Protecting Your Business from Social Engineering Attacks
As long as businesses have been operating, they have been vulnerable to criminal interference and attacks. Today, the majority of these attacks have moved online, with data breaches costing Australian businesses over $3 million, costing the economy over $1 billion each year and affecting 78% of small businesses in 2019 alone. At the root of most cybersecurity attacks are social engineering tactics that criminals use to exploit our innate sense of trust in society, gaining that first, critical access through the key vulnerability in every business – people.
Social Engineering Tactic #1 – Tailgating
Let’s start with the tactic that’s furthest from the realm of IT – tailgating. This is a physical security issue with massive cybersecurity implications. Essentially, an unauthorised person (an ex-employee, an employee with lower security clearance or even a stranger) follows an employee into the business or a restricted area using a common ploy, like saying they’ve forgotten or lost their RFID card. This applies to devices too: an unauthorised person borrows or uses a laptop, desktop or other device connected to the network because they “need to send something quickly” or “look something up”.
We tend to trust those around us and even give strangers the benefit of the doubt – after all, we’ve all lost keys or forgotten to send an urgent email at some point or another. We tend to act generously in the moment before our natural suspicions have time to occur.
Both physical intrusions can take place within seconds and allow the wrong people access to sensitive data and your business network, giving them the opportunity to steal data or upload malware.
Social Engineering Tactic #2 – Phishing and Spear Phishing
You’re sitting at your desk, working on your project when an email or chat message arrives from someone higher up in the organisation. The tone is urgent and demanding, commanding you to make an emergency or overdue payment, or supply a password. The request looks legitimate and maybe even comes with the person’s official signature, logo or branding, and time is of the essence – so you comply. Only, the person supposedly making the request has no idea about what’s going on.
This is known as a spear phishing attack – a phishing attack aimed at specific individuals within a company, often impersonating someone in a senior role, in which the target is told to take some immediate action. Because we are trained to comply with senior staff requests, and because these messages look legitimate and the tone is so urgent, many people respond and fulfil the request before they have a chance to think properly.
Social Engineering Tactic #3 – Baiting
Baiting takes a similar form to phishing – usually an email or message – but instead tries to entice you into handing over sensitive information in exchange for some reward. It sounds simple to avoid, but it’s especially tricky because the lure is so creative and appealing. It can be something as simple as a free movie download sent to your inbox (perhaps even impersonating a friend or co-worker of yours), or a link to interesting organisational information that could be personally relevant to you. Once you open the link or run the download, the malware activates.
It taps into our love of rewards and our curiosity at the same time, which is a powerful combination. Worse, many people fear they will be ridiculed or punished for taking the bait, which gives the malicious software more time to wreak havoc on your network.
Social Engineering Tactic #4 – Impersonation
This occurs in many different cybersecurity attacks, including spear phishing and baiting: someone poses as another person within the organisation. It doesn’t always have to be someone senior, although that is the preferred approach in spear phishing. Often cybercriminals simply call their target directly (perhaps after gaining access to the internal communications network by tailgating an individual) and behave as if they are performing a routine task, such as an IT person collecting data for an audit or upgrade, that requires certain information from the employee: their password, private data or other sensitive information.
This plays on our natural trust of others, especially if they sound like they are legitimately from the organisation or have a solid backstory, and our willingness to help.
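As an added example (not part of the original article), the following Python checks a message for the warning signs described under tactics #2 and #4: a senior colleague’s name on a mailbox outside the organisation, a Reply-To that redirects replies elsewhere, and urgent wording paired with a request for money or credentials. The internal domain, staff names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: the organisation's own mail domain and the
# staff whose names are most likely to be impersonated in a spear-phishing email.
INTERNAL_DOMAIN = "example.com.au"
SENIOR_STAFF = {"Jane Citizen", "Mark Lee"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|overdue|today)\b", re.I)
REQUEST = re.compile(r"\b(payment|transfer|invoice|password|login|credentials)\b", re.I)


def assess_message(raw: str) -> list[str]:
    """Return the social-engineering warning signs found in one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []
    # Tactic #4: a senior colleague's name shown on a mailbox outside the organisation.
    if from_name.strip() in SENIOR_STAFF and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{from_name}' but external sender domain '{from_domain}'")
    # Replies silently redirected to a mailbox other than the visible sender's.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From domain ({reply_addr})")
    # Tactic #2: urgent tone combined with a demand for money or credentials.
    if URGENCY.search(text) and REQUEST.search(text):
        findings.append("urgent request for payment or credentials")
    return findings


# Constructed sample messages (not real mail) showing a suspicious and a benign case.
SPEAR_PHISH = """From: Jane Citizen <jane.citizen@mail-hosting.example>
Reply-To: accounts@payments-portal.example
To: staff@example.com.au
Subject: URGENT overdue payment

Please process this invoice immediately and confirm. I'm in a meeting.
"""

LEGIT = """From: Jane Citizen <jane.citizen@example.com.au>
To: staff@example.com.au
Subject: Team lunch Friday

No rush, just let me know if you can make it.
"""

if __name__ == "__main__":
    print(assess_message(SPEAR_PHISH), assess_message(LEGIT))
```

Rules like these catch the cheap versions of the tactic; they are a prompt for a second look, not a substitute for confirming an unusual request by phone or in person.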
How to Protect Your Business
To protect your business from cyberattacks, it is important to find the right managed IT services provider. They will be able to design, implement and manage an IT solution within your budget, so you don’t have to expend essential capital on non-core business resources.
At Otto IT, our focus is on providing cost-effective, state-of-the-art IT services and training specifically for small businesses, from IT support and cloud solutions to network security and disaster recovery. Contact us and find out how we can help prevent your business from becoming a statistic.