The South Australian Business Chamber Today

Are your staff prepared against the cybercrime of 'social engineering'?

By the South Australian Business Chamber corporate members at the Commonwealth Bank

The reality is that many businesses are compromised not as a result of technical weaknesses, but as a result of staff being tricked. That is why it is so important to speak to your staff regularly about social engineering – what it looks like and how to react when you see it.

How does social engineering play out, and what are the consequences? 

Social engineering attempts can come via email, SMS or even over the phone. But regardless of which channel is used, all social engineering is designed to override normal reasoning and judgement. The goal of scammers is to apply pressure in such a way that your emotions are heightened, and you act quickly to do something that, under normal conditions, you would consider more carefully.

While some social engineering campaigns may lack sophistication and be poorly targeted (adopting a scattergun approach), it only takes a small amount of research through social media, company websites or even data breach databases for a social engineer to be able to tweak their activities into a more convincing lure and increase their effectiveness.

Top tips to help protect your organisation:

  1. Before you make a first-time payment for any amount you’re not prepared to lose, call the person or organisation you’re paying on a trusted number.
  2. Ensure all your accounts, especially your email accounts, have strong, unique passwords and are set up with multi-factor authentication where available.
  3. Set up a payments approval process for your business, preferably requiring multiple approvers, with no exceptions.
  4. Encourage a culture where staff are comfortable questioning a payment instruction, even if it’s from a senior executive.

What to do if something goes wrong?

Time is of the essence if something goes awry, so it is important to make sure your staff know what process to follow in the event something has gone wrong and that they feel supported to speak up and report quickly.

An incident management plan will help your business respond fast and efficiently. It is also a good idea to keep a paper copy of the updated plan in case you are ever locked out of your system.

Remember:

  • contact your bank if you have given financial details to a scammer or anyone you are not sure should have them
  • if you have made a payment to a scammer, contact your financial institution and make an official report to police
  • if you have been impacted by cybercrime, you should also report it to the Australian Government’s ReportCyber service
  • report other scams to Scamwatch.


Some common types of social engineering are:

Phishing and spearphishing

Phishing is an email scam aimed at obtaining personal information, such as usernames, passwords or bank account details, by posing as a trustworthy source. Phishing attacks may also download malicious software onto devices through a compromised attachment or website link, or direct people to a fake webpage where they’re asked to provide personal information.

Spearphishing is a phishing email that’s tailored for a particular individual, company or industry so it is more likely to be acted upon by the target.

Smishing and vishing 

Smishing is a phishing campaign that is delivered via text, and vishing is a campaign that is carried out through a voice telephone call or message.

Business email scams 

These scams target businesses of all sizes. Using emails made to look like they are from someone you know, such as your boss, your supplier or your customer, these scams request payment to be made to an account under the scammer’s control.
