By the South Australian Business Chamber corporate members at the Commonwealth Bank
The reality is that many businesses are compromised not as a result of technical weaknesses, but as a result of staff being tricked. That is why it is so important to speak to your staff regularly about social engineering – what it looks like and how to react when you see it.
Social engineering attempts can come via email, SMS or even over the phone. But regardless of which channel is used, all social engineering is designed to override normal reasoning and judgement. The goal of scammers is to apply pressure in such a way that your emotions are heightened, and you act quickly to do something that, under normal conditions, you would consider more carefully.
While some social engineering campaigns lack sophistication and are poorly targeted (a scattergun approach), it takes only a small amount of research through social media, company websites or even data breach databases for a social engineer to turn a generic message into a convincing, personalised lure and greatly increase its effectiveness.
Time is of the essence if something goes awry, so it is important to make sure your staff know what process to follow in the event something has gone wrong and that they feel supported to speak up and report quickly.
An incident management plan will help your business respond fast and efficiently. It is also a good idea to keep a paper copy of the updated plan in case you are ever locked out of your system.
Some common types of social engineering are:
Phishing is an email scam aimed at obtaining personal information, such as usernames, passwords or bank account details, by posing as a trustworthy source. Phishing emails may also install malicious software on a device through a compromised attachment or website link, or direct people to a fake web page where they are asked to enter personal information.
Spearphishing is a phishing email that’s tailored for a particular individual, company or industry so it is more likely to be acted upon by the target.
Smishing is a phishing campaign delivered by text message, and vishing is one carried out over a voice telephone call or voicemail.
These scams target businesses of all sizes. Using emails made to look like they come from someone you know, such as your boss, your supplier or your customer, the scammer requests that a payment be made to an account under their control.
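As an added illustration (example code written for this article, not part of the original or any Commonwealth Bank tooling) of how a mail filter or helpdesk script can surface the warning signs just described: a trusted display name paired with the wrong sending domain, a Reply-To that diverts replies elsewhere, and urgent payment-change language. The contact names, domains and phrases are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> domain they send from.
# Hypothetical values for this example only; a real deployment would load these
# from the address book or supplier master data.
KNOWN_CONTACTS = {
    "jane smith": "example-supplier.com",
    "tom nguyen": "ourcompany.example",
}

# Phrases typical of payment-redirection requests; tune to your own mail flow.
PRESSURE_PHRASES = ("urgent", "new bank account", "updated bank details", "today")


def split_addr(header_value):
    """Return (display_name, domain) in lower case; domain is '' if unparseable."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower()
    return name.strip().lower(), domain


def bec_indicators(raw_message):
    """Return a list of warnings for a raw email: name/domain mismatch, Reply-To
    diversion and pressure language. An empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    name, from_domain = split_addr(msg.get("From"))
    warnings = []
    expected = KNOWN_CONTACTS.get(name)
    if expected and from_domain != expected:
        warnings.append(f"display name '{name}' sent from {from_domain}, expected {expected}")
    _, reply_domain = split_addr(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        warnings.append("pressure/payment language: " + ", ".join(hits))
    return warnings


# Constructed sample: lookalike sender domain, diverted Reply-To, urgent payment change.
SAMPLE = """\
From: Jane Smith <accounts@example-suppiler.com>
Reply-To: jane.smith@mail-relay.example
Subject: URGENT: updated bank details for today's payment

Hi, please pay this month's invoice to our new bank account, details attached.
"""

if __name__ == "__main__":
    for w in bec_indicators(SAMPLE):
        print("WARNING:", w)
```

A hit is a prompt for a human to verify the request by phone on a known number, not a verdict on its own.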