In 2004, the Department of Homeland Security and the National Cyber Security Alliance launched National Cyber Security Awareness Month as a broad effort to help Americans stay safe and secure online. 2019 celebrates the 16th anniversary of this initiative, which continues to build momentum across the globe. The strategic focus of CyberSecurity Month now promotes personal accountability, proactive behavior in digital privacy, security best practices, and common cyber threats. This extends not only to individuals but to businesses and other bodies too.
What’s more, with various data breaches hitting the headlines this year, the importance of bringing attention to cyber security best practices has never been greater. As more and more elements of our daily lives become digital, from healthcare records to financial transactions, the challenge of mitigating the risk of cyberattacks associated with the swell of data is something that must be prioritized. Failure to do so for businesses, will lead to the loss of revenue due to operational disruption and a diminishing of customer trust.
As part of this conversation about enabling strong cyber security policies in business, it is crucial that companies are aware that their staff need to be properly trained to spot signs of social engineering. However, according to a report by Osterman Research, 6% of employees they surveyed had never received any security awareness training from their employer. From this it is easy to see how an employee may be unable to recognize social engineering attacks. The ease at which they could be tricked into giving confidential information away, such as their login details, or allow a hacker to spread malware through the system with fake website links, therefore poses a significant problem for businesses.
To further highlight this point, a recent study by US telco Verizon found that of the 41,686 security incidents, including 2,013 confirmed data breaches, recorded in 2018, 33% included social attacks.
To successfully carry out a social engineering attack, a hacker impersonates an individual and simply manipulates someone into revealing confidential information. These attacks do not require a particularly impressive skillset for a hacker, and may seem obvious, especially in hindsight, but their success lies in their simplicity. In addition, the availability of phishing kits and the rise of ransomware-as-a-service (RaaS) has given wannabe hackers an easy opportunity to enter the market and compete with sophisticated criminal organizations.
To help protect yourself and employees from a social engineering threat here are a list of six techniques that should raise red flags if you spot them.
- Connecting to the target
Hackers seeking to use social engineering will often try and find something in common with their victim in order to make them feel comfortable enough to share information. Therefore, an attacker will perform research and reconnaissance on the target. One common tactic of social engineers is to focus on the behaviors and patterns of employees with low level but initial access, such as a security guard or receptionist; hackers can scan the person’s social media profiles for information and study their behavior online and in person. From there, the hacker can design an attack based on the information collected and exploit any weaknesses uncovered.
- Time sensitive requests
If the hacker manages to build a relationship with an employee, they will then proceed by lying to gain access to the privileged data the employee holds. For example, the attacker may pretend to need personal or financial data in order to quickly confirm the identity of the recipient, or send an email that says “I’ve got a presentation in five minutes and I can’t remember my login details”, baiting their victim to give up theirs.
- Requests from the Boss
To carry out social engineering attacks some hackers choose to impersonate their victims’ boss. This method is often highly successful as a request coming from a superior is less likely to raise eyebrows. Indeed, the UK boss of an unnamed energy firm was recently tricked into transferring £200,000 following a phone call from that appeared to come from his boss at the German parent company.
- Asking for favors
Having built a connection with their target, the hacker will ask for seemingly trivial favors. “Could you download this file for me? It won’t open with my version of the software”. This link will then install malware that allows the hacklers access to the enterprises’ network.
- Utilizing a herd mentality
Hackers know you don’t want to be the odd one out, and you certainly don’t want to be that awkward employee, who is singled out for not doing something correctly. Using this, a hacker will routinely encourage you to follow other employees, often adding some time pressure into the mix, by saying things like: “Everyone else has done this – you’re the last, so please respond now.”
- Scare tactics
One final method that can be successful when it comes to installing malware is to trick the victim into thinking their computer has been infected with malware or that they have inadvertently downloaded illegal content. Then, the hacker will offer the victim a solution that will ‘fix’ the problem. However, this actually turns out to be the malware the victim was trying to get rid of.
Security awareness training can also go a long way toward preventing social engineering attacks. If people know what form social engineering attacks are likely to take, they will be less likely to become victims. On a smaller scale, organizations should have secure email and web gateways that scan emails for malicious links and filter them out, thus reducing the likelihood that a staff member will click on one.
We are proud to be a champion for National Cyber Security Awareness Month, and will continue to demonstrate our commitment to cyber security. There are many ways you and your business can get involved, including posting online safety tips and reminders about National Cyber Security Awareness Month on your social networks, and holding sessions to remind employees of signs to watch out for. In addition, if you would like more information on our enterprise data protection solutions you can visit our web page.