2. Social engineering can sound quite alluring to some. The word “social” tends to have a positive connotation as it relates to our personal and professional lives. Put the word engineering after it and it might remind you to call some of your IT friends and schedule a night out. Unfortunately, social engineering in the cyber world is vastly different.
3. WHAT IS SOCIAL ENGINEERING?
So, what is social engineering? It is the art of manipulating others into releasing confidential information. Cyber criminals focus on the trusting nature of people rather than on weaknesses in their technology infrastructure, especially since their tactics can be so appealing that employees willingly provide passwords or other information needed to access their company’s systems, without ever realizing that they have just been exploited. It is an art, and educating your employees is vital.
4. WATCH OUT!
It is important that employees are aware of the types of attacks that are out there. To take it a step further, they should look at all types of correspondence with a suspicious eye. Below are some common social engineering attacks, but be aware that hackers are always one step ahead of the game. One attack today may be surpassed by another tomorrow.
The most common forms of social engineering include spear phishing, baiting, quid pro quo, and email attachments from a so-called friend.
5. PHISHING SCHEMES
If you are a committed reader of our blogs, you have come across phishing schemes more than a few times. Phishing is the leading form of social engineering attack, typically delivered as an email from a (seemingly) trustworthy source. Cyber criminals may claim that the end user is the “winner” of a grand prize, or may ask for a charitable donation after a nationwide disaster or tragedy takes place (wiring instructions fully intact). Regardless, these scams vary in their complexity and in the attacker’s objectives, with spear phishing and whaling being the more sophisticated forms of phishing.
6. PHISHING SCHEMES
Spear phishing is a tactical approach that uses an email appearing to come from a business or someone you know, but which in reality is malicious and seeks to obtain sensitive information (bank account numbers, passwords, financial information, etc.) on a short deadline. Pretexting is similar to spear phishing, but instead of focusing on “urgency” it relies on building a false sense of trust with the end user by impersonating a co-worker or employer to gain sensitive information. Additionally, whaling refers to going after a potentially large target, generally executives or high-level accounting professionals who have the ability to authorize large transactions.
7. PHISHING SCHEMES
Spoofing uses e-mail sent from spoofed or similar-sounding domain names to make it appear as though these emails were sent by senior executives of the victim’s company. This tactic is often used in conjunction with spear phishing in order to add the appearance of legitimacy.
To avoid these damaging attacks, click here to learn guidelines and general rules to follow to stay protected.
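The similar-sounding domain trick described above can be caught mechanically before a message reaches an end user. The following is an added example written for this page, not code from the original deck or from The TNS Group. It assumes a constructed list of domains the company legitimately sends mail from (TRUSTED_DOMAINS) and flags a sender whose domain either matches a trusted one after common character substitutions (digit 1 for letter l, 0 for o, rn for m) or sits within a couple of edits of it.

```python
import re

# Constructed for this example: the domains our own executives really mail from.
TRUSTED_DOMAINS = {"example-corp.com", "mail.example-corp.com"}

# Character substitutions attackers commonly use to imitate a trusted domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Lower-case the domain and undo the common look-alike substitutions."""
    d = domain.strip().lower().rstrip(".")
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Pull the domain out of a From: value such as 'CEO <ceo@example-corp.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def check_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, reason): trusted, lookalike, external, or reject."""
    dom = sender_domain(address)
    if not dom:
        return ("reject", "no sender domain")
    if dom in trusted:
        return ("trusted", dom)
    ndom = normalize(dom)
    for t in trusted:
        nt = normalize(t)
        if ndom == nt:
            return ("lookalike", f"{dom} mimics {t} with substituted characters")
        dist = levenshtein(ndom, nt)
        if dist <= max_distance:
            return ("lookalike", f"{dom} is {dist} edit(s) from {t}")
    return ("external", dom)


if __name__ == "__main__":
    # Constructed sample senders; only the first is genuinely ours.
    for addr in ["CEO <ceo@example-corp.com>", "ceo@examp1e-corp.com",
                 "ceo@example-corp.co", "friend@gmail.com"]:
        print(addr, "->", check_sender(addr))
```

A "lookalike" verdict is a good candidate for a mail-gateway rule that quarantines the message or stamps a visible banner on it; "external" mail from unrelated domains is normal business traffic and should only be tagged, not blocked.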
8. BAITING
Baiting is similar to phishing, but it involves enticing the end user with something of interest in exchange for private data. Baiters may offer users free music or movie downloads if they surrender their personal login credentials. What better way to pass time at work than with free music, right?
Baiting can also come in physical forms, such as a corporate-branded flash drive labeled with something directly related to your work or department. The most documented baiting attack occurred in 2006 and is still relevant today, as the USB drive is still alive and kicking in the workplace. In this case, USB drives were intentionally infected and dispersed in the employee parking lot of their financial employer. Have you ever heard the term “curiosity killed the cat?”
9. EMAIL ATTACHMENTS FROM A “FRIEND”
If a hacker can break into your email, they can access its contents and send malicious email that appears to come from someone you know. Recently there have been some issues regarding potentially malicious attachments in email. These malicious emails vary in subject and are usually titled to draw attention (IRS, invoices, billing, etc.). Anything that asks you to perform additional actions or tasks should be considered more carefully. In today’s world, you should work on the assumption that all attachments are hostile until proven otherwise.
10. EMAIL ATTACHMENTS FROM A “FRIEND”
One of the most common means by which a computer is compromised is through email attachments. When opened, these attachments can give hackers complete control of your machine and, in turn, control over other machines in your environment, servers and networks.
11. HERE ARE A FEW GUIDELINES TO FOLLOW AS IT RELATES TO EMAIL ATTACHMENTS
1. Don’t open “surprise attachments” (something that you are not expecting).
2. If you don’t know the person sending the attachment, don’t open it.
3. Only open attachments with recognizable file extensions, e.g., Excel, Word (avoid .exe, .pif, .scr, .docm, .lotterywinner, etc.).
4. Don’t open attachments to emails that appear incomplete, incoherent, or simply “look wrong.”
5. Zip and PDF files should be looked at with scrutiny prior to opening, as they are key players in transferring malicious content.
6. If you are unsure of the attachment, don’t open it.
These threats are mitigated by your spam filter; however, no spam solution is foolproof. Mail attachments should be treated with a degree of caution. Everyone is fair game, no matter how big or small your company is.
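Guidelines 3 and 5 above are the ones a mail gateway can enforce on its own. The following is an added example written for this page, not code from the original deck or from The TNS Group; the block/review/allow extension lists are constructed from the extensions the guidelines name plus a few other well-known executable and macro-enabled types, and the example generalizes the rule to files carrying more than one extension (such as invoice.pdf.exe), which is how a dangerous file is usually dressed up to look like a document.

```python
import os

# Constructed policy lists for this example. BLOCK covers executables and
# macro-enabled Office formats; REVIEW covers containers that routinely carry
# malicious content (the deck's "zip and PDF" rule); ALLOW covers plain documents.
BLOCK = {".exe", ".pif", ".scr", ".docm", ".xlsm", ".pptm", ".bat", ".cmd",
         ".js", ".vbs", ".hta", ".lnk", ".msi"}
REVIEW = {".zip", ".rar", ".7z", ".iso", ".pdf"}
ALLOW = {".docx", ".xlsx", ".pptx", ".txt", ".csv", ".png", ".jpg"}


def extensions(filename):
    """Return every extension on the file name, lower-cased and whitespace-trimmed,
    so 'Invoice.PDF .exe' yields ['.pdf', '.exe']."""
    name = os.path.basename(filename).strip().lower()
    parts = [p.strip() for p in name.split(".")]
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename):
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'."""
    exts = extensions(filename)
    if not exts:
        return ("review", "no file extension")
    last = exts[-1]
    if last in BLOCK:
        # The final extension decides what the OS does on double-click.
        return ("block", f"dangerous extension {last}")
    if len(exts) > 1:
        # A benign final extension stacked on others is still suspicious
        # (e.g. photo.jpg.zip); hold it for a human or a sandbox.
        return ("review", f"multiple extensions {''.join(exts)}")
    if last in REVIEW:
        return ("review", f"{last} containers frequently carry malicious content")
    if last in ALLOW:
        return ("allow", f"recognized document type {last}")
    return ("review", f"unrecognized extension {last}")


def triage(filenames):
    """Classify a batch of attachment names and tally the verdicts."""
    counts = {"block": 0, "review": 0, "allow": 0}
    for f in filenames:
        counts[classify_attachment(f)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ["Q3 report.xlsx", "invoice.pdf.exe", "IRS_notice.docm",
               "statement.zip", "photo.jpg.zip", "README", "prize.lotterywinner"]
    for s in samples:
        print(f"{s:24} -> {classify_attachment(s)}")
    print(triage(samples))
```

Filename checks are only the first gate: a renamed file keeps its real format, so a gateway should also inspect the file's actual content type and detonate "review" items in a sandbox rather than trusting the name alone.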
12. QUID PRO QUO
I give you something and you give me something, and we are even. Not so fast. If you are contacted at work and told that you will receive a $500 gift card if an “IT specialist” can scan your network, provided you hand over your credentials, it’s too good to be true. Please note that the most common type of quid pro quo attack is a hacker impersonating IT staff. There are less sophisticated forms of the attack that involve free chocolate in exchange for passwords. That attack may date back to 2004, but our love of chocolate remains in all of us, so consider this a friendly reminder.
13. “IF I EDUCATE MY EMPLOYEES I SHOULD BE GOOD, RIGHT?”
As noted, educating your employees about the latest attacks and what to look out for is extremely important. However, locking down your networks should not be taken lightly. It is important to make any form of hacking as difficult as possible.
14. WORKING WITH A REPUTABLE MANAGED SERVICE PROVIDER (MSP) WILL ENSURE THE FOLLOWING:
Software updates are installed on all computers when released
Network security is managed through anti-virus software and other features that prevent unauthorized access
A managed backup and disaster recovery (BDR) solution is in place
Anti-spam filters are put in place to eliminate certain emails before they even get to your end users
15. These services are extremely important to the health of your business. Proper network security minimizes downtime and lost revenue. To ensure that your network is properly secured, contact The TNS Group today and reduce your risk of a cyberattack.