How to avoid a social engineering and phishing attack?
Social engineering is a specific kind of cyber security attack where the attacker relies on human interaction to gain access to an organization’s sensitive information or infrastructure with the intention of doing harm from within. The attacker may appear friendly or unassuming, typically relying on normal social convention and common courtesy to gain the trust and bend the will of their victim.
These attacks range in scale and quality and can be both off- and online. For example, an offline attacker might pose as a security maintenance professional or janitor, using their credentials to access a restricted server room where they can then launch an actual cyber attack or data retrieval operation. An online attacker might attempt to retrieve information digitally by sending targeted emails from a spoofed email address or fraudulent account that appears to be legitimate.
Gone phishing, a new social engineering threat.
Phishing schemes have become more closely associated with social engineering over the last several years. Phishing is the practice of soliciting seemingly innocuous information to infiltrate and compromise critical components of the organization.
For example, an attacker might set up an office-wide poll asking for an employee's “funny name,” consisting of their mother’s maiden name and home street address. While seemingly innocuous, these two pieces of information can be used to deduce company passwords, steal identities, and create other access points into the organization.
Often the attacker will go to multiple sources to collect different pieces of information, which can later be “assembled” to form a broader view of the organization’s infrastructure and weaknesses. In these cases, the social engineering scheme relies both on the credentials and apparent legitimacy of the attacker and the willingness of the victim to participate.
Important information collected during a phishing attack can include:
- Personally identifiable information such as names, addresses, phone numbers, and birthdays
- Company IDs, photos, seating locations, office locations, and account login identifiers
- Job description and information, close contacts, and the names of managers or direct reports
The safest and easiest way to prevent a social engineering attack is to identify the attacker early and refuse to engage. Below is a list of tell-tale signs of social engineering and phishing schemes that can be easily identified:
- Messages from strange or suspicious email addresses or domains
- Messages with generic greetings or auto-filled names and addresses, company policies, or instructions
- People with difficult-to-identify or low-level credentials that might not require formal registration (including maintenance teams, janitorial staff, building security, or fire and life safety administrators)
- People claiming to “know” someone within the organization, asking for “help,” or offering a story of some hardship or challenge meant to elicit sympathy
- Messages with suspicious hyperlinks to external websites
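Three of the email signs above (unfamiliar sender domain, generic greeting, links to external sites) can be checked automatically before a message reaches a reader. The following Python sketch is an added example, not part of the original article; the trusted domain `example.com`, the greeting word list, and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domains
GENERIC_GREETING = re.compile(  # assumption: a small illustrative word list
    r"^\s*(dear|hello|hi)\s+(customer|user|employee|colleague|sir|madam)\b", re.I | re.M)

# Constructed sample message (not real traffic).
SAMPLE = """From: IT Support <support@helpdesk-example.test>
Subject: Policy update
Content-Type: text/html

<p>Dear employee,</p>
<p>Review the new policy <a href="http://portal.helpdesk-example.test/login">here</a>.</p>
"""

class LinkCollector(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    # Exact match or true subdomain only; a bare suffix test would accept "notexample.com".
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw_email):
    """Return the list of tell-tale signs found in one raw single-part message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    signs = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_trusted(sender_domain):
        signs.append("untrusted sender domain: " + sender_domain)
    if GENERIC_GREETING.search(re.sub(r"<[^>]+>", "", body)):
        signs.append("generic greeting")
    collector = LinkCollector()
    collector.feed(body)
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if host and not is_trusted(host):
            signs.append("external link: " + host)
    return signs
```

Calling `triage(SAMPLE)` reports all three signs for the constructed message. A result like this is a reason to look closer, not proof of an attack, and an empty result does not make a message safe.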
The Bottom Line
Unfamiliar parties should be greeted with increased scrutiny and skepticism, particularly when they claim to have some shared association with the organization. Organizations have policies and procedures that employees MUST follow, and a well-intentioned person will understand this. When dealing with someone suspected of engaging in social engineering, the employee must be as specific and direct as possible. They should ask to see specific credentials and then have those credentials verified independently by a trustworthy source within the organization.
Employees should NEVER provide personal information to a third party or contact that has not been verified as legitimate.
As an Organization Owner
Proper security awareness and training are critical for your employees. It takes skill and thought to identify the best social engineering attacks as they are duplicitous by nature. However, even the best training may not be enough to overcome this growing threat.
We recommend considering a cyber insurance policy with coverage for social engineering threats. These policies can range in scale and are often the most comprehensive, protecting an organization not just from the direct financial loss relating to a social engineering scheme but also from many of the indirect costs, including lost revenue from a damaged reputation, customer apprehension, and diminished growth prospects. Business owners can use GetCyber to find cyber insurance coverage and obtain high-quality and quick cyber quotes. GetCyber offers several benefits over traditional cyber insurance brokerages, including the ability to:
- Obtain instant quotes from the 6 top insurers
- Find up to $3M in insurance coverage automatically
- Receive a plan with customizable and comprehensive coverage
- Access 24/7 support
As a business owner, it is up to you to assess the amount of acceptable risk for your firm. While this is no easy task, GetCyber is here to help. Get a quote today by visiting us at www.getcyber.com