Protecting your organization’s most valuable data isn’t merely a matter of having the latest security technology (although it helps!). In fact, IBM reports that 95% of successful cyber attacks are caused by human error.
That’s right—when it comes to data leaks, ransomware, and all the other potentially-crippling threats out there, unwitting staff members are typically the cause of the breach.
What can organization leaders do to reduce the risk? It starts with knowing the most common techniques bad actors use to exploit this common risk. Taking steps to mitigate these potential causes ahead of time can save massive amounts of time and money by avoiding an attack.
The Social Engineering Threat
Criminals gain access to systems by manipulating the trust of users, who typically aren’t aware anything is amiss. It’s often well after these risky actions are taken that individuals or teams realize what has occurred, and by then it’s too late to simply revert to normal.
These threats—which use human psychology to achieve nefarious goals—are known as social engineering. The attempts are so prevalent that you’ve likely come across some social engineering attempt online, or even fallen victim to one without realizing it. Regardless, social engineering attacks typically fall into a few categories, including the following three to watch out for in 2022.
Baiting
You’re walking through the company parking lot one day when you spot a USB flash drive lying on the concrete. What are the odds that you pick up the device and plug it into your work computer, just to see what’s on it?
If you were one of the officials tested by the Department of Homeland Security, you had about a 60% chance of putting curiosity ahead of cybersecurity. And if that flash drive had an official logo on the side, the risk increased—90% of employees plugged in these devices.
If more than half of Homeland Security officials—experts in cybersecurity, one would imagine—are willing to take the risk, imagine what an average worker could be compelled to do. Leaving such devices outside the target’s building is one way to engage in baiting, which is exactly what it sounds like: hackers leave physical media somewhere for the target to find, then rely on natural curiosity to create a security breach.
Physical media may not be as prevalent as it once was, so understanding the risk of online baiting is essential as well. Enticing advertisements and free downloads are often not what they seem, and should be avoided by those looking to keep their networks and devices safe.
Pretexting
You receive a call from someone in your organization you haven’t worked with before. Since you’re unfamiliar with this person, you quickly look them up in the company directory. Their name and job title check out, and all they’re asking is for you to verify some general information. You provide it and they thank you, sounding relieved.
Only later do you realize the phone number they called from isn’t the one listed in the company directory, or was blocked entirely. This kind of scam, known as pretexting, can take many different forms and come via email, phone, IM or virtually any other communication channel.
The deception relies on establishing trust with the victim by acting as an authority figure, such as a tax official or law enforcement agent. Oftentimes the questions are posed ‘merely’ to establish identity, when in reality the records gathered are the point. People will give up addresses, phone numbers, Social Security numbers and even secret information if the pretexting is successful.
Be skeptical of communication attempts from numbers, accounts, or individuals you haven’t heard from before. When you receive such a phone call, it’s often a good idea to send a verification email or to check with the person directly. Never give any information to someone you can’t verify is legitimate, and even then, official channels with approval are best to avoid a momentary lapse that causes a long-term issue.
Phishing and Spear Phishing
You receive an email informing you that your account has been breached and you need to change your password immediately to avoid disaster. Panicked, you quickly click the very large “change password” link, input your former password and your new password, and receive a follow-up email thanking you for staying secure.
Everything probably looked legitimate, from the email to the website you used to change your password. Behind the scenes, however, hackers have used this information to gain further access into your network.
It’s called phishing because the nefarious party will often send out hundreds or thousands of such links across an organization, seeking one person to fall for the hook. Spear phishing is more targeted—the attacker may try to deceive you by mimicking the wording and style of a trusted coworker, boss, or IT head, while a general phishing attempt relies more on volume and urgency.
Fighting phishing and spear phishing attempts looks a lot like avoiding baiting and pretexting. Always verify any suspicious correspondence with the sender, preferably in a way that doesn’t expose any data. Keep your cybersecurity software up-to-date and regularly engage in training across your organization. It’s much better to have an employee fall for a fake phishing attempt than a real one, after all!
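As an added illustration (not part of the original post), here is a small Python heuristic that flags the lure described above: a link whose visible text names one domain while its href leads to another, links that leave the sender’s domain, and urgency wording. The sender address and domains in the sample are hypothetical.

```python
import re
from urllib.parse import urlparse

# Anchors in an HTML body: (href, inner HTML). A regex is enough for this demo;
# a production filter would use a real HTML parser.
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# Wording typical of the "act now" pressure the post describes (constructed list).
URGENCY_WORDS = ("immediately", "breached", "suspended", "within 24 hours")


def _host(url):
    """Lowercased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def _belongs_to(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def phishing_indicators(from_addr, html_body):
    """Return the reasons this message looks like a credential-reset lure."""
    sender_dom = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    for href, inner in LINK_RE.findall(html_body):
        host = _host(href)
        text = re.sub(r"<[^>]+>", "", inner).lower()
        shown = DOMAIN_RE.search(text)
        # Visible text names one domain while the real href leads elsewhere.
        if shown and not _belongs_to(host, shown.group(0)):
            findings.append(f"link text says {shown.group(0)} but goes to {host}")
        # A reset link for your own account should stay on the sender's domain.
        if not _belongs_to(host, sender_dom):
            findings.append(f"link host {host!r} is not under sender domain {sender_dom}")
    if any(w in html_body.lower() for w in URGENCY_WORDS):
        findings.append("urgent or threatening language")
    return findings


# Constructed sample in the shape of the lure described above (hypothetical domains).
SAMPLE_FROM = "it-support@example-corp.com"
SAMPLE_BODY = """<p>Your account has been breached. Change your password immediately.</p>
<a href="http://example-corp.com.reset-portal.example/login">
  <b>https://example-corp.com/account/reset</b></a>"""

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_FROM, SAMPLE_BODY):
        print("WARN:", reason)
```

The findings are triage hints for a mail filter or an awareness demo, not a verdict: legitimate mail that routes links through a tracking domain will also trip the sender-domain check.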
Improve Your Cybersecurity with Tangoe
Strong oversight of your communications can help protect your team from bad actors. Learn more about how Device-as-a-Service (DaaS) and Unified Communications as a Service (UCaaS) can keep security software up to date and provide holistic oversight on our product pages, or contact us today to learn more.