This June, over 10,000 people were duped by a phishing email that masqueraded as a power bill from AGL Energy. The email looked almost identical to the real thing, but when recipients clicked on the “View Invoice” link provided, malware was delivered instead.
This, unfortunately, is just one of many successful social engineering attacks in Australia this year. In fact, last month a sophisticated phishing email purporting to be from Telstra stole thousands of account login and bank credentials from unsuspecting victims.
Social engineering, the act of manipulating people into disclosing sensitive information or taking an unsafe action, has proven to be one of the most effective tactics in an attacker’s arsenal. Social engineers don’t even need to be technically savvy to sidestep well-configured firewalls and intrusion prevention systems, because they target the people behind those controls rather than the network itself. All it takes is a couple of emails or phone calls and a convincing lie. And with the wealth of personal information willingly shared online, even a mediocre scammer can pull off an informed and persuasive performance.
However, all is not lost. If you and your employees can outsmart the con artist, then your business can stand a chance against any social engineering attempt. Here are some tricks to protect your business from social engineers.
Use anti-phishing technologies
Anti-spam and web filtering defenses installed in mail gateways and on end-user desktops are a good first step to outsmarting social engineers. Web filtering services block known malicious websites and redirect unwitting users to a “Blocked” page. Anti-spam software detects common social engineering email patterns, such as look-alike sender domains and links whose text does not match their destination, and removes those messages from employee inboxes. Because these tools rely largely on known bad senders, domains and patterns, they will not catch every freshly registered look-alike domain, but they do reduce the chances of employees accidentally interacting with a social engineering attack.
Education is the best prevention
Deploying anti-phishing technologies may be important, but creating a comprehensive security awareness program is even more so. To your untrained employees, any email or phone call is an innocent one. And without knowing how to identify what a common phishing or vishing attack looks like, employees won’t be able to do their part in protecting your business’s network security.
Even though there are several techniques for social engineering attacks, there are often some tell-tale signs your employees should be aware of. Phishing attacks lure users into clicking a fraudulent link or downloading malware-ridden email attachments. Vishing (or voice phishing) attacks use the immediacy of verbal communication to wring valuable information out of targets.
In most social engineering attacks, malicious actors will usually do one of two things to solicit sensitive information. They could entice users by offering them a chance to win a free iPhone or some extra cash. Or they can create a sense of urgency by manufacturing fake scenarios. This could be anything from alerting potential victims about unusual activity in their bank accounts to warning them about a problem with their computer.
Whatever the case may be, it’s important to empower your staff to be security-conscious at all times. No matter how compelling the request, train them never to give away login credentials, credit card information, or company data over email, phone, and especially social media. Before entering sensitive information on any website, your staff should check the address bar carefully: the lock symbol and the ‘s’ in https only show that the connection is encrypted, not that the site is genuine, and phishing sites routinely use HTTPS too, so the domain itself must be the one they expect. In similar fashion, if a credit card company calls about a compromised card, your employees should immediately know to hang up and dial the number listed on the back of the credit card rather than any number the caller offers.
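The signs listed above (a brand name in the display name that the sender’s domain does not back up, a Reply-To pointing somewhere else, link text that names one domain while the link goes to another, manufactured urgency, and risky attachments) are the same patterns the anti-phishing gateway mentioned earlier looks for. The following is an added example written for this page, not code from the original article or from Empower IT, that scores a raw email against those signs. The sample messages, the keyword list, the risky-extension list and the crude registrable-domain rule are all assumptions chosen for illustration; the domains in the samples are reserved example domains, not real attacker infrastructure.

```python
"""Heuristic phishing triage for a raw email message (added example, not the article's code)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword list and risky extensions are assumptions chosen for illustration.
URGENCY = ("overdue", "immediately", "within 24 hours", "suspended", "unusual activity")
RISKY_EXT = (".exe", ".js", ".scr", ".hta", ".docm", ".zip")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

# Constructed sample lure in the style of the AGL power-bill phish described in the article.
SAMPLE = """\
From: "AGL Energy" <billing@invoices.example.net>
Reply-To: accounts@example.org
To: staff@example.com
Subject: Your AGL power bill is overdue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you pay immediately.</p>
<p><a href="http://invoices.example.net/view">View Invoice</a></p>
<p><a href="http://pay.example.org/pay">agl.com.au</a></p>
</body></html>
"""

# Constructed benign message used to show that ordinary mail produces no findings.
BENIGN = """\
From: "Example Payroll" <payroll@example.com>
To: staff@example.com
Subject: Pay slip for March
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your pay slip is available in the HR portal.
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: last two labels, or three for com.au-style suffixes (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    second_level = (len(labels) >= 3 and labels[-2] in ("com", "net", "org", "gov", "edu")
                    and len(labels[-1]) == 2)
    return ".".join(labels[-3:] if second_level else labels[-2:])


def domain_of(addr):
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def triage(raw):
    """Return human-readable findings for a raw message; an empty list means no sign was found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # Sign 1: a brand in the display name that the sender's domain does not carry (crude heuristic).
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in from_dom:
        findings.append(f"display name '{name}' but sender domain '{from_dom}'")

    # Sign 2: replies are routed to a different domain than the one that "sent" the mail.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from sender '{from_dom}'")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for href, label in parser.links:
            host = urlparse(href).hostname or ""
            if not host:
                continue
            named = DOMAIN_RE.search(label.lower())
            # Sign 3: anchor text names one domain while the link really goes to another.
            if named and registrable(named.group()) != registrable(host):
                findings.append(f"link text '{label}' actually goes to '{host}'")
            elif not named and registrable(host) != from_dom:
                findings.append(f"link '{href}' points outside sender domain '{from_dom}'")

    # Sign 4: manufactured urgency in the subject or body.
    blob = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENCY if w in blob]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Sign 5: attachment types that commonly carry malware.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            findings.append(f"risky attachment '{filename}'")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("SAMPLE:", finding)
    print("BENIGN:", triage(BENIGN))
```

Run as-is it reports four findings for the constructed lure (brand/domain mismatch, Reply-To mismatch, the “agl.com.au” link that really goes to pay.example.org, and the urgency wording) and nothing for the payroll message. A real gateway would add sender-authentication checks (SPF, DKIM, DMARC) and reputation lookups on top of these content heuristics; the point here is that each of the tell-tale signs staff are taught to notice is also mechanically checkable.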
Strengthen security against less conventional attacks
Although most scams are performed online, you also need to account for social engineering ploys conducted offline. Take tailgating, for instance. Con artists can don a disguise, something like a delivery driver’s uniform, and ask your employees to hold the door, thereby gaining unauthorised access to your premises. To avoid this, stringent physical security measures must be deployed: reception or security staff should identify and record every individual attempting to enter restricted areas, and server rooms should be locked and under surveillance at all times.
Sometimes, offline scams don’t even need to be that cunning. Social engineers can exploit human curiosity by simply leaving physical media lying around. Earlier this year, in fact, multiple Victorian residents fell victim to a baiting attack after plugging in an unmarked, ransomware-infected USB drive. The best response is to teach employees to resist the urge to plug unknown devices into computers and, where you can, to turn away any mysterious deliveries. Where practical, back the training with a technical control as well, such as disabling removable storage on endpoints that have no business need for it.
Security awareness is a journey
An important detail many businesses seem to miss is that security-awareness training is an ongoing process. One training seminar to defend against social engineering attacks will be effective for only a very short period of time.
As the social engineering landscape constantly evolves, hold periodic security awareness programs to warn employees about the latest scams. Think of this process like installing a human security patch. The more often you update, the more likely your employees are to develop a healthy skepticism of emails, URLs, ‘special’ offers, phone calls, and downloadable files.
Defending against social engineering attacks may be lower on the priority list for most businesses, but they can be just as devastating as any denial-of-service or malware attack, if not more so. According to a 2014 report from the Australian Bureau of Statistics, a successful social engineering attack costs approximately $23,000. And though some enterprises may be able to take the hit, most businesses that fail to prepare their employees for social engineering attacks are looking at a bleak future.
Security-awareness training can go a long way towards protecting your business from increasingly sophisticated social engineering attacks. But the challenge now is finding a trusted managed services provider that can help show you the ropes. Here at Empower IT, we’re not just a cloud services provider; we also have the capacity to help your employees prepare for any social engineering attack that might come their way. Outwit any scammer, protect your employees, and empower your business — contact our team today.