Many of these threats rely on our psychology to trick us into handing over access to valuable and sensitive information. Put another way, criminals use our willingness to help, submission to authority, or ignorance against us.
The most well-known example of these attacks is phishing. Verizon’s 2016 Data Breach Investigations Report found that 30 percent of phishing messages were opened, and about 12 percent of users clicked the malicious attachment or link, enabling the attack to succeed. That might not sound like much, but phishing scams continue to be the most-used tactic by malicious actors because they can be incredibly successful while requiring the least amount of work.
Unfortunately, phishing is only one arrow in the hacker’s quiver. There may be tell-tale signs of these scams, but if you want your users to spot these threats and protect your organization’s data, they’ll need education and continual reinforcement.
Much of this will be familiar to those of you well-versed in security, but if you have users or colleagues who might need a review, here are three common social engineering scams hackers use, and how to defuse them.
Tactic #1: Solicitation over email. Email is often the primary way employees communicate with colleagues, customers, and outside vendors. Criminals know that, and try to exploit an employee’s willingness to click a link or open an attachment. Common lures ask users to verify or renew credentials, update a password, or sign in to prevent account expiration. Another common attack is soliciting feedback on behalf of a seemingly reputable vendor or service. Sophisticated attackers will research organizations to determine how to inflict the most damage; common targets are health care providers or benefit administrators, partner companies, and local businesses.
The right response: Scrutinize suspicious emails. Was this email expected, and has this sender communicated with you via email in the past? If an email is suspicious, examine its embedded links (hover over them, but don’t click) to determine whether they actually lead to the website they claim to. Be careful about attachments, too: Macros can be embedded in PDFs and text files and automatically run malware, so don’t open attachments from suspicious sources. If you’re unsure of an email’s contents or notice any suspicious behavior, contact the help desk immediately.
Tactic #2: A help desk support call. If your organization has multiple locations or a large headcount, it’s impossible to know everyone; by extension, it’s difficult to recognize if the person calling is an employee or trusted vendor. Attackers can take advantage of this by impersonating legitimate employees (a LinkedIn search is easy enough) or by pretending to be a vendor or partner. Attackers may ask for log-in credentials to “fix a problem” or “figure out what’s causing network slowdowns.” Another method is asking employees to visit a website that sounds legitimate but secretly installs malware onto the computer.
The right response: Authenticate who you’re dealing with. Don’t be afraid to hang up the phone and initiate a phone call yourself. Or contact the sender via a different method – if you got a phone call, try emailing or messaging the person. This is especially critical in companies or organizations with hundreds or thousands of employees, where you can’t know everyone by voice, so always make direct contact through a channel you chose to follow up on a suspicious email or phone call.
Tactic #3: An in-person IT support visit. Posing as a legitimate employee can be quite effective at locations with a limited number of employees. In this scenario, attackers pretend to be with IT and ask for access to a server room or network closet. If your organization doesn’t have an authentication or access control process, most employees are hesitant to challenge this type of social engineering attack. Don’t believe me? Of the last 10 locations where I’ve used this cover, I was turned away only once.
The right response: Shut the door, and call a supervisor. Malicious actors get into the building because people hold the door. Next time, don’t be afraid to close the door behind you, even if you think it’s rude. If someone is inside the building, call IT or another department so together you can verify this person is allowed on site and is there for a legitimate business purpose.
Outsmart the scammers
Malicious actors know these interactions often elicit a response that provides access to sensitive data, because they exploit psychological techniques and our willingness to comply. But your organization can be smarter: By following these steps, you can identify suspicious interactions that merit additional screening and thwart a network breach.
These solutions all boil down to validating a communication’s veracity. Though there’s no perfect solution to prevent employees from clicking on a phishing message, sharing these tips with your employees should help protect your organization’s data.
Do you have suggestions for educating employees? Leave us a comment below.