November 6, 2017
What are Social Engineering Scams?
Social engineering scams are tactics that allow hackers to access your systems through direct manipulation of your employees. This takes cyber-attacks to a whole new level, and it is challenging because it can be extremely difficult to prevent. With social engineering, the hacker focuses on a specific target. They will try to fool their target into clicking on a link and downloading a file, or they’ll try to get them to reveal personal and confidential information like usernames and passwords.
What are the main Social Engineering Scams to watch out for?
There are 5 main social engineering scams. Read below to find out how to spot them before hackers can do damage to your systems.
- Phishing – Phishing is by far the most common of the social engineering scams. The hacker will pose (via email) as a financial institution or some other authoritative group (like a government agency). They will send out an email that requires “urgent” attention from the target user. These emails will contain a malicious attachment or an embedded link. When the user interacts with the attachment or link, malware is released into the system. Sometimes it is obvious right away; other times it lurks silently, waiting to strike at a later date.
- Baiting – Baiting is a lot like phishing. The user will receive an email from a seemingly reliable source. The message will include some sort of incentive or reward for engaging with the content. Often this will be in the form of a free gift the employee can claim.
- Pretexting – Pretexting is when an individual lies and pretends to be someone else in order to trick an employee into sharing information, sending money to a fraudulent account, or opening a malicious attachment. Usually this is done via email with a Business Email Compromise (BEC) scam. The cyber criminal will pretend to be in a position of authority in the company. They will send a communication from a fake email address that at first glance appears to be legitimate. They’re betting people are so busy they won’t notice that the email address is spelled slightly differently, and they are right. How often do you actually look at the long form email address for contacts you already know? In the email they’ll give the employee instructions to open a malicious attachment or send money to a new (fraudulent) supplier. In another form of pretexting, the criminal asks the employee to verify personal information. They are very talented and manipulative, and can easily trick an unsuspecting person into revealing more and more information over time.
- Quid pro quo – This is a bit like baiting, where the employee is (seemingly) getting something of value in exchange for information. Often this will take the form of someone pretending to be in IT support and offering to fix something on the employee’s machine in exchange for their login information. They’ll claim they need this in order to correct a problem on the employee’s computer. Or better yet, in an ironic twist, they say they want to install data security software to protect the employee from hackers.
- Tailgating – This form of social engineering is more hands-on and in-person. As your employee is approaching the door to the office, they will be followed in by another “employee” or “delivery person.” Often the fake employee will pretend to have their hands full and be struggling to find their badge. These types of scammers are incredibly comfortable with conning people, and appear to be friendly and social. They might even read the employee’s name off their badge and pretend to know them. And now they have access to your facility. Side note: this is a particular vulnerability for small and mid-sized businesses leasing space in larger office buildings. Someone will gain access to the building as a whole and then easily follow an employee into their work area.
How can I protect my business from Social Engineering?
Training. Training. Training. There’s no magic wand…preventing social engineering requires you to strengthen every link in your chain. Each employee is potentially a vulnerable entry point, and you must give them the skills to spot a social engineering scam and shut it down. A strong training program will give people the information, test their knowledge, and continually refresh the team to keep their skills sharp.
For more information on how to train your employees to stay vigilant, visit the Security Awareness Training portion of our website.
If you would like to start a data security training program, please call us at (866) 407-1284, email us at Info@ait2022.wpengine.com, or use the Contact Us page.
– The AccountabilIT Team