Many business owners put an enterprise disaster recovery plan in place and then assume they don’t need to worry about teaching themselves or their staff about potential attack vectors. While disaster recovery solutions certainly can get you back up and running in record time if your business is hit with a data breach or ransomware attack, it’s far more efficient to avoid falling victim to such events in the first place. One of the best ways to do this is to ensure you and your team are trained to recognize social engineering attacks, no matter what form they take.
To get you started, here are the six most common social engineering attacks being deployed in the 2020s:
1. Phishing attacks
Most people have heard of phishing attacks, but our growing awareness only pushes hackers to become more sophisticated in their approach. Your employees may know not to click on suspicious links in emails, but what happens if they’re in a rush and a message looks for all the world like it came from your IT department? This is precisely what happened to employees at Twilio, who were targeted by an SMS-based phishing attack (also known as smishing).
While not all Twilio staff fell for the fake SMS message, the problem is that it only takes one. Would your whole team be able to tell the difference between a genuine SMS from the IT department and a phishing scam?
2. Bait and switch
The general concept of a bait and switch has been around for as long as humans have been scamming each other. In the digital world, it involves offering the target something of value in the hopes that their desire for it will cloud their judgment. Once they take the bait, their device is infected with malware.
3. Business Email Compromise (BEC) attacks
This attack vector tends to follow one of three lines. If the hackers don’t have access to a compromised email account, they may simply impersonate one of your clients or suppliers, asking you to update payment information or provide sensitive information.
If the hackers have managed to compromise an email account, they can get even more devious with BECs. They may use the compromised account to send out malicious code from a trusted address. Thread hacking (replying inside an existing conversation from the compromised account) is a popular way to do this, as we tend to have our guard down when conversing with someone in a pre-established thread.
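As an added illustration that is not part of the original article, the check below flags the BEC tells described above in a mail-filter or SOC triage script: a known supplier’s display name arriving from a different or lookalike domain, a Reply-To that diverts the conversation elsewhere, and a request to change where payments go. The supplier list, the domain names and the sample messages are all constructed for this example.

```python
"""Added example: flag Business Email Compromise indicators in message headers.
The supplier allow-list, domains and sample messages are constructed, not real."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: suppliers this business actually pays, and their real domain.
KNOWN_SUPPLIERS = {"Acme Parts": "acme-parts.example"}
PAYMENT_KEYWORDS = ("bank details", "payment information", "new account", "wire transfer")


def lookalike(domain: str, reference: str) -> bool:
    """True when domain is not the reference but visually close to it (e.g. 'rn' for 'm')."""
    return domain != reference and SequenceMatcher(None, domain, reference).ratio() >= 0.85


def bec_indicators(msg: dict) -> list:
    """Return the indicator names found in one message.
    msg keys: 'From', optional 'Reply-To', 'Subject', 'Body' (plain strings)."""
    indicators = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    # 1. Display name of a known supplier, but the mail comes from some other domain.
    for supplier, real_domain in KNOWN_SUPPLIERS.items():
        if supplier.lower() in name.lower() and domain != real_domain:
            indicators.append("lookalike_domain" if lookalike(domain, real_domain)
                              else "display_name_mismatch")
    # 2. Replies would go somewhere other than the visible sender (thread-hijack pattern).
    if reply_domain and reply_domain != domain:
        indicators.append("reply_to_mismatch")
    # 3. The message asks to change where money is sent.
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    if any(keyword in text for keyword in PAYMENT_KEYWORDS):
        indicators.append("payment_change_request")
    return indicators


# Constructed sample messages: one genuine invoice and one BEC attempt.
LEGIT = {"From": "Jane <jane@acme-parts.example>", "Subject": "Invoice 123",
         "Body": "Please find the invoice attached."}
SUSPICIOUS = {"From": "Acme Parts Accounts <jane@acme-parts.exarnple>",
              "Reply-To": "billing@freemail.example", "Subject": "Re: Invoice 123",
              "Body": "We have changed our bank details; please update payment information."}

if __name__ == "__main__":
    for label, message in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, bec_indicators(message))
```

Any message carrying two or more of these indicators is worth holding for a phone call to the supplier on a number you already have on file, rather than one given in the email.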
4. Internal attacks
While it’s important to maintain trust and avoid being paranoid about your team members, it also pays to understand that social engineering attacks can come from within. Though he was ostensibly working for the greater good, Edward Snowden is still the paradigm case for an internal attack. In his position of trust, he was able to obtain the credentials of his colleagues without arousing any suspicion. We all know how that worked out for the NSA.
5. Personalized attacks
The creepiest of all attack vectors, this strategy involves identifying a target within an organization and then stalking them online. Hackers can gain a surprising amount of valuable information by simply observing the sites a person visits and what they share on social media. Armed with this info, they can craft the perfect personalized attack designed to get them the data, credentials, or money they’re seeking.
If any of these common tactics took you by surprise, it might be time to organize a cybersecurity training course for you and your team.