Understanding Social Engineering: How to Avoid Phishing Attacks
In the context of information technology, social engineering refers to the act of tricking people into divulging confidential or sensitive business information, and breaking security policies. This form of attack infiltrates companies by targeting their weakest access point, which predominantly is a firm’s employees.
The Art of the Phishing Con
Let’s examine a popular technique for social engineering known as phishing. In a phishing scheme, the hacker broadly disseminates a fraudulent email with aim to acquire sensitive data, such as, login credentials, IT resources or banking information. The message may request the recipient to submit personal information or to click on a link embedded with malware. Although this approach rarely dupes sophisticated users, a distracted employee could make one mistake and compromise a firm’s entire network.
Similar to the above-mentioned security threat, and on the rise in the industry, is spear phishing. This technique entails a much more targeted approach, and increasingly, is being used in the form of sophisticated bank wiring schemes. For example, in March 2015, the CFO of a hedge fund misguidedly wired $1.5 million to criminals after experiencing such an attack.
In a spear phishing incident, criminals target specific companies or individuals and conduct background research to compile employee names, titles and contact information. Social networks are common resources crawled for this information. Obtaining such details and observing communications provides criminals with the tools to mirror email addresses, website URLs and dialect. The end result is the criminal’s identity masqueraded as a legitimate, trustworthy source.
How to Not Get Hooked
What can your firm do to defend its network against phishing attacks? From employing proper security measures, to cyber security training and to Written Information Security Plans (WISPs), it’s vital that financial firms form comprehensive security programs. Regarding email, eSentire suggests utilizing asymmetric encryption solutions, which offer digital signatures that can be validated by the recipient. eSentire also recommends that mandating sensitive actions to require two-factor authorization will help enhance internal security measures, for example: a phone call using a pre-shared number, which is external to the email, to confirm the message's legitimacy.
The reality is everyone is a target, and firms should train employees to recognize social engineering techniques. The differentiating factor between an authentic and fraudulent message could come down to one inversed letter. Prudence of employees in conjunction with a honed adeptness for security is one of the greatest defenses to help thwart attacks. Essentially the key to your firm’s network, it is crucial that employees scrutinize any email that inquires for information regarding login credentials and bank/wire transfers.
You might also like these articles:
Video Series: SEC Cybersecurity Update in 90 Seconds
Photo Credit: Google