How businesses can stop social engineering attacks
- Written by Tyler Moffitt, Sr. Security Analyst at OpenText Security Solutions
Recently, the Australian Cyber Security Centre (ASCS) launched a new online tool to help businesses assess if they’ve been hacked and guide them on how to respond in certain scenarios, including ransomware attacks, malware, email compromises and identity theft. While it's important for businesses to have a reactive plan in place to focus on re-establishing cyber resilience in a time of crisis, it’s also important for businesses to have a preventative plan to minimise the likelihood of such scenarios in the first place.
Awareness is the key to prevention
The top cause of cybersecurity breaches is social engineering. Social engineering attackers use deception and tricks to get employees to willingly give up private information like logins, passwords and even bank information. As such, phishing is the most common type of social engineering, and it grows year over year while also becoming more convincing and difficult to spot.
OpenText Security Solutions’ mid-year 2022 BrightCloud Threat Report found 46 per cent of all successful phishing attacks used HTTPS – a 14 per cent increase from 2021. Brands such as Google, Apple and PayPal were among the top ten so far this year for credential phishing, a process of obtaining login information from users. The report also showed consumers are almost twice as likely to experience an infection than business counterparts, but with more employees using personal phones and tablets for work, businesses must remain vigilant.
So, what exactly makes social engineering effective and how can businesses stop these types of attacks before sensitive data is stolen and potentially held for ransom?
Spotting attempts and stopping attacks
Phishing and impersonation attempts are common tactics used by cybercriminals to trick individuals into giving away sensitive information or access to their accounts. These attacks can be difficult to spot, but there are some signs that employees can look out for to protect themselves and their organisation from falling victim to these scams.
One common tactic used by phishers is to send emails that appear to be from a legitimate source, such as a bank or a well-known vendor the employee’s company works with regularly. These emails often contain urgent language and may request that the recipient take some sort of action, such as clicking a link or entering login credentials. Employees can spot these scams by being cautious of any unsolicited emails and by examining the sender's email address carefully. If the address looks suspicious or unfamiliar, it's best not to click any links or provide any information.
Another tactic that cybercriminals use is impersonation, where they try to pretend to be someone else in order to gain access to sensitive information or accounts. This can happen through email, social media, or even over the phone. Employees can protect themselves by being cautious of any unexpected or unusual communication, and by verifying the identity of the person they are communicating with before providing any sensitive information.
Overall, the key to spotting phishing and impersonation attempts is to be cautious and vigilant. Employees should be on the lookout for any suspicious or unexpected communication. They should never provide sensitive information or access to their accounts without verifying the identity of the person requesting it. By being aware of these tactics and taking appropriate precautions, employees can help protect themselves and their organisasion from falling victim to these scams.
Threat actors prey on a weak cybersecurity posture. Because social engineering attacks take aim on the human element of cybersecurity, organisations need multiple layers of protection to defend against phishing tactics, old and new. By adding email threat protection to their solution stack, security teams can catch over 99% of threats before an employee is even tested and has a chance to hand over personal info.
It is also important to complement technology with security awareness training, arming users with the knowledge they need to pivot and stay ahead of cybercriminals’ around-the-clock reinvention of malware, phishing, and brand impersonations. Phishing simulation is key and plays an important role to find out which of your employees can improve their phishing resilience and who are the biggest risks that might need some tweaks on access control. Each layer a business strengthens ensures a better chance of stopping social engineering scams, keeping data and sensitive information safe.
