What is social engineering and how can it be avoided?
Phishing attacks are a menace to businesses in 2021. More specifically, social engineering tactics have played a large role in driving the number of successful phishing campaigns through the roof. While you will be familiar with phishing campaigns by now, what exactly is social engineering?
Social engineering is really about deception. Cyber criminals will do their research about you and your business, in order to understand your company’s hierarchy. This could be done through a company website, the LinkedIn pages of staff or other social media channels. This gives the cyber criminals the critical information they need to get the most out of breaching a business.
For example, cyber criminal groups will often target the executive team of a business with an excessive number of intricate phishing campaigns. The idea is that if they can successfully take over the account credentials of an employee in a more senior position, they can then begin to use social engineering to their benefit.
The authority of the senior employee can be exploited through email and text communication. In recent cases Neuways has seen, cyber criminals have ordered staff to purchase thousands of pounds worth of vouchers that have then been handed over to the criminals – putting the business, and sometimes even the individual employee, out of pocket.
It is believed that new starters are even more likely to be targeted. Cyber criminals find new starters at a business via their updated LinkedIn profiles. These new starters will receive spoofed emails, which lead to incidents like the voucher example.
Why new starters? Well, they are brand new to a business, and usually eager to please their new bosses. In the current climate with flexible working commonplace, they are unlikely to have met every colleague at their new job, with many introductions coming over Microsoft Teams, phone calls or email. As a result, they are often the perfect candidates for cyber criminals to target and take advantage of.
This example underlines why social engineering is growing in popularity with cyber criminals. Flaws in technology and software can be exploited, but are often few and far between, and are quickly patched by the software provider, giving attackers less opportunity to infiltrate businesses and exploit them for financial gain.
Human beings can be compromised with ease, especially if they are unaware of the tactics cyber criminals are using to fool them into giving up important information, such as username and password details.
Critically, social engineering can be the first step to a larger malware-driven attack. By gaining access to a business’ corporate network under the guise of a trusted member of staff, it could be simple to instigate a devastating cyber attack. This could cause an organisation to experience significant periods of downtime, which can destroy businesses through financial losses.
How can you and your business avoid social engineering tactics?
Defending against social engineering requires you to practise self-awareness. Always slow down and think before doing anything or responding to any kind of communication you receive that requires urgent action. It is worth considering some of the following questions if you suspect an attack:
- Did the message come from a legitimate person? Study email addresses when getting a suspect message. There may be characters that mimic others, such as “email@example.com,” instead of “firstname.lastname@example.org.” Social media accounts that duplicate your colleague’s image and information are also common. Ask the sender if they were the true sender of the message in question – ask in person or via a phone call if possible.
- Suspicious links or attachments? If a link or file name appears odd in an email, consider the authenticity of the whole communication. Also, consider the context of the message itself – is the sender wishing you a good morning when it is the afternoon, for example?
In addition to these questions, you can also proactively improve your privacy and security. Online communications are where you are the most vulnerable. Social media, email and text messages are common methods of attack for cyber criminals.
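The first check above can be partly automated at the mail gateway. The following is an added example, not code from Neuways: it flags a From header whose domain mimics the company's own or that carries a senior employee's name on an outside address. The domain, the executive name and the look-alike character map are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Assumptions (constructed for this example): the organisation's own mail
# domain and the names of senior staff an attacker might impersonate.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane smith"}

# Small, deliberately incomplete map of characters that mimic others.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
}

def skeleton(text):
    """Fold look-alike characters so visually similar strings compare equal."""
    text = unicodedata.normalize("NFKC", text).lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text

EXEC_SKELETONS = {skeleton(name) for name in EXECUTIVES}

def check_sender(from_header):
    """Return the reasons a From header looks like impersonation."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    reasons = []
    if domain != TRUSTED_DOMAIN:
        # Same appearance as our domain, but not the same bytes.
        if skeleton(domain) == skeleton(TRUSTED_DOMAIN):
            reasons.append("domain mimics " + TRUSTED_DOMAIN)
        # A senior colleague's name attached to an external mailbox.
        if skeleton(display) in EXEC_SKELETONS:
            reasons.append("executive name on an outside address")
    return reasons

if __name__ == "__main__":
    for header in ("Jane Smith <jane.smith@example.com>",
                   "Jane Smith <jane.smith@exarnple.com>",
                   "Jane Smith <office@mail.test>"):
        print(header, "->", check_sender(header) or "no findings")
```

A message that produces findings is a candidate for the in-person or phone confirmation described above, not proof of an attack on its own.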
A general rule of thumb when it comes to phishing campaigns is to never click on a link sent in an email. Never engage with any URL you are unsure is legitimate. Using multi-factor authentication can also add an extra layer of security to verify your identity upon logging into your account. This is often made up of biometric information, such as a face scan or fingerprint, or temporary passcodes sent via trusted phone numbers.
Using strong passwords and a password manager can also shore up your company’s cyber security. Each of your passwords should be unique and complex, but storing them in Keeper Password Manager with Neuways will help keep them safe and secure for your business to use.
If you want to avoid becoming the next victim of social engineering attacks carried out by cyber criminals, get in touch with the experts at Neuways on 01283 753 333 or email email@example.com.