Social Engineering Inboxes and Voicemail
Social engineering is non-technical, malicious activity that exploits human contact to obtain information about internal processes, configuration and technical security policies in order to gain access to secure devices and networks.
Such attacks are typically carried out when cybercriminals pose as credible, trusted authorities to convince their targets to grant access to sensitive data and high-security locations or networks.
An example of social engineering is a phone call or email telling an employee that their computer is sending bad traffic to the Internet. To "fix" the issue, the user is asked to call or email a tech support hotline, where they are prompted for information that could very likely give the cybercriminal access to the company’s network.
Phishing Email Compromises
One of the most common forms of social engineering is email phishing, which is an attempt to acquire sensitive information such as usernames, passwords and credit card data by pretending to be a trustworthy entity. Phishing is likely the primary email threat that employees need to focus on and be wary of.
Such emails often spoof people within the company who are in positions of authority, a customer or a business partner, and do so in a sophisticated, subtle way so that the victim believes they are responding to a legitimate request.
Federal sources report that CEO (or C-level) fraud has increased 270 percent in the past two years, with over 12,000 reported incidents totalling over $2 billion in corporate losses. Among the reasons these scams succeed is the appearance of authority: staff are used to carrying out the CEO’s instructions quickly. That’s why phishing can be so easy to fall victim to.
Four Common Phishing Techniques
The scope of phishing attacks is constantly expanding, but attackers frequently utilise one of these four tactics:
- Embedding links into emails that redirect users to an unsecured website requesting sensitive information.
- Installing Trojans via a malicious email attachment or posting ads on a website that allow intruders to exploit security loopholes and obtain sensitive information.
- Spoofing the sender address in an email to appear as a reputable or known source and requesting sensitive information.
- Attempting to obtain company information over the phone by impersonating a known company vendor or your IT department.
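The sender-spoofing tactic above leaves traces in the message headers that a mail filter or an analyst can check before anyone acts on the request. The following is an added example written for this page, not code from the original article: it parses a message with Python's standard email library and flags the three header patterns that distinguish a CEO-fraud message from ordinary internal mail. The organisation domain (example.com), the executive names and both sample messages are constructed.

```python
"""Flag the sender-address warning signs of a spoofed or CEO-fraud email.

Added example for the "spoofing the sender address" tactic; not code from the
original article. The organisation domain, executive names and the sample
messages are constructed for illustration.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed: the organisation's own mail domain and the names an impersonator
# is most likely to borrow for an "urgent request" message.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_warnings(raw_message):
    """Return one warning string per suspicious sender characteristic.

    1. The From display name is an executive's, but the From domain is not
       the organisation's own (the CEO-fraud pattern described in the article).
    2. Reply-To is in a different domain than From, so replies are diverted.
    3. Return-Path (the envelope sender) is in a different domain than From.
    Header checks cannot prove spoofing on their own; they pick out messages
    that deserve verification through a channel other than the email itself.
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    warnings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    if from_name.strip().lower() in EXECUTIVES and from_domain != TRUSTED_DOMAIN:
        warnings.append(
            f"display name '{from_name}' is an executive but the address domain is '{from_domain}'"
        )

    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    return_domain = _domain(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        warnings.append(f"Return-Path domain '{return_domain}' differs from From domain '{from_domain}'")

    return warnings


# Constructed sample: an executive's name on a lookalike domain, with replies
# and bounces routed to a third domain.
PHISHING_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp.example>
Reply-To: ceo.office@freemail.example
Return-Path: <bounce@freemail.example>
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: the same executive writing from the organisation's domain.
LEGITIMATE_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget

Numbers attached.
"""

if __name__ == "__main__":
    for warning in sender_warnings(PHISHING_SAMPLE):
        print("WARNING:", warning)
```

Run as a script, the phishing sample produces three warnings and the legitimate sample none. The checks deliberately stay at the header level; they are a triage aid that tells a recipient which "urgent" requests to confirm by phone or in person rather than by replying.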
Email Security Best Practices: Five Ways to Block Phishing Attacks
Employees should always be suspicious of potential phishing attacks, especially if they don’t know the sender.
Here are five best practices to follow to help make sure you don’t become a victim:
- Don’t reveal personal or financial information in an email
Make sure employees also know not to respond to email solicitations for this information, and that this includes clicking on links sent in such emails.
- Check the security of websites
This is a key precaution to take before sending sensitive information over the Internet. A URL that begins with http:// indicates the site has not applied any security measures, while https:// means it has. Also consider whether employees are practising safe browsing habits: sites that do not serve a legitimate business purpose are more likely to contain harmful links.
- Pay attention to website URLs
Not all emails or email links look like phishing attacks, so employees may be lulled into a false sense of security. Many malicious websites fool end users by mimicking legitimate websites. One way to sniff this out is to look at the URL (if it is not hidden behind nondescript link text) to see whether it looks legitimate. You can also detect and evade some of these schemes by spotting variations in spelling or the use of a different domain (e.g., .com versus .net).
- Verify suspicious email requests
Contact the company the email claims to be from directly. If an employee receives an odd-looking email from a well-known company, such as a bank, instruct them to reach out to the bank by means other than replying to the suspicious email address. It is best to contact the company using the information provided on an account statement, not any of the information provided in the email.
- Keep a clean machine
Running the latest operating system, software and web browser, together with antivirus and malware protection, is the best defence against viruses, malware and other online threats. It may be difficult for employees to keep up with this, so the business may want to invest in a managed IT services provider who can also act as a trusted advisor for all IT needs.
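The "check the security of websites" and "pay attention to website URLs" practices above can be automated for the links inside an email, which is how a mail gateway or a help-desk triage script applies them. The following is an added example written for this page, not code from the original article. It assumes the message body is HTML, and the trusted domains and the sample message are constructed. An https check on its own is not sufficient, since a lookalike site can also be served over https, so the code additionally compares each link's real hostname with the text the user sees and with the domains users legitimately deal with, catching the .com-versus-.net swaps and misspellings the article describes.

```python
"""Check the links in an email body for the URL warning signs in the article.

Added example, not code from the original article. Assumes an HTML body;
the trusted domains and the sample message are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domains employees are expected to be sent to legitimately.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}
# Link text that itself looks like an address, e.g. "www.examplebank.com/login".
HOSTLIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname; bare 'www.x.com/...' text gets a scheme so it parses."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Last two labels: 'login.examplebank.com' -> 'examplebank.com' (two-label TLDs ignored here)."""
    return ".".join(host.split(".")[-2:])


def _edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain a host imitates, or None if it is trusted or unrelated."""
    reg = _registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if trusted in host or brand in host.split(".")[:-2]:
            return trusted  # trusted name buried in a subdomain of another site
        if reg.split(".")[0] == brand:
            return trusted  # same name, different TLD (.com versus .net)
        if _edit_distance(reg, trusted) <= 2:
            return trusted  # misspelling such as examp1ebank.com
    return None


def link_warnings(html_body):
    """One warning per problem found: a non-https link, link text that names a
    different host than the real destination, or a destination that imitates
    a trusted domain."""
    collector = _LinkCollector()
    collector.feed(html_body)
    warnings = []
    for href, text in collector.links:
        host = _host(href)
        if urlparse(href).scheme.lower() != "https":
            warnings.append(f"{href}: not served over https")
        if HOSTLIKE.match(text) and _host(text) != host:
            warnings.append(f"{href}: text shows '{_host(text)}' but the link goes to '{host}'")
        imitated = lookalike_of(host)
        if imitated:
            warnings.append(f"{href}: '{host}' imitates '{imitated}'")
    return warnings


# Constructed sample body: a trusted name hidden in a subdomain, a misspelled
# domain, and one genuine link.
SAMPLE_BODY = """
<p>Your account has been locked. Sign in at
<a href="http://www.examplebank.com.verify-login.example/reset">www.examplebank.com</a>
to restore access, or use <a href="https://examp1ebank.com/login">our secure portal</a>.</p>
<p>Help: <a href="https://www.example.com/help">www.example.com/help</a></p>
"""

if __name__ == "__main__":
    for warning in link_warnings(SAMPLE_BODY):
        print("WARNING:", warning)
```

On the sample body the first link draws three warnings (plain http, visible text naming a different host, and the trusted name used as a subdomain of another site), the misspelled domain draws one, and the genuine link none. The registrable-domain helper is deliberately simple and does not handle two-label public suffixes; a production filter would use a public-suffix list for that step.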
Stay tuned for next week’s chapter on Username and Password Management