While businesses leveraged technology to interact with their consumers in revolutionary ways over the last 18 months, so too have hackers.
Hackers can access bank accounts or intercept banking transactions, but most often, they are looking to collate your business’ and your customers’ private information, which they sell to vendors on the black market. Restoring funds, IT infrastructure, and regaining consumer trust in the wake of a security breach can be extremely expensive, with attacks costing Australian businesses $29 billion a year.
WHAT IS SOCIAL ENGINEERING?
Social Engineering describes a broad range of malicious activities achieved by manipulating individuals into providing security details and sensitive information. The hacker identifies their victim and gathers background information, which they use to gain trust and infiltrate their company entry points. Hackers then remove all traces of malware and repeat the process with their next target. Often these attacks are not detected until it is too late. Here are some of the key Digital Social Engineering techniques:
TAILGATING & BAITING
These forms of social engineering require the attacker to execute their deception in person. A hacker simply leaves behind physical redirection in the form of a URL address or a jpeg drive, e.g., in a flyer informing employees of a deal, with instructions to communicate or conduct transactions via a false website. Because the risk of identification can outweigh the reward, hackers have adopted more sophisticated methods.
Phishing scams are the most common form of Social Engineering. Phishing emails are designed to create a sense of urgency or curiosity amongst victims. For example, a hacker may send an email alerting their target to a policy violation that requires immediate action. Crafted to appear similar to correspondence the target would normally receive, the email would advise that credentials or passwords are required to action the request. Without taking precautions to ensure the information or sender is authentic, an employee may allow a hacker access to the company’s data and information. Find out more about phishing emails and browser notifications and how you can reduce the risk of an attack here.
Between February and March 2020 as businesses began working from home, spear phishing attacks increased by 667%. Spear Phishing is similar to Phishing but is tailored to an individual. This technique uses the target’s information against them, utilising characteristics, job qualifications, and their own contacts to impersonate an individual within their network. For example, an attacker may pose as a company CEO requesting an employee makes urgent purchases, process transactions, or provide details directly, enabling them to access a complete database of private information.
SAFEGUARDING YOUR ORGANISATION
A false sense of urgency coupled with the volume of correspondence flowing during business hours, can make it difficult to spot a social engineering campaign, but there are actions you can take to reduce your risk of being targeted:
- Know who is at your place of work. Employees should show credentials in the office. If you see someone you do not know, raise this with colleagues, HR, and IT. The assumption that a stranger is a customer or client can be costly.
- Be aware of information exposed to the public. Even discussing details verbally can attract a hacker’s attention, marking you as their next target.
- Educate yourself about social engineering and cyber-attacks. A good place to start is our Tips for Remote Working, Cyber Security, and Avoiding Email Scams.
- Raise awareness among employees. Foster a sense of ownership amongst your employees by helping them identify and report cyber threats.
- Take note of emails received. Should you receive an email from an unknown source, cross-check with your data and members of the company to confirm if the sender is recognised. When receiving an email from a known source, take note of the email address itself. If the email is from a hacker, minor details will often be different, like font or email signature. Do not open suspicious emails, attachments, or associated URL links and raise the issue with IT.
- Keep your software, antivirus, and anti-malware software updated.
- Multifactor authentication is one of the best ways to protect your credentials.
CYBER INSURANCE: IN THE EVENT YOUR BUSINESS IS COMPROMISED
By implementing these tips, your exposure to social engineering can be greatly reduced. It is also important to implement measures that react if your business is compromised. A cyber insurance policy can support the rebuilding of your business in the event of a cyber-attack. It provides cover for losses such as data destruction, extortion, theft, and hacking. When approaching insurers for cover against cyber attacks, underwriters will consider if your business has the following risk mitigation measures in place:
- Encryption of sensitive data
- A Cyber Incident Response Plan
- Data backup and recovery procedures
- Business Continuity and/or Disaster Recovery Plans
- Software patching procedures
- Antivirus and firewalls.
Therefore, providing evidence that your business has taken action to limit its cyber risk exposure can reduce the cost of insurance.
To discuss your business’ cyber risk exposures and security needs, please feel free to reach out at any time.
Client Executive – Global
Discover more about cyber insurance.