This last month I served on jury duty and watched as one of the evidence presented was a pretext phone call. Later that same week, I received a cybersecurity training email that taught me about pretexting as a form of social engineering. Who would have known that my cybersecurity awareness training could have real-life implications in the courtroom!
Social engineering is a type of crime that manipulates people into giving up their confidential information to bad actors. The theory behind social engineering is that humans have a natural tendency to trust others, which makes it easier to trick someone into divulging personal information than it is to hack an account. Due to the overwhelming lack of cybersecurity awareness training available to most employees, social engineering continues to be successful. Here is a quick overview of common social engineering scams to help you spread awareness of this tactic and fight back.
Phishing is a leading form of social engineering delivered through email, chat, web ad, or a website designed to impersonate a real system, person, or organization. Phishing messages usually deliver a sense of urgency or fear with the end goal of capturing an end user's sensitive data. A phishing message might come from a bank, the government, or a major corporation.
The call to action varies. Some ask the end user to "verify" their login information of an account and include a mocked-up login page complete with logos and branding to look legitimate. Some claim the recipient is the "winner" of a grand prize or lottery and request access to a bank account to deposit the winnings. Some ask for charitable donations (and provide wiring instructions) after a natural disaster or tragedy. A successful attack often culminates in access to systems and lost data. Organizations of all sizes should consider backing up business-critical data with a business continuity and disaster recovery solution to recover from such situations.
Baiting, like phishing, involves offering something enticing to an end user in exchange for login information or personal data. The "bait" comes in many forms, including digital--such as music or a movie download, and physical--such as a corporate flash drive labeled "Company Payroll" that is left on a desk for an employee to find. Once the bait is downloaded or used, malicious software is delivered directly into the end users' system, and the hacker can get to work.
Pretexting, which is what I witnessed in the court case, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to an end user to access login information. An example of this type of scam is an employee's email that appears to be from the head of IT support or a chat message from an investigator who claims to be performing a company audit. Pretexting is highly effective as it reduces human defenses to phishing by creating the expectation that something is legitimate and safe. Pretexting emails are particularly successful in gaining access to passwords and business data, and because of this, it is essential to have a third-party backup provider.
Scareware bombards with false alarms and fictitious threats. Users believe their system is infected with malware, prompting them to install software with no discernible benefit (other than for the perpetrator) or malware itself. Scareware is also referred to as deception software, rogue scanner software, and fraud ware.
A common scareware example is the legitimate-looking pop-up banners appearing in your browser while surfing the web, displaying such text as, "Your computer may be infected with harmful spyware programs." It either offers to install the tool (often malware-infected) for you or will direct you to a malicious site where your computer becomes infected. Scareware is also distributed through spam email that doles out bogus warnings or makes users buy worthless/harmful services.
Social engineering attacks are both sneaky and prevalent. That makes it critical for everyone to stay aware of the threat. Here are some things to review with your IT team or provider:
- Implement a cybersecurity training program in your organization so everyone is aware of the problems that can affect the company's computer network. Then hold your team accountable to participate in this training.
- Always use two-factor authentication (2FA) in your company to provide that extra layer of security that will help maintain your network integrity.
- Secure your computing devices and accessories. This means protecting your digital space with anti-virus software, firewalls, and email filters and make sure they automatically lock after a brief period. It also means securing flash drives, external hard drives, and other pieces of equipment that could be compromised.
- Backup all your important data. Have a robust backup and recovery system in place and make sure that it is working correctly.
Adept Solutions wants to help your company be cyber secure. We can help train your team in the latest cybersecurity attacks that put your business at risk. Call our office for more information, 530-751-5100.