Social engineering is more popular than ever. Why? Simple—it works, and it works well. From Odysseus' Trojan Horse to the modern business attack, the art of manipulating human decision-making is a timeless threat. Easy access to the Internet empowers malicious actors with the intelligence, tools, and anonymity they need to develop effective campaigns. Whether you are a small business or a Fortune 500 company, you and your employees will likely face this threat and must remain on guard to defend against it.
Malicious actors target businesses daily and try to illegally access their systems. One common tactic is phishing.
How Phishing Works
In a phishing scam, the attacker sends emails that look like they are from a trusted source like your bank, insurance company, employer, cable provider, etc. The message tells you that some sort of action is required and then prompts you to click on a link or open an attachment. Many times, attackers will use messaging that invokes fear or panic. For example: "We've identified fraudulent activity on your account. Click here to review your recent transactions and report anything you believe is fraudulent." Attackers hope that your first reaction is to click on the link to resolve the issue as soon as possible. However, they may also use tactics that invoke excitement with messaging like "You've won free concert tickets. Click here to claim your prize!" to encourage you to act now.
If successful, the attacker may install malware on the recipient's computer or steal information. Once a computer is compromised, the attacker may expand their access to other computers. Attackers may also manipulate the recipient into doing something harmful like transferring funds. If unsuccessful, the attacker will adjust the attack until they reach their objective. In other words, the attacker will continue to "phish" until someone takes the bait.
To protect your company, you may use several methods to prevent successful phishing attacks:
- Configure your email security gateway to block attempts that come from known threats.
- Arm your employees by implementing mandatory security education training, so they know how to identify and react to social engineering attempts.
- Allow your employees to report phishing attempts directly from their email software.
- Use tools to send fake phishing messages to test and train your employees.
Social engineering will continue to target human decision making and prey upon the victim's tendencies. Therefore, it is important to continue to identify new threats and ways to lower your risk of experiencing social engineering attacks. It is important to remember that while technical methods may help lower risk, educating individual employees remains the best defense. When faced with a threat from email or on the phone, you and your employees are the last and best line of defense. You and your employees must all remain suspicious of email messages, and not follow a hyperlink or open email attachments unless it is from a known, trusted source. As always, think before you click!
Remember what to look for:
To identify a phishing attack, please look for one or more of the following indicators:
- Unsolicited email messages requesting sensitive personal or company information
- Requests from unknown or spoofed senders to click on hyperlinks or open attachments
- Spoofed message from someone you know to act on their behalf or complete a task
- Warnings or threats with offers of quick fixes by following a link or installing software
- Offers, promotions, or notices that prompt you to claim rewards, winnings, or prizes
- Messages with spelling or grammar errors, or with abnormal business or personal language
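The indicators above can be turned into a simple defender-side triage check. The script below is an added example written for this article, not code from the original page; it parses a raw email with Python's standard library and reports the indicators it finds: a Reply-To routed to a different domain than the sender, fear/urgency/reward wording, hyperlinks whose visible text names one site while the href points elsewhere, and attachments with executable-style names. The phrase list, extension list, domain names and both sample messages are constructed for illustration; the spelling-error indicator is not automated here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases matching the article's fear/panic and excitement lures and its
# "requests for sensitive information" indicator (constructed list).
LURE_PHRASES = (
    "fraudulent activity", "verify your account", "immediately", "suspended",
    "you've won", "claim your prize", "act now", "password", "account number",
)
# Attachment extensions that commonly carry executable content (constructed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def address_domain(header_value):
    """Domain of an RFC 5322 address header ('' when absent or malformed)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def same_site(host_a, host_b):
    """Rough heuristic: hosts are the same site when their last two labels agree."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def find_indicators(raw_message):
    """Return human-readable phishing indicators found in a raw RFC 5322 email."""
    msg = message_from_string(raw_message)
    found = []

    # 1. Spoofed or mismatched sender: replies routed to a different domain.
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain!r} differs from sender domain {from_domain!r}")

    # Collect text bodies and attachment names from every MIME part.
    text_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text_parts)

    # 2. Fear, urgency, reward or sensitive-data wording.
    lowered = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            found.append(f"lure wording: {phrase!r}")

    # 3. Hyperlinks whose visible text names one site while the href goes elsewhere.
    for href, label in ANCHOR_RE.findall(body):
        href_host = (urlparse(href.strip()).hostname or "").lower()
        label_match = DOMAIN_RE.search(label)
        if href_host and label_match and not same_site(href_host, label_match.group(1).lower()):
            found.append(f"link text shows {label_match.group(1)!r} but points to {href_host!r}")

    # 4. Attachments with executable-style extensions (double extensions included).
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            found.append(f"risky attachment name: {name!r}")
    return found


def indicator_count(raw_message):
    """Number of indicators found; a triage threshold can be applied to this."""
    return len(find_indicators(raw_message))


# Constructed sample messages (RFC 5322 text); domains use reserved test names.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
Reply-To: recover@mailbox-collect.test
To: employee@company.test
Subject: Fraudulent activity on your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>We've identified fraudulent activity on your account.
Please verify your account immediately or it will be suspended.</p>
<p><a href="http://198.51.100.7/login">https://www.examplebank.test/secure</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

ZmFrZQ==
--b1--
"""

SAMPLE_BENIGN = """\
From: "Payroll" <payroll@company.test>
To: employee@company.test
Subject: March timesheet reminder
Content-Type: text/plain; charset="utf-8"

Hi team, timesheets for March are due Friday. Thanks!
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, indicator_count(sample), find_indicators(sample))
```

Run as a script it prints the indicator list for each constructed sample. The checks are deliberately simple keyword and domain heuristics that complement, rather than replace, the gateway filtering and user training the article recommends; in practice a reporting workflow would feed messages like these to the security team for review.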
While not exhaustive, these indicators may help you identify an attack. To conclude, cybercrime happens every day, and it's up to you and your employees to protect your business and your customers. The steps outlined above do not cover every precaution you may take, but we hope you will use this information as a starting point to help lessen the likelihood of a data breach.