No business is safe from social engineering attacks, that includes small businesses. Believing that their company isn’t a possible target is the first mistake that makes small businesses vulnerable. They assume that cyber attackers are only looking at large corporations as prey. True, these big companies provide a bigger target, but cyber attackers don’t discriminate. One should also take into consideration that if there are small businesses, there are also small-time hackers who are just trying to make a quick buck. There are also cyber attackers who are banking on small businesses’ lack of security systems, and so they carry out social engineering attacks on as many small businesses as possible. Every small business should keep in mind that hackers don’t discriminate.
The Most Common Social Engineering Attacks
Perhaps the most common of social engineering attacks, phishing means drawing out information from a person or business in order to scam them. If it sounds like fishing, that’s because it is exactly what it is — luring the victim into voluntarily giving their personal information that could be used in scams. Personal information includes names, addresses, e-mail passwords, social security numbers, and credit card numbers.
While a lot of people have heard of the term phishing, some still fall victim to it because of the notion that they are too smart to succumb to such manipulation. What they don’t realize is that phishing sometimes looks all too real. One common phishing method is when an email is embedded with a link that redirects a person to a dubious website that appears legitimate. Since the site looks genuine, then the person will innocently provide their personal information to the fake website.
Another method used is when the cyber attacker sends an email from an email address with the name of a large and credible company. One could easily think that such a large corporation would never be low enough as to prank a small business. That’s exactly how scam works: these scammers make it look legitimate. The same tactic is often attempted over the phone.
Here are ways for you to protect your company from phishing attacks:
- Education. Every business owner must inform their employees about what phishing is and how it could happen.
- Online filter. Install an online filter that can detect e-mails that carry viruses or blank messages, as well as spot fishy websites.
- Security programs. Computer systems should always have the latest security programs.
- Updated anti-virus. Install anti-virus systems and keep them up-to-date.
- Encrypted output. Make sure outputs from employees (who are working from home) are encrypted.
Every entrepreneur should also be updated about the current trends in phishing. Businesses should always know what they are up against as hackers up their game. It is not cheap to be a phishing victim. According to the 2017 Internet Crime Report from the Federal Bureau of Investigation, 35,344 entities fell victim to phishing that year. It was the third most common Internet crime that year, just behind non-payment / non-delivery scams and personal data breaches. The total loss from phishing in 2017 was pegged at $29,703,421.
While a bit similar to phishing, this scam is called pretexting because the cyber attacker reaches out to the victim under the pretext of good intention. One common method among pretexters is when they call a victim saying they are doing a survey. The pretexter asks a few questions that seem legitimate. Next, they solicit from their would-be victims more personal information about them. These sensitive data are then used by scammers to steal the victim’s identity.
Another method is by way of a raffle promo. The pretexter calls, texts, or sends an email to the victim about him winning a raffle promo. But before the prize is claimed, the victim is asked to release some of his personal information. When targeting SMEs, the pretexter may try to offer the company some “good to be true” deals on supplies or services.
If you’re a business owner, here are ways to protect your organization from pretexting:
- Educate your employees. If employees know what they are up against, then they can discern pretexters and avoid releasing personal data to suspicious people.
- Never release important company information. One could just tell the person on the other end that the basic company information is available publicly, on the company’s website. But if they want more details, they can leave their contact information and a representative from the company will get back to them. Most pretexters would no longer proceed when one asks for their contact details.
Pretexting generally leads to identity theft and / or fraud, which are consistently on the rise in the U.S. According to Javelin’s 2018 Identity Fraud Report, there were 16.7 million people who fell victim to identity fraud in 2017, which is eight percent higher compared to the previous year. The amount stolen had reached $16.8 billion.
This is basically just like phishing. Common examples are the offer of free downloads (movies, audio files, e-books, and the likes). But in order for the victim to get the “free” download, he or she should login to the site and input some personal identification. Another method comes in the form of a software update.
Curiosity often leads to easy baiting. A 2006 experiment showed how curiosity is used to easily con people. USB drives were used as bait and scattered around areas that were usually frequented by employees. The employees were just too curious to let go of the USB drives that they not only picked them up, they actually also plugged them into their computers.
Here are ways to protect the business from baiting:
- Education. Obviously, if all employees know what baiting is and what possible methods there are, they will not fall victims to it. Employees should learn that while curiosity sometimes leads to discovery, it is not always a good thing. They should be cautious all the time.
- Be wary of anything good being offered for free. Anything free should be validated and any entity offering anything for free should be verified.
Baiting is also known as Quid Pro Quo, wherein the attacker offers something in return for personal information. Many times, this happens when cyber attackers assume the personality of the IT person and assist the victim with any kind of computer problems they may be facing at that time.
In layman’s terms, tailgating is when one is driving too close to the vehicle in front. In social engineering, tailgating is trying to be familiar with a person from the inside of the company in order to gain access. One common method of tailgating, which is often seen in movies, is when a person (a.k.a. the criminal) waits until an employee opens the door to the company building. The criminal then calls out for the employee to hold the door so he can go in. And that’s how the attacker gains access.
Large companies have sophisticated security systems or a front desk that often checks appointments. Small businesses, on the other hand, are more vulnerable. One well-mannered employee could easily provide access to a tailgater who could then gain access to sensitive information using company data.
Here are ways to protect the business from tailgating:
- Invest in an identification system that not only limits access to offices but also tracks an employee’s time in and out.
- Install automatic locks on computers so that whenever there is no activity on them, they automatically enter sleep mode and cannot be accessed again without a password.
No matter how small the business is, every entrepreneur should stay one step ahead of any social engineering attack. According to Verizon’s 2018 Data Breach Investigations Report, every business owner has the responsibility to protect his or her company. Every entrepreneur should make it hard for criminals to crack the company’s security system.
Effective security doesn’t come cheap, but it is a good investment. Didn’t the doctor say that an ounce of prevention is better than a pound of cure? In the case of a business, a social engineering scam could cost the company more money than the cost of investing in a practical software solution or two. Other smart computer investments include security filters that sift out fraudulent e-mails. But then again, cyber attackers are so smart that some e-mails can pass through these filters with flying colors.
Even more important is that everyone in the company is aware of the various social engineering attack methods. Awareness is key — awareness that not all e-mails should be replied to or given attention. Employees should also know that not all links should be clicked. This is why every business owner should also invest in a regular security training program for all employees – as criminals are also continuously sharpening their methods. Every year, new methods of carrying out social engineering attacks crop up, and all employees should learn about these developments.
All it takes is one employee to make a mistake and fall victim to a social engineering attack, and the whole company could become vulnerable. So, every entrepreneur should protect their business by arming employees with technical knowledge and implementing adequate security policies and programs.