Cyber-scams that Exploit the Weakest Link: Us
What is social engineering?
Your office phone rings one busy morning and you pick up. The caller introduces himself as “Dave from IT.” You don’t know Dave from the IT department, but you don’t have time to confirm his identity. Maybe he’s a new hire. “Dave” asks for your login credentials so he can update your security software, and you give them to him. After all, your IT department is always updating something and you have other things on your mind.
Unfortunately, your security software is not being updated, “Dave” is not a member of your company’s IT department, and you’ve just opened your company up to a world of problems. You’re the latest victim of a cyber-scam known as “social engineering.”
Cybercriminals employ social engineering as a means of manipulating people into giving up confidential information. These criminals use this tactic to obtain a wide range of information, most commonly passwords or access codes, bank information, or direct computer access. They can secretly install malicious software that will provide them access to your passwords and other sensitive information, as well as give them control over your computer.
A growing threat to organizations.
Social engineering attacks are nothing new to the world of cybersecurity. Pioneering hacker-turned-security guru Kevin Mitnick popularized the term in the mid-90s, though the techniques of social engineering have been around as long as there have been con artists. Today, social engineering scams target organizations of all sizes in the public and private sectors and every industry.
As cybersecurity tools and practices have become more sophisticated, so have social engineering tactics. As with other types of cyberattacks, social engineering scams increasingly target smaller businesses. Such entities typically have fewer resources at their disposal and small-business personnel are less likely to be trained in policies and behaviors to help them spot and prevent social engineering attempts. In fact, 60 percent of small businesses say they have been targeted by social engineering scams, while only 14 percent believe they have the resources or ability to effectively block such attacks.
While smaller entities have historically borne the brunt of social engineering attacks, lately there has been a significant uptick in the number of such attacks aimed at government contractors. The global COVID-19 pandemic has exacerbated the situation by providing new opportunities for hackers to exploit, resulting in a 600 percent increase in overall cybercrime. During the last year, 43 percent of IT professionals said they had been the target of social engineering schemes. With so much information available online, particularly through social media, organizations and individuals who fall victim to social engineering have more at stake than just financial losses, including loss of reputation and the possible legal ramifications of exposing sensitive data.
Who is at risk? Everyone!
To illustrate the scope of these attacks and show that no one is safe from them, one only needs to look at the growing list of high-profile breaches that have occurred as a result of social engineering. One recent scam took advantage of anxiety over the current COVID-19 pandemic with an e-mail that claimed to originate from Vice President Mike Pence. Recipients were prompted to click a link to download important information, but the link actually downloaded malware that exposed their systems and personal data. This is just one example of how social engineering can exploit current events and user anxiety to catch potential victims off-guard.
Social engineering does not require sophisticated tools, or even a knowledge of computers or programming skills, which is precisely what makes it so dangerous. Digital threats like malware can be countered with software, hardware and other security tools. Social engineering targets a cyber-defense’s weakest link, the human element. Such was the case in 2015 when a 15-year-old hacker was able to con his way into the online accounts of then CIA Director John Brennan, FBI Director Mark Giuliano and Homeland Security Secretary Jeh Johnson. The young cybercriminal made off with classified government documents, reset personal iPads, and even hacked Johnson’s home television to display taunting messages.
Tips to avoid social engineering scams.
To counter the social engineering efforts of hackers, organizations need to look to the same vulnerabilities these cybercriminals exploit — the human factor. This begins with creating a cyber-culture within your organization that prioritizes cybersecurity. That means training employees to spot and avoid cyberattacks, including social engineering ploys. Staff should be encouraged to report any suspicious activity. Cybersecurity experts estimate that only three percent of targeted users report suspicious emails to management or their company’s IT team. In addition to training staff to recognize and report social engineering attempts, organizations should adopt policies and procedures to mitigate such attacks and ensure those policies are enforced.
One recommended policy is to ensure all collaborative software used within an organization is secure. The popularity of online meetings through platforms like Zoom has made them a tempting target for social engineering hackers. Users should be required to follow these best practices for online meetings:
- Only use agency-approved software and tools
- Require a password for all meetings
- Provide meeting links directly to participants and monitor attendees
- Manage screen-sharing, recording, and file-sharing options
- Consider the sensitivity of data before exposing it to video conference and collaboration tools
Other best practices to combat social engineering scams include verifying e-mails before clicking links, downloading attachments, or responding with personal or sensitive information. Double-check sender addresses and names for typos, and have e-mail filters in place to block spam and phishing attempts.
Another best practice to pass on to staff is to avoid posting personal, work-oriented, or other sensitive information in public spaces, such as on social media platforms. This is the kind of data that a scam artist will exploit in social engineering attacks.
Finally, be aware of what data and sensitive information your company uses and shares in its day-to-day operations. Make sure information shared with third-party vendors is secure. Social engineering artists will often impersonate business partners, financial institutions, and government representatives to con you or your employees.
Best practices for trying times.
We are living in chaotic and unpredictable times, and cybercriminals continue to exploit the current state of disarray. Now more than ever, individuals and organizations need to be vigilant to protect themselves from those who would exploit confusion and panic. It’s critical for you to protect your company’s sensitive data and create a culture of security that can be implemented by employees and associates for the long-haul.
Valeo Networks is a seasoned information technology company that delivers best-in-class, 24/7 managed IT services and solutions for small to medium businesses. As we continue to expand our national reach, Valeo Networks strives to be the leading IT solutions and services provider, giving businesses peace of mind in knowing that their most critical asset, their data, is protected by the best in the business. Contact us today for a FREE consultation.