Social Engineering Attacks and Your Business
By Matthew J. Tyson, IT Specialist
For a small business, social engineering, which Investopedia defines as “the act of exploiting human weaknesses to gain access to personal information and protected systems”, can cause a lot of damage and even lead to business closure. Larger businesses have a bigger attack surface, so a successful attack can do more damage, but they also tend to have the resources to protect themselves better than smaller businesses do. Because social engineering attacks are both severe and frequent, I discuss a few different social engineering attacks and what you, as a business owner, can do to help protect your business from a successful attack.
Phishing
Phishing attacks arrive as malicious emails that instruct you to click on a link or send back information that should not be disclosed, like credit card information, your social security number, or the login information for one of your online accounts, such as your bank account. The link usually leads to a look-alike login page that captures whatever you type into it. These attempts do not target you specifically; the same email goes out to many addresses at once. It is called phishing because, like going fishing, the threat actor sits and waits for someone to take the bait and click the link or do whatever the email asks.
Spear Phishing
Spear phishing is a phishing email that targets you specifically. Your name appears in the email, and the threat actor poses as a friend, a coworker, or an authority figure to get something they should not have, like login information, credit card information, or access to your computer. If you know who they are impersonating, contact that person directly through a channel you already trust, such as a phone number or email address you have on file, never by replying to the suspect email or using the contact details it contains, and ask whether they sent it. If they did not, let them know that a malicious person is impersonating them, and that they should file a complaint with the FBI Internet Crime Complaint Center.
Whaling
Whaling is a spear phishing attack aimed at a person of power, such as the CEO or owner of a company. Because that person can approve payments and request sensitive records, a successful attack can be very damaging to a business, especially a small business. The same impersonation is often turned around: an email that appears to come from the CEO pressures an employee to send money or records.
Vishing
Vishing is the voice version of phishing, where a person with malicious intent talks to you over the phone or through applications like Microsoft Teams and Zoom. When calling you or one of your customers, the threat actor either poses as an authority figure, such as the FBI, the IRS, Microsoft, or Norton, or poses as a friend or family member in an urgent situation, for example, claiming they were in an accident and need money immediately. An example of the first kind is shown in a CNN video on Instagram of a reporter being hacked through social engineering.
How do you know if you are being attacked through social engineering?
If you suspect you are being targeted by social engineering, the following lists of clues can help you decide.
Email and Voice Communication
· The person pressures you with urgency and/or claims authority.
· The person gives no specifics that identify you or the person they claim to be, such as an account number or a past conversation.
· The message is unprofessional, and the request is incoherent or unusual for the person it supposedly comes from.
Email Communication Only
· The email’s phone numbers and email addresses, including the sender’s address, look bogus: the display name shows one person or company while the address behind it belongs to another domain, or the Reply-To address differs from the From address. Always check directly with the person to verify that they sent the email, since a threat actor could be impersonating them.
· The email’s formatting and grammar have issues.
· The email appears to come from another country or from an unexpected domain. This proves nothing on its own, since legitimate vendors can be abroad and a sender’s apparent location can be faked, but it is a reason to investigate further before acting.
If none of the above clues apply but the email or voice conversation still concerns you, get an IT professional’s feedback first. If you do not know an IT professional, use the “when in doubt, throw it out” policy and delete the email. If you keep getting malicious emails from the same sender, contact the authorities by filing a complaint with the FBI Internet Crime Complaint Center. If the email claims to be from a company you have worked with in the past, check with that company directly by looking up its contact information on its website or by using a past contact you already have there. Do not use any contact information in the email itself; it could be bogus and connect you straight to the attacker. Lastly, if you have older emails from the company, compare the new email, including the exact sender address, against those older emails to see if they match.
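Several of these clues can be checked mechanically before a person ever reads the message. The Python script below is an added example written for this article, not code from the original page or from any vendor. It parses a raw email, compares the display name and address against contacts seen in past legitimate correspondence (the “older emails” check), flags a Reply-To on a different domain, looks for pressure wording, and catches links whose visible text names one site while the href points to another. The two messages, the contact list, the phrase list, and the placeholder domains are all constructed for the demonstration.

```python
"""Check a raw e-mail for the social-engineering indicators listed above.

Added example for this article; samples, contacts and phrase list are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: pressure wording typical of phishing; extend for your own business.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "final notice",
                   "account will be closed", "act now", "wire transfer", "gift card")

# Constructed contact list: display names and addresses taken from past legitimate e-mails.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@acme-supplies.example",
    "acme supplies billing": "billing@acme-supplies.example",
}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def address_domain(header_value: str) -> str:
    """Lower-cased domain of a header like '"Jane Doe" <jane@acme.example>' ('' if absent)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare text like 'example.com/path' is treated as http://example.com/path."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def phishing_indicators(raw_message: str, known_contacts=KNOWN_CONTACTS) -> list:
    """Return human-readable findings for a single-part message; an empty list means nothing fired."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # Impersonation: a name we know, but not the address we have on file for it.
    expected = known_contacts.get(display_name.strip().lower())
    if expected and expected != from_addr:
        findings.append(f"display name '{display_name}' is known, but address is "
                        f"{from_addr}, not {expected}")
    elif from_addr not in known_contacts.values():
        findings.append(f"sender {from_addr} has not written to us before")

    # Replies silently routed to a domain other than the sender's.
    reply_domain = address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    scanned = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in scanned]
    if hits:
        findings.append("urgency/pressure wording: " + ", ".join(hits))

    # Link text shows one site, but the href goes somewhere else.
    for href, text in LINK_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if "." in text and " " not in text:  # the visible text looks like a URL or hostname
            shown, actual = host_of(text), host_of(href)
            if shown != actual:
                findings.append(f"link shows {shown} but goes to {actual}")
    return findings


# Constructed spear-phishing sample: known name, different address, look-alike link.
PHISH_SAMPLE = """\
From: "Jane Doe" <jane.doe.acme@webmail.example>
Reply-To: accounts@acme-supplies-billing.example
To: owner@corner-bakery.example
Subject: Final notice - updated bank details
Content-Type: text/html

<p>Our bank account changed. Please pay the attached invoice immediately,
or the account will be closed within 24 hours.</p>
<p><a href="http://acme-supp1ies.example/pay">https://acme-supplies.example/pay</a></p>
"""

# Constructed legitimate sample from a known contact for comparison.
LEGIT_SAMPLE = """\
From: "Acme Supplies Billing" <billing@acme-supplies.example>
To: owner@corner-bakery.example
Subject: Invoice 1042 for March
Content-Type: text/html

<p>Your March invoice is available in the portal.</p>
<p><a href="https://acme-supplies.example/invoices/1042">https://acme-supplies.example/invoices/1042</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, "->", phishing_indicators(sample) or ["no indicators"])
```

An empty result does not mean an email is safe; a well-crafted spear phishing email can pass every automated check, which is why the advice above to verify through a channel you already trust still applies.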
How do I prevent social engineering attacks on my business?
The major actions a small business owner can take are (1) training your employees, your customers, and yourself to recognize social engineering; (2) requiring multifactor authentication, where available, on all your main online accounts, preferring an authenticator app or a hardware security key over a code sent by text message, since a criminal who takes over your phone number can receive those texts; and (3) making sure the information you use to identify your customers over the phone or by email cannot be found on social media. Instead of a birthdate, which appears in many places and is commonly used for identification, send your customers a support code by email or have them retrieve one through their online account; a threat actor would need access to the customer’s email or account to obtain it. Lastly, stay alert to the threats, keep your software and hardware up to date, and do not be afraid to contact an IT professional about any cybersecurity concern.
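One way to implement the support-code idea in item (3), as an added example for this article rather than code from the page: the server issues a short-lived, single-use code, stores only a keyed hash of it (so a leaked database or log does not reveal live codes), compares in constant time, and locks the code after a few wrong guesses. The ten-minute lifetime, five-attempt limit, eight-digit length, the in-memory store, and the server key generated at startup are all assumptions for the demonstration; a real deployment would load the key from a secrets manager and keep the records in the customer database. Delivering the code by email or through the customer portal is outside the block.

```python
"""Issue and verify single-use customer support codes.

Added example for this article; limits, key handling and the store are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # assumption: a support code is valid for ten minutes
MAX_ATTEMPTS = 5            # assumption: five wrong guesses invalidate the code
CODE_DIGITS = 8             # assumption: eight digits, easy to read out over the phone

# Assumption: generated at startup for the demo; load from a secrets manager in production.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory store keyed by customer id; one pending code per customer.
_pending = {}


def _mac(customer_id: str, code: str) -> bytes:
    """Keyed hash binding the code to one customer, so a leaked record does not expose live codes."""
    return hmac.new(SERVER_KEY, f"{customer_id}:{code}".encode(), hashlib.sha256).digest()


def issue_support_code(customer_id: str, now: float = None) -> str:
    """Create a fresh code for this customer and return the plaintext for delivery.
    Only the MAC, expiry and attempt counter are stored; issuing replaces any older code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[customer_id] = {
        "mac": _mac(customer_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_support_code(customer_id: str, presented: str, now: float = None) -> bool:
    """True only if the code is the one issued to this customer, unexpired, unused,
    and the attempt limit has not been exceeded. A correct code is consumed on success."""
    now = time.time() if now is None else now
    record = _pending.get(customer_id)
    if record is None:
        return False                  # nothing issued, already used, or already locked
    if now > record["expires"]:
        del _pending[customer_id]     # expired codes are discarded, not retried
        return False
    record["attempts"] += 1
    if record["attempts"] > MAX_ATTEMPTS:
        del _pending[customer_id]     # too many guesses: the caller must issue a new code
        return False
    # Constant-time comparison so response timing does not reveal how many digits matched.
    ok = hmac.compare_digest(record["mac"], _mac(customer_id, presented.strip()))
    if ok:
        del _pending[customer_id]     # single use
    return ok


if __name__ == "__main__":
    code = issue_support_code("customer-42")
    print("code to send the customer:", code)
    print("wrong guess accepted?", verify_support_code("customer-42", "00000000"))
    print("real code accepted?", verify_support_code("customer-42", code))
    print("replay accepted?", verify_support_code("customer-42", code))
```

The attempt limit and the short lifetime are what make an eight-digit code safe to use; the keyed hash only protects stored records. If a customer fails to present the code within the window, issue a new one rather than extending the old one.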
Social engineering is a con artist’s game that has existed in one form or another for a long time, and it will never go away. It can do a lot of damage to your small business’s image and credibility. To protect yourself and your business, always use caution when you feel you are being socially engineered in person, over the phone, or by email. Your extra vigilance can save your business a lot of trouble and can possibly save it from going out of business.
The following are some web addresses to some helpful small business cybersecurity resources.
https://www.dhs.gov/publication/stopthinkconnect-small-business-resources
https://www.sba.gov/business-guide/manage-your-business/small-business-cybersecurity