Arming Your Employees Against the Future of Social Engineering

The business world’s increasing reliance on information technology, combined with the rapid pace of new developments, means more opportunities for malicious actors to exploit vulnerabilities.

One growing concern for businesses is social engineering, where individual employees are deceived into divulging confidential or personal information, or into taking an action, that can compromise the security of the entire organisation, with potentially serious legal, financial and reputational ramifications.

Social engineering methods prey on human trust and gullibility, frequently targeting individuals via email or social media platforms, which is why it is critical that businesses arm their employees against the evolving nature of cyber threats with heightened awareness and ongoing education.

What is social engineering?

Social engineering in cybersecurity combines psychological manipulation with a technical delivery channel, most often a phishing email. An attacker impersonates someone trustworthy to persuade the target to open an attachment, visit a malicious website or hand over credentials, any of which can give the attacker a foothold in the corporate network. Many phishing campaigns aim to acquire banking details and lead directly to financial theft.

Social engineering attacks employ various tactics, some better known than others, so making sure your employees can recognise all of them is one of the best ways to protect them and safeguard your business.

Pretexting is when the con artist gains a victim’s trust by creating a backstory that makes the attacker sound legitimate. It is often used at an early stage of more complex social engineering attacks, but it can also be as simple as a false justification for a request, for example impersonating IT Support and asking for a password.

Baiting lures the victim with something they are curious about or want, such as a USB flash drive left on a desk which, once plugged in, installs a key logger (malware that records keystrokes as a person types).

Quid Pro Quo offers the victim something in return for information or access, for example a caller posing as IT Support who offers to fix a problem if the user first hands over their password, or a small payment in exchange for credentials.

Tailgating is where a person without their own credentials follows an authorised employee through a door into a sensitive area. It is sometimes combined with a device that reads and copies the identity of a Radio Frequency ID pass so the intruder can later enter alone.

Water-holing is where the attacker compromises a trusted website that the target group regularly visits, so that the legitimate site itself delivers the malware.

Phishing involves trying to acquire usernames, passwords and credit card information by masquerading as a trustworthy organisation, usually via bulk email crafted to slip past an IT system’s spam filters.

Spear Phishing is a focused email attack on a particular person, using details about them to make the message convincing, with the goal of penetrating the organisation’s defences.

Honey Trapping uses a fictional online persona, typically posing as a romantic interest, to draw the target into a relationship and then extract information or money.

Scareware / Rogue Security Software is software that falsely reports an infection and pressures the user into paying for a fake or simulated removal tool, which is often itself malware.

Whaling is a type of phishing aimed at senior executives such as CEOs and finance directors, either to compromise their accounts directly or to impersonate them and exploit their influence over finance staff and assistants, for example with an urgent request to transfer funds.

Pharming is where individuals are redirected to a malicious site that impersonates a legitimate one, not by tricking them into clicking a link but by tampering with the systems that match domain names to IP addresses (DNS resolution, including local hosts files), so that even a correctly typed address leads to the attacker’s server.

Vishing / Voice Phishing is an attack that uses the phone. Often the person receives a recorded message telling them their bank account has been compromised and prompting them to enter their details via the phone’s keypad, giving the perpetrator access to their accounts.

What to teach employees to look out for to avoid exploitation

To combat social engineering, companies must train their employees to recognise psychological triggers such as urgency, fear and authority, as well as other warning signs. Encourage healthy scepticism that leads staff to err on the side of caution and check with a colleague or supervisor when they encounter anything that is slightly suspicious, rather than acting out of haste or fear.

Some of the key security habits that employers should champion include:

  • Be cautious of unsolicited communications
  • Verify email sources meticulously: check the actual sender address, not just the display name
  • Check for spelling or grammar mistakes in emails, names and domain names, and if in doubt confirm the sender’s identity through a separate channel
  • Never open suspicious attachments
  • Share sensitive information only after thorough verification
  • Check a website’s address and security before submitting information, even if it looks legitimate; a padlock icon shows the connection is encrypted, not that the site is genuine
  • Pay particular attention to web addresses that look genuine but differ subtly from the legitimate site they imitate
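The following Python script is an added, illustrative example and is not part of the original article or the author's material. It applies the last few habits mechanically to a constructed email: it compares the From and Reply-To domains, and flags sender and link domains that imitate an assumed list of trusted domains through typo-squatting, embedding the trusted name inside a longer domain, or confusable characters, including a Cyrillic homoglyph hidden behind punycode. The trusted-domain list, the sample message, the confusable table and the edit-distance threshold are all assumptions chosen for illustration.

```python
"""Sender-mismatch and lookalike-domain checks for a suspicious email.

Added example, not from the original article. TRUSTED_DOMAINS, CONFUSABLES,
the distance threshold and SAMPLE are assumptions made for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Assumed: domains the organisation legitimately deals with.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Substitutions attackers use because they look alike (assumed, not exhaustive).
# Folding "rn" to "m" can cause false positives on ordinary words; that is a
# deliberate bias towards flagging in a triage tool.
CONFUSABLES = {
    "0": "o", "1": "l", "rn": "m", "vv": "w",
    "\u0131": "i",   # dotless i
    "\u0430": "a",   # Cyrillic a
    "\u0435": "e",   # Cyrillic e
    "\u043e": "o",   # Cyrillic o
}


def normalise(domain: str) -> str:
    """Decode punycode (xn--) labels and fold confusable characters to ASCII."""
    d = domain
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: keep the raw form and still compare it
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between different domains is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if genuine or unrelated."""
    raw = domain.lower().strip(".")
    if raw.startswith("www."):
        raw = raw[4:]
    for trusted in TRUSTED_DOMAINS:
        if raw == trusted or raw.endswith("." + trusted):
            return None  # the genuine domain or one of its own subdomains
    norm = normalise(raw)
    for trusted in TRUSTED_DOMAINS:
        if trusted in norm:  # e.g. login.example-bank.com.verify-now.net
            return trusted
        if edit_distance(norm, trusted) <= 2:  # typo-squat, threshold assumed
            return trusted
    return None


def analyse(raw_message: str) -> List[str]:
    """Return human-readable warnings for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    warnings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for label, dom in (("Sender", from_domain), ("Reply-To", reply_domain)):
        hit = lookalike_of(dom) if dom else None
        if hit:
            warnings.append(f"{label} domain {dom} imitates {hit}")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        hit = lookalike_of(host)
        if hit:
            warnings.append(f"Link {url} points at {host}, which imitates {hit}")
    return warnings


# Constructed sample: a Cyrillic 'е' (U+0435) replaces the Latin 'e' in "example",
# then the name is punycode-encoded the way it would appear in a real link.
HOMOGLYPH_HOST = "exampl\u0435-bank.com".encode("idna").decode("ascii")
SAMPLE = f"""\
From: Example Bank Security <alerts@example-bank.com>
Reply-To: support@examp1e-bank.com
Subject: Urgent: verify your account
Content-Type: text/plain

Your account has been locked. Confirm your details within 24 hours:
https://login.example-bank.com.verify-now.net/confirm
Or visit https://www.{HOMOGLYPH_HOST}/ to reset.
"""

if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print("WARNING:", line)
```

The genuine sender address passes, but the Reply-To and both links are flagged, which is the pattern to teach: a convincing From header proves little when the reply path and the links lead elsewhere. A real deployment would pair this with SPF/DKIM/DMARC results and a much larger confusable table.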

As humans are the target, make sure to engage with employees to:

  • Build awareness and a positive security culture
  • Test the effectiveness of guidance and training
  • Reinforce technological cyber security measures

Organisations should also establish a robust cyber threat strategy, which includes evaluating the effectiveness of security protocols and enhancing technological cybersecurity measures.

Our highly trained team of qualified and experienced risk consultants work with clients across the UK to improve their understanding of their risk exposure and develop bespoke programmes that meet each client’s individual needs and requirements.

Contact our team today to discuss how we can assist you with building a robust organisational defence against cyber threats.

Ashley Easen

Director - Consulting
