You can have the best security system in the world, but if your employees don’t follow its protocols, it won’t be able to protect your most sensitive information. That’s because cyber criminals are ready to exploit the weaknesses in your system – usually the humans involved – as they rely on the familiar ways of infiltration, such as phishing and malware.
Just because you have security software does not mean you’re safe from threats. While any company’s biggest asset is its employees, they are also unfortunately its weakest link when it comes to security. Your employees are your first line of defense, but attackers love to exploit human interest and curiosity. They use social engineering to manipulate and trick targeted victims into giving them your passwords or banking information, or access to your computer to secretly install malicious software that gives them complete access to your passwords and other classified, restricted and financial information, and even control over your computer. Ransomware, malicious software that blocks a user’s access to a computer system until a sum of money – a ransom – is paid, also falls under this category. Criminals love social engineering tactics because it is easier to exploit the natural human inclination to trust than to figure out how to hack into your system. Even criminals don’t want to work that hard.
How do you and your organization protect yourselves against attacks such as these? Since social engineering tactics prey on your trust, the key is knowing who and what to trust. Security professionals will tell you the weakest link is the person who accepts another person or scenario at face value. It doesn’t matter if you have a security system worthy of Fort Knox: if an employee falls for a phishing email and gives out his computer password, he has just exposed you and your organization to whatever threats the phisher represents.
Two of the most common social engineering tactics used are friendly email and phishing. With friendly email, criminals will hack into email and gain access to all the user’s contacts, sending malicious links to everyone on the list…including you. Since you recognize the email address, you open it and end up unintentionally installing malware on your computer that gives the criminal access to your system. Sometimes they will include links to a webpage or video with a caption like “you have to see this!” or they may tell a story, like that of a friend or relative stuck in a foreign country and in dire need of money to get out of their sticky situation, complete with directions on how to send money – straight to the wallet of the criminal.
We have all received emails that appear to be from legitimate organizations, stating that our accounts need to be updated and that if we don’t provide our login (or banking information, if it is a paid service) within a certain period of time, our account will be shut down. This is called phishing, and it is designed to scare you into handing over your information. Sometimes the emails – and increasingly, phone calls – will say you’ve won some sort of prize, and you just need to provide your banking information to receive it. No legitimate organization will ever ask for your password, social security number, banking information, etc. in an email. If you are ever in doubt, contact the organization that supposedly sent the email and ask them if they sent it.
So, how do you avoid becoming a victim of social engineering?
- Be suspicious of unsolicited emails. If it appears to be from a company with which you do business, contact that company and ask if they sent it.
- Do not respond to requests for passwords or financial information. They are all scams. Just delete them.
- Check the URLs and email domains. An email from your bank won’t have the domain “@momsinbox.com.” Criminals are often savvier than that, though, using domains and URLs that mimic a company’s real ones. Don’t be afraid to Google them if you are unsure.
- Don’t download. If you don’t know the sender, or if you do and are not expecting a file from them, do not download until you confirm that person sent a document to you.
- All foreign offers are fake. No, sorry, but the Nigerian prince isn’t going to split his $50 million fortune with you if you open a bank account in your name, allow him to “deposit” the money and then send him his half – via Western Union money transfer.
- Set spam filters to “high.” Sure, some legitimate email will get caught in the spam filter, but it’s better to be safe than sorry. Check your spam folder periodically for the stray legit email.
- Make sure your devices are secure. It is imperative that you keep all security software up to date, installing all updates and new versions when they are offered.
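The domain check in the list above can be partly automated. The following is an added example, not code from the original article: it takes a From header, ignores the display name (which attackers often fill with a legitimate-looking address), and flags domains that mimic an allow-list of domains you actually do business with. The allow-list and sample headers are constructed for the example.

```python
import re

# Constructed allow-list for the example (assumption): domains you really do business with.
TRUSTED_DOMAINS = {"examplebank.com", "payroll-vendor.example"}

# Substitutions that read correctly at a glance ("rn" for "m", "1" for "l", ...).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def sender_domain(from_header: str) -> str:
    """Domain of the real address; the display name is ignored even if it looks like an address."""
    m = re.search(r"<([^<>]+)>\s*$", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def normalize(domain: str) -> str:
    """Undo common character substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats such as 'examplebank.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<mimicked domain>' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"  # the real domain or a genuine subdomain of it
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if (edit_distance(normalize(domain), trusted) <= 1  # typo or homoglyph
                or brand in domain):  # brand name buried inside an attacker's domain
            return f"lookalike:{trusted}"
    return "unknown"
```

A "lookalike" result is the case the list above warns about: verify with the company through a channel you already know before acting on the message.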
Nothing will keep you completely, 100 percent safe, but educating yourself and your employees about the risks and using the tactics above – and keeping your own personal suspicion meter set at “high” – will go a long way towards giving you a good chance of keeping attacks to a minimum.