When your organization decides to update or implement an information security policy, ensure that this policy provides training for your employees upon how to identify a social engineering attack.
Social engineering is a term that describes the tactics that scammers use when they are trying to rip off an organization. It's true that social engineering attacks come in all shapes and sizes, from the Toner Pirate Scam all the way to Whaling Attacks.
Organizations must train their employees to recognize and report suspected scams. Some social engineering attacks seem obvious and spam filters can be setup to mitigate many of these unsolicited attacks that come through email.
More coordinated social engineering attacks may involve someone calling your organization posing as a potential client. They may call and ask probing questions that can be used to compromise your organization's financial accounts, social media accounts or more.
Let's take a closer look at popular social engineering scams that businesses must combat each and every day.
The Toner Pirate Scam
Enterprises of all sizes typically have a person designated to handle all incoming phone calls that require human interaction. The Toner Pirate Scam uses the classic social engineering technique of calling a receptionist and posing as the vendor that services your office's copiers, scanners, and multifunctional devices.
The scammers pressure the person answering the phone to respond to questions such as. "What model printers do you have in your office?" and, "Who is your accounts receivable associate?" They may even frame the questions as a "Routine audit" of the types of equipment that they have deployed.
When unsuspecting office members answer these questions, your business will begin getting nondescript invoices delivered directly to the person responsible for paying the bills in your company.
The scam is executed when the toner pirates will legitimately sell your business a toner cartridge for the model of printer that you have, however, your accounts payable person will unknowingly pay nearly $700 for a single toner that routinely costs $50-$75 through your local dealer.
Whaling Attacks – It's Bigger than Phishing Scams
Social Engineering teams have begun shifting their focus from the small "Phish," such as mid-level associates, to targeting executive leadership, better known as "Whales."
Phishing attacks are popularly used by scammers who aim to extract information out of a business via email. While Phishing attacks target associates that interact with the public, Whaling attacks go beyond that and directly target the executive staff in your organization.
Why Whaling Attacks Work
No organization should ever rule out the possibility of a Whaling Attack for one distinct reason: There's probably a tremendous amount of public data available about your executive leadership that can be used to hijack identities through services with weak password retrieval policies in place.
Not only that, while many of your employees may be aware of social engineering tactics, executives sometimes get a pass on critical information awareness training. Executives are more likely to sacrifice security for convenience, using unapproved devices or by asking a low-level IT employee to remove a content filter for personal internet use.
Snapchat Gets Hit by Whaling Attack
Snapchat, a company that ironically touts the security of its photo sharing app, was the target of a Whaling Attack that put some of its employees' personal information into the hands of a social engineer.
In February of 2016, Snapchat admitted in a blog post that its HR department was tricked into sending out confidential information about its employees to a person posing as an executive within the company.
How can you prevent your business from becoming the target of a Whaling Attack?
How to Mitigate a Social Engineering Attack
Because of social engineering, organizations must implement stringent policies that protect against the possibility of a social engineering attack. Because social engineering attacks are becoming so prevalent, it is advisable that all businesses provide some sort of training to their employees to keep them up to date on the latest social engineering tactics.
Consider Hardening Your Internal Information Services Policy
What if an executive asks your HR representative for sensitive information? What's your organization's policy concerning the transfer of this data?
Your organization should craft a policy concerning these very transfers such as requiring the hand delivery and signature of the person receiving the data. This type of policy helps mitigate the potential for a data leak versus providing access to a PDF that can shared with anyone.
Heavily Train All of Your Employees on Social Engineering Awareness
Did you know that social engineers will sit around on the phone all day trying to scam a business? Oftentimes, they only have to be successful once in order to make enough money to make their endeavor worthwhile.
- Your organization should document all of its vendors and have those on a list for the receptionist to use to verify vendors when they call.
- Those answering the phones should be heavily trained on social engineering while simultaneously staying up to date on the latest scams.
- Particular industries may be more susceptible to scams than others, so pay close attention to social engineering scams crafted for your line of business.
Implement a Two Factor Authentication Scheme
Your business should always consider using two factor authentication on all of its public facing services that require a username and password. Having a two factor authentication scheme is a must for businesses that are required to provide remote connectivity to the network.
Furthermore, it provides an additional layer of security knowing that two factors must be met before authentication is granted. Two factor authentication provides extensive audit logs which provide evidence of who, what, where, when and how parties are trying to authenticate onto your network.
If you have any worries about your network security, please call us at (833) 482-6435, or click the banner below to schedule an IT security audit so we can find the best security solutions for your business. Preparation for threats like this is a small cost compared to repairing the damage of an actual infection.
If you enjoyed this IT Support article, please check out other posts on our blog and join us on Facebook, Twitter, LinkedIn, and Google+ to see how else we can help your Greenville, SC or Atlanta, GA area business succeed!