Gone Phishing: Social Engineering and Cybersecurity
Updated: Jul 14
If there’s one thing cybercriminals excel in, it’s the art of manipulation.
Every day, hackers exploit human elements to obtain sensitive data from businesses across the world. This is known as social engineering.
Even the most secure organizations can fall victim to social engineering, and as remote work continues to increase, so do opportunities for hackers to exploit potential vulnerabilities. Because of this, it is imperative for companies and individuals alike to understand the ramifications of social engineering, as well as how to prevent it from occurring.
Here are a few common types of social engineering attacks, and how not to let them get the better of you.
Phishing is perhaps the most well-known type of social engineering. These attacks come by way of phone calls from a third party attempting to steal information - or money. Messages are often well-crafted and claim to come from a reputable source. Fortunately, many cell phone carriers now flag incoming calls for “Spam Risks”, but it’s still important for consumers to take calls from unknown numbers with a grain of salt, especially if they’re asking for money or sensitive information, like your social security number. Many agencies that hackers impersonate, like the IRS, don’t actually conduct business over the phone.
Like phishing attempts, vishing is a social engineering tactic conducted by malignant third parties seeking information or money. However, rather than phone calls, these occur via voicemail. If you’ve ever received a voicemail - or several - claiming your car warranty is about to expire when it clearly hasn’t, this is a prime example of vishing. If you ever receive a suspicious voicemail, take it up with the entity they claim to be from directly, like your bank or auto dealership, rather than respond to the unknown caller.
Smishing can be considered Phishing and Vishing’s close cousin. The intentions are the same, but the delivery is a little different. Smishing attacks occur via SMS, or text messages. A common smishing scheme is a third party pretending to be a bank letting you know your card has been locked. Fortunately, they’re simple enough to screen - just make sure you verify the numbers and contacts that are sending you messages to ensure they’re coming from an authentic, trusted source.
Whaling, sometimes referred to as “spearfishing”, is among the most clever social engineering practices because they take advantage of inter-organizational relationships.
Whaling attacks are specifically designed to impersonate executives, or “whales” at your organization, knowing a target is more likely to trust an email or text message from their manager or member of leadership. An infamous example of whaling is an employee receiving a text message from their “CEO” asking them to immediately purchase gift cards and send the PIN numbers via text message. Another common example of whaling are emails sent from the “CEO” or company’s HR department asking for an important meeting with a link to an invitation. These malicious links often are enough to grant the hacker access to the company’s systems, so it’s important for employees to always verify the sender.
How can I better protect my organization?
The best way to protect your organization (and yourself!) is to understand your current risk level and identify any potential threats. For organizations, we recommend an annual Penetration Test, which is simply a secure simulation of a real-world hack. If security remediation is needed, we will provide next steps. To learn more about why every organization could benefit from a penetration test, click here.
Want to learn more about social engineering and how it could affect your business, or what a custom RISCPoint Penetration Test could look like for you? Get in touch with a member of our team below.