
4 Tips to Combat Phishing, Social Engineering + Webinar Replay

By Amisha Shah | Thursday, March 29th, 2018

Phishing scams are on the rise, posing a real threat to firms worldwide. It is therefore imperative that firms and their associates are well equipped to protect sensitive information.

In a recent webinar, Eze Castle Integration’s Senior Product Manager Steve Banda and Product Manager Evelyn Villemaire shared insights around the threat landscape affecting firms. They also let listeners in on some top tips to combat phishing and social engineering. Below is a summary of the content covered as well as the full webinar replay.

Cyber Threat Landscape

It is important that firms identify the different forms of intruder attacks that could affect them, and the unique measures used to combat each type effectively. Threats include:

  • Physical security attacks

  • Malware

  • Social engineering

  • External hacking and denial-of-service (DoS) attacks

  • Insider data leakage and theft

  • Mobile device theft

Social Engineering and Phishing

Social engineering is the exploitation of human trust to obtain sensitive information. Phishing is the most common form; attacks typically arrive by email, telephone or text message.

  • 73% of breaches are financially motivated

  • 66% of malware is installed via malicious email attachments

  • Social engineering methods are used in 43% of all breaches

Other deceptive social engineering methods used to target firms include, but are not limited to:

Pretexting – for example, a phone call in which the caller lies about their identity to persuade the victim to share sensitive data.

Watering hole attacks – a strategic attack aimed at a chosen group of individuals within a firm, or at individuals across organisations in a specific industry, in order to gain access to specific data.

Tailgating – when an associate with authorised access to restricted areas within an organisation, or at an event, is followed in by someone without that access, in order to obtain confidential information.

Vishing – voice phishing, commonly an automated call that asks the person answering to select options on their phone in response to the questions being asked.

Social Engineering Life Cycle

Intruder attacks are most often strategic and well planned, consisting of four phases:

  1. Investigation – the hacker identifies the victim(s), conducts research on them, and selects the appropriate attack method(s)

  2. Hook – target firms are engaged and deceived

  3. Play – information is obtained over a period of time and the attack is executed

  4. Exit – the interaction is brought to a natural end and all traces of malware are removed to cover tracks

Phishing Scam Case Study

Target: 31 terabytes of data were stolen from 144 American universities, 36 American companies, 5 American government agencies.

The attack: Nine people were involved in planning and carrying out the attack, using phishing emails spoofing professor names.

Motivation: The data was stolen with financial motivations, and sold to Iranian public universities for $3.4 billion.

Four Proactive Tips

Firms should follow these four tips to protect themselves from social engineering attacks:

  1. Evaluate available security safeguards

  2. Conduct security training

  3. Establish an incident response program

  4. Emphasise a culture of security

It’s always better to be safe than to be sorry.

Take a look at the full webinar replay to hear more of Eze Castle Integration’s top tips to avoid becoming victim to phishing and social engineering.
