Would these social engineering techniques fool your employees?
Tue, 19 Apr 2016 16:09
To celebrate the release of two new cybersecurity Take 5 modules, Understanding Social Engineering and Phishing Awareness, we help you determine your company's social engineering risk level.
Cybercrime is big business. Hacked or leaked datasets go for £1000s on the dark web's black markets, and that's just those containing names and email addresses. A recent McAfee report shows that more sensitive records – with addresses, passwords, national insurance numbers, bank or credit card details – are sold for upwards of £25 each.
This makes your business data a potentially lucrative target for cybercriminals, and with fines for data breaches rising, you simply can't afford to ignore cybercrime risks.
When you think of cybersecurity, hardware and software probably come to mind first. Hackers will certainly exploit any vulnerability they find there, but they have a far higher hit rate when they go after people through social engineering.
Wondering if your organisation is at risk? Ask yourself the following questions to determine how well versed on social engineering your employees are…
Q: Would your employees download software, plug in USB sticks or insert DVDs without confirming they're from a trustworthy source?
If yes, they're at risk of baiting, a technique in which hackers leave an attractive download or device where a victim will pick it up and run it themselves, installing malware that can then capture confidential information.
Q: Would employees verify their identities by providing sensitive information such as password, date of birth or national insurance number over email, text or telephone in order to fix an urgent issue?
If yes, they're at risk of phishing, which involves hackers using official-seeming communications to attempt to gain confidential information.
Q: Would employees trust a communication that was personally addressed to them and included details like their address, phone number or date of birth to back up its authenticity?
If yes, they're at risk of spear phishing, a technique that targets specific individuals or organisations with tailored communications. The personal details, often obtained via other social engineering techniques or earlier breaches, are there to make the message seem trustworthy, and are not proof that it is.
Q: Would employees challenge someone phoning them up from the bank, payroll, HR or the government and asking them to update their records?
If not, they're at risk of pretexting, where a hacker invents a plausible identity and story in order to obtain information they can use to steal people's identities.
Q: Would they try to fix their computer themselves if a pop-up or error message told them it had a problem?
If yes, they're at risk of scareware, which displays an alert telling users they need to download software to fix issues. While there aren't any issues to begin with, there certainly are once the 'fix' is downloaded.
Social engineering poses multiple risks, and hackers are always coming up with new techniques. To prevent your employees becoming victims, you need to increase awareness and create an alert, vigilant culture. Follow these steps to protect your business from social engineering:
- Install and regularly update antivirus software
- Install, configure and regularly update a firewall
- Make sure employees read all emails carefully before responding, especially those containing links or attachments
- Train employees to spot when a link's visible text points to a different website from the one the link actually goes to (hovering over the link shows the real destination)
- Ensure employees don't click links or open attachments until they have confirmed they are safe
- Encourage employees to reach websites by typing the address, using a bookmark or using a search engine, rather than clicking links directly in emails
- Train employees to recognise spoofed sender addresses and to verify unexpected emails by contacting the sender through a number they already know, such as the organisation's switchboard
- Make sure employees never give out financial or sensitive information over the phone
- Encourage them to ignore all requests for financial help or requests claiming they can help them financially
- Discourage them from sending sensitive information electronically unless it goes over a secure connection, to a known recipient, and is encrypted where possible.
Following these steps will reduce the risk that social engineering poses to your organisation, as well as your employees.
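Two of the checks above, spotting a link whose visible text shows a different website from the one it really points to, and spotting a sender whose display name claims an address the real From address doesn't match, are mechanical enough to automate. The script below is an added example, not code from the original article or its training modules: it runs both checks over a constructed phishing email. The message, the organisation name example-corp.com and the other hostnames are made up for illustration. The `registrable_domain` helper keeps only the last two labels of a hostname, a simplification of the Public Suffix List that misfires on domains like example.co.uk.

```python
"""Flag two classic phishing tells: link text/href domain mismatch and a
From display name carrying an address on a different domain.
Added example; the message and all hostnames below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish, not from the article).
SAMPLE_EMAIL = """\
From: "Payroll <payroll@example-corp.com>" <alerts@mail-example-corp.net>
To: employee@example-corp.com
Subject: Urgent: confirm your bank details
Content-Type: text/html

<html><body>
<p>Please confirm your details at
<a href="http://example-corp.com.login-verify.net/payroll">https://example-corp.com/payroll</a>
before 5pm today.</p>
<p>Questions? Contact <a href="https://example-corp.com/hr">HR</a>.</p>
</body></html>
"""

HOSTNAME_RE = re.compile(r"(?:[\w-]+\.)+[a-z]{2,}", re.I)
ADDRESS_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host):
    """Last two labels of a hostname (simplification of the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """(visible_text, href) for links whose displayed domain != real domain."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname
        shown = HOSTNAME_RE.search(text)
        if not real_host or not shown:
            continue  # relative/mailto link, or text like "HR" that shows no domain
        if registrable_domain(real_host) != registrable_domain(shown.group(0)):
            found.append((text, href))
    return found


def sender_mismatch(from_header):
    """(claimed_domain, real_domain) when the display name contains an
    address whose domain differs from the actual From address; else None."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    real = registrable_domain(addr.rsplit("@", 1)[1])
    claimed = ADDRESS_RE.search(display)
    if claimed and registrable_domain(claimed.group(1)) != real:
        return (registrable_domain(claimed.group(1)), real)
    return None


def analyse(raw_email):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_email)
    return {
        "sender_mismatch": sender_mismatch(msg.get("From", "")),
        "link_mismatches": link_mismatches(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Neither check proves a message is malicious on its own: legitimate mail is sometimes sent through a third-party domain, and a genuine link can carry a short label rather than a URL. They are cheap signals to surface to the reader, or to a mail gateway, so that the "hover before you click" habit the training asks for is backed by something that never forgets to look.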
We now offer two new Take 5 micro-learning modules to protect your business from social engineering. Understanding Social Engineering provides awareness of the various techniques which put your organisation's information at risk. Phishing Awareness goes into more detail about the various tactics hackers use to attempt to access confidential information that could be used to steal employees' identities and compromise your data. Both modules feature an end-of-module assessment to test learners' knowledge, and can be completed in just five minutes.