Social engineering is currently one of the hottest topics within the IT security world – for good reason. The use of this attack method is only increasing, as phishing attempts grew by a whopping 250% between October 2015 and March 2016, and to make matters worse, combating this threat poses a very unique challenge.
While phishing methods can sometimes be blocked by email spam protections and other similar barriers, detection mostly falls on employees who are challenged to figure out what is real or not. This can be much more difficult than it seems – and it’s only getting harder.
Take the following into consideration. Emails can appear as though they are sent from official sources – with official graphics, signatures and more – all of it might pass the smell test. Everything but a small change in the link address can appear perfectly normal.
Then there are the more insidious methods of social engineering. What happens if someone approaches your front desk posing as a delivery driver, is allowed to walk back into your building and attaches a criminal device to your network? While this seems like an unlikely scenario, it happens.
We’ve previously written about this attack method, but it’s worth repeating that these attacks are designed to play on our weaknesses as humans. As trusting people, we generally assume that if someone is asking for something they probably need it, so we’re working at a steep disadvantage.
The best way to combat this is training your employees to pick up on suspicious behavior. Past dead giveaways – like obvious spelling errors and poor grammar – are becoming increasingly hard to come by. Cyber criminals and their methods have evolved.
Here are a few popular attack methods to familiarize yourself with.
Social Engineering Attack Methods
- Negative Consequences. “Click on this link, or something bad will happen.” This is probably the most common phishing method and comes in a wide array of varieties. Some of these threats can be very serious – like a fake alert from a bank asking you to click on a link to verify your identity – but others can play on minor things we’d just like to avoid. A phishing attempt like this may instead appear as though it’s from a coworker, asking you to open an attachment and noting that they will call you in 15 minutes to discuss. This puts pressure on the user to open the attachment or risk sounding uninformed over a call, which will of course never come.
- Too Much Detail. “I would like to explain this to you, and this, and this, and this and click the link here to skip over all this explaining.” People who work in offices receive a ton of emails every day, many of which can be a little odd but completely innocent. Perhaps a coworker likes to get a little long-winded, or health care providers send long yet detailed descriptions of policy updates. Whatever the case, cyber criminals know that they can trick users into clicking on a link without thinking by sending text-heavy emails with a hyperlink that really stands out. Rather than read, they’ll just skip to the link to see whatever the email is about. Unfortunately, by the time they’ve clicked, it’s too late.
- Fake Authority. “We’ll Never Ask for Your Login.” A third common scam presents a sense of authority that tricks users into clicking on a link. These emails prominently display confidentiality notices, stating, for example, that they will never ask for your login info over email and that it must be authenticated at their source site. Of course, this boast really means nothing, but it gives the email an appearance of being more trustworthy than it really is.
Proper Training
While we hope these examples are helpful, full employee training is the only way to fully ensure the safety of your business. Our Security Awareness Training service allows you to test your employees and users on current phishing attempts. With hundreds of templates available to choose from, you’ll be able to truly gauge your users’ performance, while also monitoring their improvement as the training period progresses.
This training can make a real difference for your organization. In aggregate, organizations see their phish-prone percentage (how likely users are to respond to phishing attempts) drop from 15.9% to 1.2% in just 12 months. That’s a huge change. Assuming your organization starts at a similar percentage – 15.9% of all phishing attempts likely to trick your users – can you afford to have a risk like this out there?
Our training gives you and your employees the confidence you need to substantially minimize the threat of social engineering.