Social Engineering Scams Make Your Workforce Your Biggest Threat

The urgent email from the company bank asks you to check a statement. Do you click the attachment?

This is what social engineering looks like from the perspective of someone about to give a cyber criminal the keys to the enterprise.

Social engineering is methods used by criminals to get one of your colleagues to hand over company information. It could be an email with malware buried in an attachment. It could be an urgent demand from what looks like a senior staffer seeking banking details or logins. Or it could be blackmail – any way to trick staffers into allowing access.

In the above example, an unknowing employee can look at the sender of the email, not catch that the email is from “banc” and not “bank,” and click the attachment containing malware. The malware can then track the actions of the employee, lying quietly for months while infecting other networked computers until, eventually, the entire company network is taken down, millions of dollars missing and business comes to a halt.

As security protocols tighten and anti-virus software gets better, criminals are attempting increasingly elaborate ways to fool employees into giving them access to prized data. With each attempt, the ruse becomes more ingenious until finally, someone opens a way into the network.

According to the 2016 Verizon Data Breach Investigations Report, “23% of users open phishing emails, 11% click on attachments, and nearly 50% open emails and click on phishing links within the first hour.”

However, those same employees being targeted by con artists can be your first line of defense.

Protect your enterprise.

  1. Teach your employees what to look for, and that goes beyond just fishy-looking attachments to encompass:
    • Phishing scams have the criminal pretending to be a trusted source seeking credentials.
    • Spear phishing is a very targeted attack on one trusted employee armed with information gleaned from social media and other public sources.
    • Employees must even be careful of physical baiting – where an innocuous memory stick is left near a trusted employee, even on his desk, but the tool contains dangerous malware.
  2. Help your employees by setting policies for security. Require your workforce to create and maintain strong passwords that are not easily guessed (birthdays, names of children). Use multi-factor authentication so more than one password or key is required to gain access.
  3. Patch and update systems and software on schedule. This is a no-brainer when you consider that most attacks exploit never-patched known vulnerabilities for which patches have been available for months.
  4. Reinforce your cyber-hygienic workforce with the protection of a layered security technology infrastructure. Build a platform that integrates sandboxing with next-generation firewalls, internal segmentation firewalls, virus/malware scanners and content filtering so that attacks that get past one defense can be stopped by the next; or at least slowed to a rate where they can be detected and harm mitigated.

Your layered security approach needs to be tailored to your business needs, assets and biggest vulnerabilities. Perform periodic cyber threat assessments to assess. A partner of Fortinet, neteffect can assess your cybersecurity infrastructure and put our expertise and best-in-class technology to work for you.