Social Engineering Threats
Phishing exploits are on the rise
Last updated Monday, December 10, 2018
Over the years, networks and cloud services have become much more hardened against common forms of cyber attacks. To combat these tougher defenses, attackers have shifted their focus to the people who already have access and, as usual, they're targeting companies that make it easy. It's become so big we've dedicated an article just to this one method of exploitation.
What is Social Engineering?
Social engineering, also known as Phishing, usually involves targeting people via email, regular mail, phone, fax, text message and/or social networks. By forging identities and creating credible content, it’s possible to fool people into handing over their usernames, their passwords and - in some cases - company data and/or funds.
Most people know by now that a Nigerian Prince really doesn’t want to give them money. But the busy Accounts Receivable employee who receives an invoice from a known vendor, the HR Manager who opens an infected attachment, the Office Manager who receives an unsolicited domain renewal request or the CFO who receives a change request on a pending financial transaction might not always catch the scam.
Confirm Requests by Phone
Attacks are especially effective when the communication appears to come from someone the recipient knows. This is called Spear Phishing (or Pretexting). Professional criminals are good at what they do. By using public social network posts, spyware and previously compromised data, they can build a pretty good profile of their target. Opening with this information lowers the victim’s defenses and makes them less suspicious. “Hey Bob, how was that fishing trip this weekend?” or “I hope you enjoyed your trip to Vegas last month” are great ways to fool people into believing this person already knows them, and therefore is more trustworthy.
Other Things to Consider
Masking methods (for example, using password managers so your users don’t even know their passwords) and adopting internal policies requiring multiple levels of approval before funds or data are released - even to internal parties - can help prevent phishing.
Protect your identity with DKIM, SPF and DMARC policies to severely restrict the ability of attackers to send email appearing to originate from your domain.
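As an added example (not part of the original article), a small Python checker that evaluates a domain's SPF and DMARC TXT records and flags the settings that still let outsiders send as that domain: a softfail "~all" or missing "-all" in SPF, and "p=none" or "p=quarantine" in DMARC, against the restrictive "-all" and "p=reject". The records and domain names are constructed samples embedded in the script; a real deployment would fetch them with a DNS lookup instead.

```python
"""Flag SPF and DMARC record settings that leave a domain open to spoofing."""
# Constructed sample TXT records for two hypothetical domains (not real data).
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.mailhost.example ~all",
                     "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"},
    "strict.example": {"spf": "v=spf1 include:_spf.mailhost.example -all",
                       "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"},
}

def parse_dmarc_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf):
    """Weaknesses in an SPF record: the final 'all' mechanism decides the fate of unlisted senders."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF missing: any host may send as this domain"]
    last = spf.split()[-1].lower()
    if last in ("+all", "all"):
        return ["SPF ends in +all: every sender is explicitly authorised"]
    if last == "~all":
        return ["SPF ends in ~all (softfail): forged mail is flagged, not rejected"]
    if last != "-all":
        return ["SPF has no terminating -all: unlisted senders are treated as neutral"]
    return []

def dmarc_findings(dmarc):
    """Weaknesses in a DMARC record: p= tells receivers what to do when SPF and DKIM both fail."""
    tags = parse_dmarc_tags(dmarc or "")
    if tags.get("v") != "DMARC1":
        return ["DMARC missing: receivers apply no policy to mail failing SPF/DKIM"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ["DMARC p=none: failures are only reported, never blocked"]
    if policy == "quarantine":
        return ["DMARC p=quarantine: forged mail is sent to spam rather than rejected"]
    if policy != "reject":
        return [f"DMARC p={policy!r} is not a valid policy"]
    return []

def assess(domain, records=SAMPLE_RECORDS):
    """Return every weakness found in the domain's SPF and DMARC records (empty list = hardened)."""
    rec = records.get(domain, {})
    return spf_findings(rec.get("spf")) + dmarc_findings(rec.get("dmarc"))
```

DKIM itself is verified per message against the signing key published in DNS, so it is not something a record check alone can confirm; DMARC's p= value is what turns SPF and DKIM failures into rejected mail.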
Developing verification policies for requests that involve data or financials is essential, along with deploying a solid Advanced Threat Protection (ATP) service.
You can also enroll your employees in a Phish Testing service to help discover weaknesses and train them on what to do when a scam arrives via email.
We can help. Contact us today.