Picture it: an email comes in from your boss asking you to process a transfer for a large sum of money.
Perhaps that would be unheard of in your role, and the alarms of potential fraud would immediately go off in your head. But there are plenty of business employees who regularly transfer funds as part of their job.
If you had that kind of role at a company, what safeguards would you have in place to make sure the request was legitimate? Calling your boss seems logical, but once you’re asked to make enough transfers in a day, that kind of verification can get you backlogged in a big way.
As it turns out, requests like these are just one of a dozen common ways cybercriminals try to dupe employees. Cybercriminals who impersonate legitimate senders and requests in this way are known as social engineers.
Most businesses are more aware of the threat of cyber-attacks than ever before. But do you know how to protect your business against them?
What are the most common types of social engineering?
It’s important to educate and re-educate business personnel on cybercrime, because it’s constantly evolving. Today, the most common types of social engineering include:
- Phishing: this is a classic form of social engineering where a criminal pretends to be a legitimate sender via email, text or call.
- Baiting: this is where a criminal tries to entice someone to hand over personal data or login information in return for something on offer.
- Tailgating: this is a frightening type of in-the-flesh social engineering where someone tries to physically follow an employee into a restricted area.
- Whaling attack: this is where criminals target the “bigger fish” among private business leadership.
- Watering hole: this is a state-sponsored attack delivered through a public website that the targeted individuals are known to visit.
What’s a business to do?
Take these steps to protect yourself as well as your clients and your business:
- Use multi-factor authentication (MFA) – this requires a password and another factor like facial recognition or a secret PIN.
- Verify the sender’s identity – always look at the email address and ensure that messages are coming from the right domain. The more sensitive the request, the more steps you should take to ensure that the sender really is who they say they are.
- Identify critical assets – know what kind of data or assets in your business criminals could be after. What kinds of sensitive information do you store about clients? What information about your employees do you store in personnel files? What data do you use the most to do business that could be held at ransom by a cybercriminal?
- Continuously monitor – know what your critical systems are and monitor them for any unusual activity, and scan them regularly for viruses even when you don’t observe problems.
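The "verify the sender's domain" step above can be partly automated. The following is an added example, not code from the original post: it parses a raw email, checks the From domain against an allowlist (here assumed to be `example.com`), flags look-alike domains that are within a couple of character edits of a trusted one, and flags a Reply-To domain that differs from the From domain. The two sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the company's own mail domain(s); replace with your real allowlist.
TRUSTED_DOMAINS = {"example.com"}

def _domain(header_value: str) -> str:
    """Lowercase domain part of an address header such as 'CEO <ceo@example.com>'."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alikes such as examp1e.com vs example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings; an empty list means the sender headers passed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if from_domain not in trusted:
        lookalike = [t for t in sorted(trusted) if 0 < _edit_distance(from_domain, t) <= 2]
        if lookalike:
            findings.append(f"From domain {from_domain!r} looks like trusted {lookalike[0]!r}")
        else:
            findings.append(f"From domain {from_domain!r} is not a trusted domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings

# Constructed sample messages (not real mail).
SUSPICIOUS = """From: "CEO" <ceo@examp1e.com>
Reply-To: ceo.urgent@mail-relay.net
To: finance@example.com
Subject: Wire transfer needed today

Please process the attached transfer before 5pm.
"""
LEGIT = """From: CEO <ceo@example.com>
To: finance@example.com
Subject: Q3 numbers

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, check_sender(raw) or ["no findings"])
```

A message that passes these checks is not automatically safe; the check only removes the cheapest impersonations, and a sensitive request still warrants the out-of-band confirmation described above.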
The best approach to protecting you, your clients and your business against social engineering is a proactive one. It’s about guarding against threats up front so you never have to find out what “damage control” involves after an attack has already taken place.
Not sure how you’re going to monitor your critical systems against these threats? Contact us to get started.