Every day your inbox is bombarded with suspicious emails asking for sensitive personal or business information. Careless responses to these emails can have huge consequences for the unwary and lead to downtime, data breaches, and serious financial loss. These types of threats are considered social engineering, a term for manipulating people into doing something they would not normally do.
We talked with cybersecurity expert June Middleton about social engineering, its dangers, and how best to defend against them. Middleton is a former Information Security Manager for O’Reilly Auto Parts and Network Security Engineer for Jack Henry & Associates specializing in penetration testing. She is currently CFO and Director of Operations for North Point Church in Springfield, MO.
What does the threat look like?
Phishing emails are becoming more specific and tactical towards people because there is so much more personal information about us out in the world. We are seeing more corporate and CEO type phishing attacks against HR and financial staff members because the perpetrators will follow who has control of the money, and it’s paying off big for them.
Social engineering attacks are not limited to email. Two other common methods of phishing that are used widely today are vishing (phishing by phone elicitation) and SMSishing (phishing by SMS text messages). Both have the same goals as more traditional phishing attacks, but smartphones can be particularly vulnerable.
Often targeted is information that provides potential answers to online financial site security questions (such as birth date, birth city, maiden name, pet’s name, favorite vacation spot, etc.), outright account numbers, or confidential information on the person or corporation’s staff.
Sometimes the adversary isn’t seeking any information at all, but rather, trying to get the recipient to open a document or click on a link that will download malware/keylogger onto their device which would ultimately give them the direct access they seek. Some phishing attacks also include ransomware which attempts to hold your business hostage for financial gain.
How can I defend against these attacks?
The number one tip I would give is to slow down! While we can try to make sure less of our personal information is readily available on the Internet, we can’t always control it. What we can control is the pace at which we react to things we receive by email, phone calls, or text message.
We need to continually review the entire situation slowly, and ask ourselves questions during the pause. Was I expecting this email and/or attachment from this person? Is this information I should be providing in an email or over the phone? Do I really know who is on the other end of the email, phone call, or text message?
How can I protect my business?
There are many ways to protect your business from social engineering, including:
- Provide corporate and local area security awareness training
- Conduct annual social engineering penetration testing (internal and external)
- Do not post sensitive information or un-scrubbed documents online – there is NO delete button!
- Do not talk to strangers (know your customers and employees)
- If it seems too good to be true, it probably is
- Use strong passwords and security settings
- Choose applications and third-party providers wisely
- Implement the ‘outside of this organization’ email banner on all corporate email
Businesses need to educate and train their end users about the different forms of social engineering, particularly phishing. All the expensive, shiny new security tools and equipment will not prevent attacks or data breaches if the human firewalls are easily compromised.
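The last item in the list above, the "outside of this organization" email banner, is a mail-gateway rule. The Python below is an added example, not code from the article or from the interviewee, of the logic such a rule applies: it parses a raw message, decides whether the sender-related headers point outside the organization and, when they do, tags the subject, adds marker headers and prepends a banner to the plain-text body. The organization domain example.org, the header names X-External-Sender and X-External-Reasons, and the two sample messages are all constructed assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical organization domain; an assumption made for this example.
ORG_DOMAIN = "example.org"

# Banner prepended to the body of every message that fails the checks.
BANNER = (
    "[EXTERNAL] This message originated from outside of this organization.\n"
    "Do not click links or open attachments unless you recognize the\n"
    "sender and were expecting the message."
)


def is_internal_domain(address: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True only if the mailbox domain is org_domain or a subdomain of it.

    An exact / dot-suffix comparison is used on purpose: a substring test
    ("example.org" in domain) would accept look-alike domains such as
    example.org.mail-relay.example.
    """
    _, addr = parseaddr(address)
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    org = org_domain.lower()
    return domain == org or domain.endswith("." + org)


def classify(msg: EmailMessage, org_domain: str = ORG_DOMAIN) -> list:
    """Return the reasons a message should be treated as external.

    An empty list means every sender-related header points inside the org.
    """
    reasons = []
    from_hdr = msg.get("From", "")
    if not is_internal_domain(from_hdr, org_domain):
        reasons.append("from-domain-external")
    # Reply-To and Return-Path are where replies and bounces actually go;
    # either one pointing outside the org is worth surfacing to the reader.
    for header, tag in (("Reply-To", "reply-to-external"),
                        ("Return-Path", "return-path-external")):
        value = msg.get(header, "")
        if value and not is_internal_domain(value, org_domain):
            reasons.append(tag)
    # A display name that itself looks like an e-mail address makes a mail
    # client show an internal-looking sender; flag it for the reader.
    display_name, _ = parseaddr(from_hdr)
    if "@" in display_name:
        reasons.append("display-name-contains-address")
    return reasons


def tag_message(raw: bytes, org_domain: str = ORG_DOMAIN) -> EmailMessage:
    """Parse a raw RFC 5322 message and apply the external-sender banner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = classify(msg, org_domain)
    if not reasons:
        return msg
    msg["X-External-Sender"] = "yes"
    msg["X-External-Reasons"] = ", ".join(reasons)
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = "[EXTERNAL] " + subject
    # Prepend the banner to the plain-text body; HTML-only messages keep
    # the marker headers and subject tag but their body is left untouched.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNER + "\n\n" + body.get_content())
    return msg


# Constructed sample messages for the example (not real mail).
SAMPLE_INTERNAL = b"""\
From: Alice Example <alice@example.org>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Noon in the lobby?
"""

SAMPLE_LOOKALIKE = b"""\
From: "ceo@example.org" <payments@example.org.mail-relay.example>
Reply-To: finance-desk@mail-relay.example
To: hr@example.org
Subject: Urgent: updated payroll details
Content-Type: text/plain; charset="utf-8"

Please update the direct-deposit account before today's payroll run.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_LOOKALIKE):
        tagged = tag_message(raw)
        print(tagged["Subject"], "->", tagged.get("X-External-Reasons", "internal"))
```

The domain comparison is exact or dot-suffix deliberately: a substring match would accept a look-alike domain that merely contains the organization's name, which is the case the second sample message exercises. In production this logic lives in the gateway (an Exchange transport rule or a milter) rather than in a script, but the checks are the same, and the marker header gives the mail client and the SIEM something to filter on.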
Contact your managed IT services provider for help to implement some or all of the ideas listed above.