Despite the rise of automation and artificial intelligence technologies, the vast majority of business that gets conducted relies on some sort of human interaction or connection. Employees are an organization’s greatest asset, but also remain every organization’s weakest link when it comes to defending against a cyber breach. You can implement the latest firewall technology and employ a genius Chief Information Officer, but if all staff members aren’t aware of the types of scams that cyber criminals are trying to pull, then chances are your organization could fall victim to a social engineering attack.
What is social engineering?
Simply put, social engineering is a form of psychological manipulation that targets the user rather than the computer itself – and it’s proving to be very effective for cybercriminals. It plays on our universal human traits of fear, trust and conformity to get access to information, all without hacking into a system or cracking a code or password.
Your first line of defense might be to invest in antivirus software and firewall (software and physical versions) with intrusion detection capabilities – and that’s a great start. But that won’t account for human weaknesses, like a lack of attention to detail or an all too trusting nature.
The impact on your business
If organizations don’t take measures to educate and train their employees on social engineering tactics, it’s more likely that they’ll fall for scams, get hacked, experience a breach and become the victim of fraudulent wire transfers. Any of these events can be incredibly costly and could impact the company’s reputation. And this can be repeated multiple times if the bad guys find a ‘good victim’. In addition to the monetary impact, being scammed doesn’t feel good and can take an emotional toll on your employees.
Phishing is a technique where cybercriminals send fake emails, texts or websites that look like legitimate correspondence to manipulate employees into handing over access to corporate systems or information. It uses social engineering tactics by deceptively preying on employees’ emotions and relying on them to mistakenly give up access to the target information.
A phishing breach usually begins when a hacker works out the naming pattern of an organization’s email addresses and then sources a list of company employees’ names, usually from LinkedIn or the company’s own website.
Similarly, a cybercriminal could obtain the login details for a company executive’s email account and send emails to other employees directly from that account. They could then either request sensitive information or ask the employees to send wire transfers on behalf of the company. In many cases, the employee receiving that email will think the request is legitimate and provide the sensitive information or transfer the funds.
Another form of phishing sees hackers send out emails – again appearing to be from a legitimate email address – containing a link or attachment.
That link or attachment can do a couple of different things: it can send the recipient to a web page with a form that asks them to provide personal information, it can install spyware that gathers information on the company (and its employees and clients), or the attachment can be a ransomware file that activates when downloaded. That file encrypts the files on the user’s computer and only decrypts them once a ransom is paid to the criminal’s bank account.
Tips to protect your business
Social engineering is something that can be mitigated if employees are well educated. Technical controls such as antivirus software and firewalls will not account for human weaknesses, so it’s important to educate employees on social engineering and phishing, and the specific tactics they should look out for. This can help foster a culture in which employees are alert and cautious with information whether they’re online or in person.
Encourage employees to follow the steps below to reduce the chances of social engineering impacting your organization:
- Avoid opening emails from unknown email addresses
- Create better, stronger passwords – and change them regularly
- Avoid less than reputable internet sites, web and smartphone applications
- Cut down on the amount of biographically accurate information you divulge online (e.g. listing your birthdate on social media)
- Only use trusted sites when online
- Don’t click on links you’re sent. Instead, open the webpage on your own by typing in the URL yourself to make sure you’re going to a legitimate site and not a phishing scam site
- Log out of Facebook and other social media accounts when you’re not using them and before you close your browser window
- Don’t choose “save my password” or “remember me” when logging onto any type of account, as these credentials can be stolen by hackers
- Follow the company’s “new vendor/account change” protocol to verify clients before sending wire transfers above a certain predetermined threshold. This could involve requiring employees to call vendors (using the phone number in your files, not the one in the email) before making the transfer.