in exchange for login credentials. Or it could be a researcher asking for your password as part of an experiment with a $100 reward for completion. If it seems fishy, or just a little too good to be true, proceed with extreme caution, or just exit out.
One of the most common types of quid pro quo attacks involve fraudsters who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters will promise a quick fix in exchange for the employee disabling their AV program and for installing malware on their computers that assumes the guise of software updates.
So what steps can you take to prevent these psychological attacks? Here are a few methods to start with:
- Equip yourself with antivirus, anti-malware, and anti-exploit security programs. These can fight off malware attacks from a technical standpoint.
- Anonymize your data by using the privacy features of your browser. It’s also a good idea to clear cookies every once in a while.
- Lock down privacy settings on social media accounts. Make sure you’re making information available only to those you wish to have it.
- Use the right software and hardware systems. If you just use your computer to surf the web, you probably don’t need a powerful processor or the Adobe suite. Consider this: the more applications and programs you install on your machine, the more sources of trouble you have built into your system.
- Have a company security policy in place and back it up with good awareness training. Give employees clear guidelines on the appropriate response to a particular situation, such as those 7 nasty demons described above.
- Take personal ownership of your IT security; remember your personal data might be as much at risk as company business.Treat company data with the same care you would of your own assets.
- Finally, and most importantly, use common sense. A healthy dose of skepticism goes a long way. Verify information. Contact the claimed source. Make sure you have professional IT support to protect your systems, provide training and guidance, and keep you up-to-date with the latest cyber security protection tools and tactics.
This downloadable cheat sheet identifies THE Red Flags you need to be on the lookout for in EVERY email you receive. Get yours now.