The remote work environment is especially vulnerable to social engineering attacks because your employees are in the comfort of their own homes and may not know the signs they are being targeted. Ensuring your employees are trained to identify potential threats and incorporate practices that defend against them is important in keeping your company secure.
What is Social Engineering?
Social engineering describes malicious attacks that use psychological manipulation through human interaction to trick users into giving away important information or making security mistakes that give the attacker access to their network. The attacker first identifies a victim and gathers background information, including potential points of entry and weak security protocols. Then the attacker works to gain the victim’s trust and use them to collect information or data or gain access to critical resources over time. When the attacker has what they need, they remove all traces of malware and cover their tracks, closing the interaction without any suspicion.
This method of cyberattack is common because it depends on human error rather than vulnerabilities in software or operating systems. Mistakes made by people are much less predictable, which makes them harder to pinpoint as the root cause even once you realize an attack has occurred.
What Types of Social Engineering Attacks Are There?
Social engineering is a broad term that includes a variety of malicious attacks that depend on human interactions, but there are several common types to look out for. These kinds of social engineering attacks are used frequently, so teaching your employees to look out for them is vital to protecting information.
Phishing/Spear Phishing
Phishing scams are the most common type of cyberattack. They consist of email and text campaigns that incite a sense of urgency, curiosity, or fear in victims. Many use shortened or misleading links that, if clicked on, redirect users to disguised malicious websites.
Others include an attachment that contains malware that will attack the computer if downloaded. Phishing scams usually cast a wide net, sending identical or near-identical messages to all victims.
Spear phishing works similarly but targets specific individuals or organizations. These attacks use messages tailored with recognizable or relevant content to make the attack less suspicious. A common tactic is to send emails to people in a company and make the phishing email appear as if it came from another person in the same company.
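As an added illustration of the two red flags described above (a colleague's name on an external sender address, and a link whose visible text does not match where it actually points), here is a small Python checker a mail gateway or help desk could run; it is not code from the original post, and the company domain, employee directory and sample message are constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for this example: the company's own mail domain and a staff directory.
COMPANY_DOMAIN = "example.com"
EMPLOYEES = {"dana reyes": "dana.reyes@example.com"}

# Matches <a href="...">text</a> in a simple HTML body.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr_or_url):
    """Return the lower-cased host part of an e-mail address or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def check_sender(from_header):
    """Flag a display name that matches an employee while the address is external."""
    name, addr = parseaddr(from_header)
    findings = []
    if domain_of(addr) != COMPANY_DOMAIN and name.strip().lower() in EMPLOYEES:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    return findings


def check_links(html_body):
    """Flag anchors whose visible text names a domain other than the real target."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        shown = re.search(r"(?:https?://)?([\w.-]+\.\w+)", text)
        if shown and shown.group(1).lower() != domain_of(href):
            findings.append(f"link text shows {shown.group(1)} but points to {domain_of(href)}")
    return findings


def analyze(from_header, html_body):
    """Run both checks and return the list of findings (empty means nothing flagged)."""
    return check_sender(from_header) + check_links(html_body)


# Constructed sample message: a known colleague's name on a lookalike domain,
# plus a link whose text advertises the real portal but points elsewhere.
SAMPLE_FROM = "Dana Reyes <dana.reyes@mail-example.co>"
SAMPLE_BODY = '<p>Please review today.</p><a href="http://login-portal.co/x">https://portal.example.com</a>'

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```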
Baiting/Quid Pro Quo
Baiting is similar to phishing but it uses a false promise, usually an item, to entice victims into the trap. This can occur online or in the physical world. Online, baiting may consist of the offer of a free music or movie download that contains malware or ads that lead to malicious sites.
In the physical world, baiting is often a flash drive or CD that looks authentic, so victims insert the physical media into their work or home computer, infecting it with malware. Quid pro quo attacks also promise a benefit in exchange for information, but the benefit is usually a service rather than a good, and the attacker usually impersonates a company or organization.
Pretexting
In pretexting, an attacker fabricates a scenario (or pretext) to steal their victims’ personal information. Usually, the attacker will say they need certain bits of information to confirm the victim’s identity. Then they steal that data and use it to commit identity theft or stage secondary attacks. While phishing attacks mainly prey upon fear and urgency, pretexting attacks require the attacker to build a credible story to gain trust from the victim.
Tailgating
A tailgating attack takes place in the physical world and involves an unauthorized user following an authorized employee into a restricted area. For example, an attacker may impersonate a delivery driver and ask an employee to hold the door, thereby avoiding security yet still gaining access to the building. An attacker might also strike up a conversation with an employee and use this show of familiarity to get past the front desk.
Scareware
This kind of social engineering attack bombards the victim with false alarms and fake threats, usually telling the victim their computer has been compromised by malware. The victim is then prompted to install software that lets the perpetrator in or actually installs malware onto the computer.
How Can Your Employees Protect Themselves?
Aside from knowing the common types of social engineering attacks and becoming familiar with their terminology, there are a few other steps your employees can take to protect themselves.
- Lock your computer whenever you are away from your workstation to prevent unauthorized users from accessing restricted content.
- Do not open suspicious emails or attachments from people you do not know — and be wary of strange emails that appear to be from someone within your company.
- Choose strong passwords and have a system for routinely updating them.
- Use antivirus software and regularly update it — and consider next-generation antivirus that is managed and maintained by a service provider for maximum protection.
- Use multifactor authentication so that your account stays protected even if your password is compromised.
Because social engineering attacks are sophisticated and constantly changing, hiring a dedicated team to train your employees can be your best method of protection. A social engineering assessment will determine your company’s vulnerabilities and allow for the creation of a customized training plan.
ATSG—Transforming the customer experience through tech-enabled managed services
Today’s choices for mobility, cloud, infrastructure, communications, applications, and operations are mission-critical for small, mid-sized, and large enterprises.
ATSG, Inc., is leading the transformation into technology solutions as a service with our tech-enabled managed services portfolio and a commitment to technology innovation, operational excellence, and client intimacy.
Recognized by industry leaders and industry-leading publications, ATSG has over 25 years of operating history delivering exceptional client experiences that directly result in competitive advantage, cost-savings, growth, and improved operational efficiencies.
Visit ATSG.net, email [email protected], call (914) 517-2919, or visit one of our five tri-state locations today for more information.