Limiting the harm caused by social engineering

As 2021 draws to an end, the world has seen unprecedented levels of cyber attacks, especially in the form of ransomware.

From assaults on water supply companies and oil and gas providers, to criminals bringing the critical health service in Ireland to its knees, there have been some extremely high-profile examples.

Businesses of any size are targets for indiscriminate cybercriminals who leverage social engineering and phishing techniques to target the workforce and, ultimately, breach organisations. In fact, research shows that in 2020 alone, $18 billion was paid globally in ransom, and total costs were in the hundreds of billions of dollars. Other studies state that ransomware will cost $20 billion in 2021, estimated to grow to $256 billion in damages by 2031.

But how does ransomware keep being so successful? KnowBe4 evaluated the top root causes of ransomware infections and found that social engineering was by far the most common way ransomware got into organisations. This includes tactics like phishing, vishing, Business Email Compromise (BEC) scams and any trick a hacker can use to get employees to click on a malicious link. Therefore, security teams must take the necessary preventative steps to stop hackers from duping employees, entering the perimeter and stealing sensitive information.

Top tactics 

Research showed that employees are being tricked by HR-themed phishing attacks, with a significant rise in phishing emails relating to new policies that would affect all employees. Sample subject lines include: “Vacation Policy Update”, “Important: Dress Code Changes” and “Remote Working Satisfaction Survey”.

Indeed, the HR department itself needs to be especially wary of BEC scams. These highly successful attacks involve cybercriminals sending correspondence pretending to be the CEO, a senior member of the company, or a contact at a business partner. Typically, those who are targeted have access to company finances, and the cybercriminals tailor their emails to trick the worker into transferring money to bank accounts they believe are associated with the so-called “trusted individual.”

In one particularly brazen scam, hackers impersonate existing employees and request that the bank account used for their salary be updated. If successful, at the end of the month the salary is deposited into the hacker’s account. By making direct contact with the HR or Finance department, the attacker avoids any third-party security systems, allowing them to control the situation. Depending on when the employee checks their accounts, this scam could run for weeks or months.
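A triage check that HR or Finance could run over incoming payroll change requests, written as an added example for this article rather than any KnowBe4 tooling; the corporate domain, the employee directory and the sample messages are all constructed assumptions. It flags the signals of the salary-diversion scam described above (a display name matching an employee but an outside address, a Reply-To pointing elsewhere) and holds the request for out-of-band verification.

```python
import re
from email.utils import parseaddr

# Constructed assumptions: the company's mail domain and a small HR directory
# mapping lower-cased employee names to their real corporate addresses.
CORP_DOMAIN = "example.com"
EMPLOYEES = {"alice smith": "alice.smith@example.com"}

# A request counts as a payroll change when it mentions pay/bank details
# together with a verb asking for them to be altered.
PAYROLL_TERMS = re.compile(r"\b(bank|account|direct deposit|payroll|salary)\b", re.I)
CHANGE_VERBS = re.compile(r"\b(update|change|switch|new)\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_request(msg):
    """Return (verdict, reasons) for one email.

    msg is a dict with raw header strings: 'from', optional 'reply_to',
    'subject' and 'body'. Anything not asking for a payroll change is routine.
    """
    name, addr = parseaddr(msg["from"])
    _, reply = parseaddr(msg.get("reply_to", ""))
    text = msg["subject"] + " " + msg["body"]
    if not (PAYROLL_TERMS.search(text) and CHANGE_VERBS.search(text)):
        return "routine", []

    reasons = []
    known = EMPLOYEES.get(name.strip().lower())
    if known and addr.lower() != known:
        # The name belongs to a real employee, but the address does not.
        reasons.append(f"display name matches employee but address is {addr}")
    if domain_of(addr) != CORP_DOMAIN:
        reasons.append("sender is outside the corporate domain")
    if reply and domain_of(reply) != domain_of(addr):
        # Replies would go to the attacker, not back to the apparent sender.
        reasons.append(f"Reply-To {reply} differs from the From domain")

    if reasons:
        return "hold: confirm by phone with the employee on file", reasons
    return "verify: confirm through the normal change process", reasons
```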

Damage control on social engineering 

Simply increasing spend to purchase the latest security tools to try to solve the problem will not work, because these attacks prey on people’s behaviour. Therefore, a strategy and process that improves the general security awareness and culture of the organisation is required.

Furthermore, a mindset change is also needed. Many will view the workforce as an area of weakness, but start seeing them as the organisation’s biggest asset!

To kick-start the training process, there are many free training materials, including videos, checklists, advisory articles and templates, readily available online. Other free tools include ransomware and phishing simulators that can help test the preparedness of the business to deal with such situations. There are online password checkers that can grade the strength of the credentials used to log into accounts, and you can find a vast amount of free security hygiene and best practice modules to help educate the wider workforce.

These free tools will not have the top-tier capabilities that you would find with a subscription or a managed service, but they are a good place to start. If nothing else, they will help the company see what works for it and introduce staff to security threats, reducing the risk of them succumbing to such threats.

Anticipating threats 

Employees who hold positions of power or influence, whether the CEO or individuals in the HR and Finance departments, will always be high on the list of targets for hackers. It is up to the IT and Security departments to create a well-designed security strategy that combines people, processes and technology to effectively protect these individuals and the wider organisation.

Concentrating efforts on raising the security awareness of the workforce yields the greatest potential for change in the fight against social engineering threats. People can be the biggest asset in identifying and reporting fraud; they just need the right environment to learn and develop. Once this training is provided, before you know it, employees are more vigilant and the level of risk to the organisation has been significantly reduced.

About the Author

Javvad Malik is lead security awareness advocate at KnowBe4. KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering.

Featured image: ©Maksim Smeljov