Believe it or not, most successful cyber attacks in the modern era still begin the same way: through your own current employees.
Now, while it's true that some of these incidents are an inside job, such as a departing employee taking as much proprietary data with them as they can, that isn't the typical case. Most of the time the employee is not malicious at all; they have simply fallen for the same basic strategy: social engineering.
Social engineering is when someone with malicious intent manipulates an employee into handing over confidential information or access, which the attacker then uses to their advantage. The classic example is a phishing email. An employee receives a message that looks legitimate and asks for information that should never be sent over email at all. Because it appears to come from a client or from company leadership, the employee thinks nothing of it and replies with bank account details or a username and password. By the time anyone realizes there is a problem, the damage has already been done.
These attacks are becoming more common, but they are also something you can defend against without exotic tools. If you want to help your employees avoid social engineering attacks and build a stronger security culture in the process, there are a number of important things to keep in mind.
Defeating Social Engineering: An Overview
By far the best way to help employees defeat social engineering attacks is to make sure they know what those attacks look like in the first place.
Often they arrive as an email from someone familiar: a colleague, a client, or some other "friendly" face. That familiarity is frequently the product of an earlier, successful attack: the sender's account may have been compromised without their knowledge. It may also be simple spoofing, where the attacker forges the display name or uses a lookalike address so the message merely appears to come from someone you know.
In most cases the message contains a link the sender wants the recipient to click. Because the message supposedly comes from someone they know, the recipient thinks nothing of it and clicks. The link leads either to a page that delivers malware, giving the attacker a foothold on the recipient's machine, or to a fake login page that captures whatever credentials are typed into it.
Sometimes the message instead carries a file the recipient is asked to open. It could be a "work document," a movie or music file, a picture, an invoice, you name it. The result is the same: the file carries malware, or is itself an executable disguised with a document-like name. Once it is opened and executed, that workstation should be treated as compromised.
Read Emails Carefully Before Replying
One way to help people avoid these situations is to teach them to pay close attention to the message itself. Social engineering works because it is so simple, and thankfully the defense is equally simple: read before you act.
In many of these situations, someone gets a message asking for fast, urgent help: a problem has come up and needs immediate attention. If that were really the case, the sender would most likely pick up the phone. Many such messages describe a problem with an account that the recipient must "verify" to fix. There might be a financial "problem" that can be resolved by clicking the included link and confirming a username and password. Of course, that is never what happens. The link leads to a lookalike website under the attacker's control, and once the username and password are typed in, they have effectively been handed to the attacker. Two giveaways worth teaching: the visible link text and the actual destination address often don't match, and the destination domain is usually a near-miss of the real one.
Another common lure is a request to donate to a charity or other "worthy cause." People naturally want to help, especially during a crisis, so they enter payment details into a website that turns out to be fraudulent and hand that data to the attackers in the process.
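The tells described in the overview (links that go somewhere other than where they claim, attachments that are really executables) and in this section (urgency and "verify your account" language) can be checked mechanically before a person ever reads the message. The script below is an added example, not code from the original article: it parses a raw email, flags anchors whose visible text names a different domain than the real href, flags attachments with executable or double extensions, and flags urgency phrases. The sample message, its domains and its file name are constructed for illustration; the domain comparison is a crude last-two-labels check, not a public-suffix-list lookup.

```python
"""Triage an e-mail for common social-engineering tells (added example, not the article's code)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader to act before thinking (assumed list, extend as needed).
URGENCY_PATTERNS = [
    r"\burgent\b",
    r"\bimmediately\b",
    r"\bverify your (account|password|username)\b",
    r"\baccount (has been|will be) (suspended|locked)\b",
]
# Extensions that execute code when opened; a "document" carrying one is a red flag.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".docm", ".xlsm", ".lnk", ".iso"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Crude, but enough to expose lookalike domains in a demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mismatched_links(html_body):
    """Return (visible text, real href) for links whose text names a different domain than the target."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append((text, href))
    return findings


def risky_attachments(msg):
    """Names of attachments that are executable types or use a double extension like report.pdf.exe."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        double_ext = re.search(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.[a-z]{2,4}$", name)
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS) or double_ext:
            names.append(name)
    return names


def urgency_phrases(text):
    """Patterns from URGENCY_PATTERNS that occur in the text."""
    return [p for p in URGENCY_PATTERNS if re.search(p, text, re.I)]


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and return the findings of all three checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    plain_text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    return {
        "links": mismatched_links(body),
        "attachments": risky_attachments(msg),
        "urgency": urgency_phrases(plain_text),
    }


def build_sample():
    """Constructed phishing message: lookalike link, executable disguised as an invoice, urgent wording."""
    m = EmailMessage()
    m["From"] = "Accounts Team <accounts@example-bank.test>"   # hypothetical sender
    m["To"] = "employee@example.test"
    m["Subject"] = "URGENT: verify your account"
    html = ('<p>Your account has been suspended. Please verify your username and password '
            'immediately at <a href="https://login.example-bank-secure.test/verify">'
            'https://www.example-bank.test/login</a>.</p>')
    m.set_content("Plain-text fallback")
    m.add_alternative(html, subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for check, hits in triage(build_sample()).items():
        print(f"{check}: {hits}")
```

Run as-is it reports the mismatched link, the disguised executable and four urgency phrases from the constructed sample; point `triage()` at the bytes of a real `.eml` file to test it on actual mail. In production this kind of check belongs in the mail gateway, and the domain comparison should use a proper public-suffix list rather than the two-label shortcut used here.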
It’s Okay to Take Your Time
In the end, the most important thing employees can do is slow down. Before clicking a link or opening an attachment, take a moment to ask whether the request makes sense at all. If a client emails about an urgent problem, don't follow the instructions in the email; call them on a number you already have, not one the email supplies. Don't open files or attachments from unfamiliar senders, don't click a link you are not completely confident in, and report anything suspicious rather than quietly deleting it. Employees who build these habits will be far harder to fool.