What is Social Engineering and Why Should You Care?

Small business owners may think that as long as their network and systems are safe from malware, they have nothing to worry about. However, they may not be prepared for social engineering. Social engineering, a form of cybercrime, is used to steal personal information from users. It goes beyond simple phishing scams, using more elaborate methods to steal information.

Here are some common social engineering scams you should know.

Phishing

This is the most frequently used social engineering attack, especially against small businesses.

How is phishing carried out? Criminals use emails, phone calls, or text messages to steal money. Victims are directed to phony websites or hotlines and tricked into giving away sensitive information: names, addresses, login details, Social Security numbers, and credit card numbers can all be compromised.

To protect yourself, be wary of emails from people you don’t know that offer you a prize, come with attachments you didn’t request, direct you to suspicious sites, or urge you to act quickly. Phishing emails usually appear to come from reliable sources.

One of the most infamous and widespread examples of phishing was during the 2016 Summer Olympics in Rio, where victims received fraudulent emails for fake ticketing services that stole their personal and financial information.

Tailgating

What’s the fastest and easiest way for criminals to enter a secure office? Through the front door, of course! Tailgating happens when an employee holds the door open for strangers and unauthorized visitors, allowing them to infiltrate an organization. This simple act of kindness enables fraudsters to enter restricted areas, access computers when no one is looking, or leave behind devices for snooping.

Quid pro quo

Here, scam artists offer a free service or a prize in exchange for information. They may lure their victims with a gift or special offer in exchange for login credentials, account details, passwords, and other important information. Or hackers may volunteer to fix their victims’ IT problems to get what they want. In most cases, the gifts or special offers are fake, but damages from stolen information are all too real.

Pretexting

Pretexting is when criminals pretend to be someone else to steal information. They may pose as a telemarketer, tech support representative, co-worker, or police officer to fish out credit card information, bank account details, usernames, and passwords. The con artist may even convince the unsuspecting victim to apply for a loan over the phone to get more details from the victim. By gaining the person’s trust, the scammer can fool anyone into divulging company secrets.

Despite the many security measures available today, criminals and their social engineering schemes continue to haunt and harm many businesses. So, your best bet is to prepare for the worst. To protect sensitive information, educate yourself and be careful. Remember: If anything is too good to be true, it probably is!

Please contact us to learn more about our cyber security initiatives and how we can help keep your business safe and secure.


Gone Phishing: Top 3 Spear-Phishing Attacks

Impersonations by hackers are increasingly common, sophisticated, and targeted. These hackers aim to uncover your personal information, your business information, and your financial information for their personal gain. Today, the methods they use are more sophisticated than a typo-filled email from a strange address or a staticky phone call.

Understanding the phishing methods that they use – and why they use them – can help you to protect yourself and your business. 

What is Spear-Phishing? 

Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, for malicious reasons. This is achieved by acquiring personal details of the victim. The attackers then disguise themselves as a trustworthy colleague or business partner to acquire sensitive information, typically through email or other online messaging. 


Spear-Phishing vs Phishing 

Spear-phishing can easily be confused with phishing because they are both online attacks on users that aim to acquire confidential information. 

Unlike spear-phishing attacks, phishing attacks are not personalized to their victims and are usually sent to masses of people at the same time. The goal of phishing attacks is to send a phony email (or other communication) that looks as if it is from an authentic organization to a large number of people, banking on the chances that someone will click on that link and provide their personal information or download malware. 


Spear-phishing attacks target a specific victim with personalized communications, designed to look like a message from a trusted source. These kinds of attacks require more thought and time to achieve than phishing. Spear-phishing attackers try to obtain as much personal information about their victims as possible to make the emails that they send look legitimate and to increase their chance of fooling recipients. Because of the personal level of these emails, it is more difficult to identify spear-phishing attacks than to identify phishing attacks. This is why spear-phishing attacks are becoming more prevalent. 

Top 3 Types of Spear-Phishing Attacks 

1. Impersonating Your Boss

Who wouldn’t respond to a request from their boss? Many times, attackers don’t use complex tools or technology to trick you or your employees into wiring money, sending W-2s, giving up credentials, etc. They simply research both you and your employees/superiors by checking out social media accounts or your company’s “About” section. From there, they craft the perfect email (or string of emails) that looks like it’s legitimately from a trusted source. These messages typically do not contain malicious links or attachments, making them very difficult to detect with traditional email security solutions.


2. Impersonating Popular Business App Services You Use Every Day 

Almost every business uses some sort of web-based application to help manage day-to-day workloads and tasks. Attackers are well aware of this and target trusted web services like Gmail or DocuSign as a way to lure unsuspecting victims. These attacks often try to get you to give up account credentials or click on malicious links. For example, you may receive an email informing you that you have unread messages, to reset your password, or to review or sign a document. From there, you’re taken to a fake website portal and accidentally give up your login information. These hackers will then use this to commit fraud or to launch a more targeted attack within your organization. 


3. Impersonating Your Office 365 Account 

Most businesses use Microsoft’s popular cloud productivity service; however, popularity can sometimes be a bad thing. There’s an inherent trust from users when they see an email directly from Office 365, and attackers are capitalizing on this trust. They craft emails that ask you to log into a seemingly “valid” web portal. From there, they can gain access to your account and proceed to send malicious emails to co-workers/employees. What do these particular emails usually contain? You guessed it – a message asking for more sensitive company information or money. Even though Microsoft Office 365 is still a relatively new tool, attackers recognize that it houses a rather large and growing user base, so they plan on taking full advantage. 
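The three spear-phishing patterns above, and the warning signs listed under Phishing (unrequested attachments, suspicious links, pressure to act quickly), can be turned into a first-pass triage check that a mail gateway or help desk could run on a suspicious message. The following is an added example written for this article, not code from the original page or from any vendor product. It assumes a hypothetical company domain `example.com`, an executive named "Jane Doe" whose display name is worth protecting, and an assumed mapping of the brands the article names (DocuSign, Office 365, Gmail) to the domains their real login pages live under; the sample messages are constructed for the demonstration.

```python
"""Added example: cheap header and content heuristics for the spear-phishing
patterns described in the article (executive impersonation, lookalike
service portals, reply-to redirection, urgency, unrequested attachments)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# --- Hypothetical organisation data (assumptions for this example) ---
COMPANY_DOMAIN = "example.com"            # our own mail domain
EXECUTIVES = {"jane doe"}                 # display names attackers would borrow
URGENCY_PHRASES = ("urgent", "immediately", "right away", "asap", "today")
# Brand name -> domain its genuine login page lives under (assumed allow-list).
BRAND_DOMAINS = {"docusign": "docusign.com", "office365": "microsoft.com",
                 "microsoft": "microsoft.com", "gmail": "google.com"}
URL_RE = re.compile(r"https?://[^\s<>)]+")


def _domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg) -> str:
    """Concatenate every text/plain part so phrases and links can be scanned."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> list:
    """Return the spear-phishing signals found in one raw RFC 5322 message.

    An empty list means none of the heuristics fired; it does not prove the
    mail is safe, only that none of these cheap-to-check patterns appear.
    """
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)
    signals = []

    # 1. "Impersonating your boss": an executive's name on an external address.
    if display.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        signals.append("exec-name-on-external-address")

    # 2. Replies silently routed to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        signals.append("reply-to-domain-mismatch")

    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()

    # 3. Pressure to act quickly, one of the article's warning signs.
    if any(phrase in text for phrase in URGENCY_PHRASES):
        signals.append("urgency-language")

    # 4. "Impersonating business apps": a link whose host borrows a brand name
    #    but is not the brand's real domain or a sub-domain of it.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and host != legit and not host.endswith("." + legit):
                signals.append(f"lookalike-link:{host}")
                break

    # 5. An attachment arriving from outside the company.
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()) \
            and from_domain != COMPANY_DOMAIN:
        signals.append("external-attachment")

    return signals


# Constructed sample messages (not real mail).
BOSS_WIRE_REQUEST = """\
From: Jane Doe <jane.doe@mail-example.net>
To: accounts@example.com
Subject: Quick favour

I am in a meeting and need a wire sent immediately. Reply with the
account details you need from me.
"""

APP_LURE = """\
From: DocuSign <noreply@docusign-secure.example>
To: staff@example.com
Subject: Document awaiting your signature

Review and sign here: https://docusign-secure.example/login
"""

O365_LURE = """\
From: Microsoft Office 365 <no-reply@example.com>
Reply-To: support@office365-verify.example
To: staff@example.com
Subject: Action required: your mailbox will be closed today

Sign in at https://office365-verify.example/portal to keep your account.
"""

NORMAL_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Minutes

Minutes from yesterday are in the shared folder.
"""

if __name__ == "__main__":
    for name, raw in [("boss", BOSS_WIRE_REQUEST), ("app", APP_LURE),
                      ("o365", O365_LURE), ("normal", NORMAL_INTERNAL)]:
        print(f"{name:>7}: {triage(raw) or 'no signals'}")
```

The boss-impersonation case is the one the article says slips past link- and attachment-based filters: it carries no URL and no file, so only the display-name/domain check and the urgency wording catch it. The checks are deliberately conservative; a hit should route the message to a person for review, not block it outright.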

