How aware are you when it comes to social engineering?
Posted on April 27, 2022 by Rob May
Cybercrime is huge; indeed, no other criminal activity is quite so lucrative, thus it is imperative that you prepare and protect both your business and your personal life to mitigate the inconvenience and the cost of an attack.
There are some basic hygiene factors that every business needs to have in place. Firstly, ensure that you have appropriate insurance cover and that you understand what this is and the terms and conditions. Secondly, cybersecurity training is essential at every level of the business from the boardroom to the factory floor, indeed the ICO guidelines now say that training for new employees must happen within 30 days of starting their employment (plus before they access client data) and that it’s repeated at least annually.
Any training program you undertake should include appropriate content exploring the many different strategies deployed by social engineers (one of the prevalent forms of attack).
Social Engineers trick and manipulate their victims to do something which is not in their best interests (giving away passwords, banking info or allowing access) using techniques which provide enough pieces of the jigsaw, that decisions are made using sub-conscious thinking, as opposed to rational, logical conscious thinking.
At ramsac we focus on five areas of social engineering.
The first is Phishing, and most people are familiar with the concept of this, it uses email activity to trick the target. There are multiple techniques and categories of phishing including Whaling (or CEO Crime) and MITM ‘man in the middle’ strikes.
Second is Vishing, this is voice solicitation, and the challenger will make a phone call pretending to be the bank, law enforcement, HMRC etc. Often spoofing the phone number they are calling from to make it look like a number you are expecting (even your own office number!).
Third is Smishing, this is like phishing but using SMS or Text messages to trick the target. The average UK adult receives 9 smishing attempts each month on average, pretending to be DPD, The Post Office, Amazon etc. This is tricky because unlike phishing you can’t however the mouse of a smishing link to see if the URL offers any clues.
Fourth is Qrishing, this method tricks someone by getting them to scan a QR Code, this problem increased no end during Covid as more people became used to scanning into a venue, the problem is that it’s easy to print a dodgy QR code and stick it over a legitimate one. When someone open the QR code they get taken to a website designed to cause digital harm.
Finally, we must discuss with our teams the problem of Impersonation. The Cyber Criminal can save a lot of time trying to break into sophisticated IT security by simply getting inside the targets office building. This might simply be by sending the target USB keys and getting them to do the work for them, however, dressing as a supplier and walking into a building is unfortunately too easy for many. The concept of hiding in plain sight has never been truer and wearing a high-viz jacket and carrying a clipboard opens far too many doors. Some criminals will pretend to be the company that change your sanitary waste bins, the question is, if someone appropriately dressed walked in to your reception with two waste bins under their arms, how many people in your organisation would stop to question, identify or talk to them?
It doesn’t matter who you are or what your business does, you will eventually be the victim of a cybersecurity attack, thinking that it won’t happen to you is simply naive. Please ensure that you give sufficient time to understand the risks, practice your defence and engage with experts to ensure that you, your business, family and loved ones stay as safe as possible.
Rob May is Managing Director of ramsac who have specialised in cybersecurity and strategic technology for the last 30 years. He is also a Speaker, Author, UK Ambassador for CyberSecurity with the IoD and on the Board of The Cyber Resilience Centre in the South East (a collaboration between Business, Academia and Law Enforcement).
Cyber Resilience Certification
Looking for more information on how the Cyber Resilience Certification can improve your cybersecurity protection for your organisation? Download our factsheet.