Traditionally, cyber security has been seen as an IT department’s problem. They make sure everyone has antivirus on their PCs and take care of the firewall – and as long as they’re doing it right, then everyone else is safe… right? This has lulled users and business owners into a false sense of security of late, believing that cyber security simply isn’t their area or that it’s not in their job description. However, this attitude is now being taken advantage of in a big way by cyber criminals, who have discovered that individual users are much easier to target and deceive. As a result, users often takes actions which inadvertently allows the hackers to bypass the IT security systems. Traditional antivirus is dead, and even more advanced next-generation antivirus simply can’t stop the most deadly attacks. Now, everyone in an organisation has a part to play in keeping it secure, from the bottom all the way up to the CEO.
Social Engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear-phishing and CEO Fraud are all examples.
Hoes does it work? It is often as simple as an email asking you to view an invoice, check out suspicious logins on your account, or even update your password. Cyber criminals will make these emails look as legitimate as possible, and then use social engineering to convince you to carry out the action without second-guessing the action. In more advances attack, such as spear-phishing, the emails may even appear to come from within your organisation. All of this is to convince you to do something that would allow hackers to infect your PC with ransomware or other forms of malware. Often, criminals will attempt to convince you that their email is ‘urgent’, and that something bad will happen if you do not click the link, such as you being locked out of one of your accounts. This tone of urgency is a classic social engineering ploy, and is big factor to look out for when you suspect an email may not be legitimate.
Remember: Always Think Before You Click
“Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.”
Gone are the days when the only phishing threats were from poorly spelled emails asking you to claim Clubcard points. With the cybercrime-as-a-service (CaaS) industry estimated to be worth in the billions each year, cyber criminals are becoming increasingly organised in the way they implement their attacks. Instead of sending out random emails and hoping for the best, spear-phishing involves researching a particular organisation, probing for weaknesses, then sending highly targeted, personal phishing emails. These emails may appear as if they come from your CEO, or IT manager, or even the colleague that sits next to you. It is estimated that over 90% of successful data breaches by cyber criminals started with a spear-phishing attack. The best means of prevention is to implement an ongoing cyber security awareness program, as trained staff can detect and block spear phishing attacks before it’s too late.