This month is European Cybersecurity Month (ECSM). We are taking part in the European Union’s annual campaign dedicated to promoting cybersecurity among EU citizens and organisations. To contribute to this campaign, we will be sharing a number of articles to raise awareness about this important topic.
Imagine you get a WhatsApp message from a number you don’t know, claiming that it’s your son. They tell you your son has lost his phone and is texting you from a friend’s phone. You find the message peculiar, but you have many things going on, so you engage in conversation to find out if it’s true. After some back and forth, the person on the other end asks you to send a bit of money so they can buy a new phone. That’s when you become extra suspicious, so you decide to call your son. Your son answers his phone, and then it hits home... you’ve been the subject of a spear phishing attack. Since you didn’t send the money, you’re relieved. Still, it’s very unsettling how much a hacker can know.
Spear phishing is one of many types of social engineering attacks. Social engineering occurs when criminals use psychological manipulation to victimise innocent people. According to Cybint, 62% of businesses experienced phishing and social engineering attacks in 2018 alone. Scams based on social engineering are built around human behaviour: the cybercriminal manipulates the target’s behaviour through carefully designed emails, voicemails, or text messages. Their goal is to convince the person to do something, usually transferring money, providing confidential information or downloading files that install malware on the subject’s company network.
Zooming in on social engineering - what are the types of attacks?
There are many types of social engineering frauds. These are the most common:
Phishing: tactics include fake emails, websites, and text messages to steal information or money. These emails are sent to thousands of people and do not target a specific person.
Spear Phishing: the same thing as phishing, but a specific position or person is targeted (in companies it’s often the CEO/CFO).
Baiting: an online and/or physical attack that lures users into a trap with false promises.
Malware: psychological manipulation to trick users into believing that malware is installed on their computer and that, in order to remove it, they have to pay.
Pretexting: when a false identity and a fake scenario are used to trick victims into giving up information.
Tailgating: following employees entering the premises of a physical workplace in order to get around access controls (for example access cards, codes etc.).
Vishing: a voicemail or phone call from someone pretending to be someone else, designed to convince employees to act quickly. Pretty much phishing, but over the phone. More sophisticated scammers can even use voice changers to conceal their identity and switch to either a female or male voice.
Here is an example of a hacker trying to steal a CNN tech reporter's data.
How can you prevent social engineering attacks?
As a company, it’s important to focus on changing behaviour through awareness. If employees know how easy it can be to get tricked or scammed by a social engineering attack, they will be more vigilant when it comes to suspicious emails, calls or events, and they will know how to act. At Visma Connect, we have internal awareness sessions about phishing on a regular basis.
As an employee, do not click on suspicious links. Always verify the sender’s identity if you receive emails or phone calls. For phone calls, if you’re in doubt, call back the person they pretend to be using a number you already know to be genuine. Emails are never too urgent to double-check. When in doubt, ask your colleagues or manager for a second opinion.
In addition, always be careful who you let into the building. It’s nice to be polite but try to avoid holding the door for a stranger, especially if the stranger does not carry a company badge.
What to do when you’re the victim of a social engineering attack?
Unfortunately, the scenario we outlined at the beginning of this article is very common. If it happens to you, don’t feel ashamed. It can happen to anyone! Don’t keep it to yourself: contact your security team as soon as possible and give them as many details as possible.
Visma’s goal is to be transparent with regard to cybercrime. This means that we choose to share information rather than keep it hidden. This is a social responsibility approach that we have embraced as a company, for the greater good, for all our customers and for ourselves.
Stay tuned for more #VismaSecurityAwareness