How To Prevent Social Engineering Attacks In Your Workplace
Any workplace that holds confidential company or client information is at risk of social engineering attacks, which threaten the security of everyone connected to the targeted company. Although external threats of this kind are common for businesses in an overwhelmingly digital age, they are often overlooked as illegitimate or harmless because of how subtle they tend to be. It is important to understand that these attacks do not target weaknesses in computer systems in order to gain access to information; they target the people who work on those systems and who hold the information that can leave them and the company vulnerable if they are not cautious. Once you are given access to a building, to documents, or to databases in virtual data rooms, it is your duty to be proactive about keeping them secure.
Most Common Social Engineering Attack Techniques And How To Thwart Them
Phishing: This is probably the most common type of social engineering attack because of its simplicity and the psychological triggers these scammers use to influence unsuspecting individuals into handing over their personal information. Most of the time it involves an urgent email that uses scare tactics to get the recipient to click an embedded link that redirects to a suspicious website. It takes only seconds to click a link once you have been made to feel that you are in trouble with a government body or that your Apple account has been accessed by an unknown party, and this is how phishing scams spread among individuals and companies.
- Don’t click on suspicious website links in an email sent to you by an unknown party. Be sure you know exactly which website a link leads to and whether it is a legitimate source; look the site up on your own to see whether it is valid rather than following the link.
- Don’t fall for the fear mongering in these emails. They are created to incite a visceral reaction in the recipient by claiming they are from high profile parties.
- Beware of the spelling and grammar mistakes that phishing emails tend to be littered with. A professional company or government institution would send you a more polished email to warn you of any issues with your accounts.
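The link check in the first tip above (know exactly which website a link leads to) and the urgency cue in the second can both be applied mechanically to an incoming message. The following is an added example, not code from the original article: it parses the HTML body of an email, compares the domain shown in each link's visible text against the domain the href actually points to, and counts urgency phrases in the text. The sample email, the urgency phrase list, and the domain names in it are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text names one site while the href
# points to a different domain, and the wording presses the reader to hurry.
SAMPLE_EMAIL_HTML = """
<p>Your account has been suspended. You must verify immediately or lose access.</p>
<p>Go to <a href="http://appleid-verify.example.net/login">https://appleid.apple.com</a>
to restore it within 24 hours.</p>
"""

# Hypothetical list of pressure phrases; a real deployment would tune this.
URGENCY_PHRASES = ("immediately", "suspended", "within 24 hours", "verify now", "act now")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element and all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chunks = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercased hostname of a URL or bare domain ("" if none)."""
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""


def analyze_email(html):
    """Return the phishing indicators found in an HTML email body."""
    parser = _LinkCollector()
    parser.feed(html)

    mismatched = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        # Only compare when the visible text itself looks like a domain or URL;
        # a link labelled "click here" carries no claim about its destination.
        if shown and "." in shown and shown != actual and not actual.endswith("." + shown):
            mismatched.append({"shown": shown, "actual": actual})

    body = " ".join(parser.text_chunks).lower()
    urgency = [phrase for phrase in URGENCY_PHRASES if phrase in body]

    return {
        "mismatched_links": mismatched,
        "urgency_phrases": urgency,
        # One disguised link is enough on its own; pressure wording alone needs
        # more than one hit before the message is flagged.
        "suspicious": bool(mismatched) or len(urgency) >= 2,
    }


if __name__ == "__main__":
    print(analyze_email(SAMPLE_EMAIL_HTML))
```

The mismatch test is deliberately narrow: it only fires when the visible text itself names a domain, which is the case the tip describes (a link that claims to go to one site but goes to another). A link whose text is just "click here" is not a mismatch, which is why the urgency count is kept as a second, independent signal.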
Quid Pro Quo: This scam offers an unsuspecting victim a service in return for confidential information. It is not restricted to online channels and can be carried out in person, through door-to-door salesmen or people pretending to be IT workers trying to gain access to a building. They may claim that you are entitled to free installation of new anti-malware software and that all you have to do is enter your information into a website or hand it over to a technician who claims to have been hired by your company.
- Don’t take anyone claiming to need access to your information at face value unless confirmed by your manager in advance.
- Don’t hand out any information in the hopes of getting a service for free.
- Your passwords are vital in ensuring company security, so don’t be willing to give them away in exchange for items and services that you can purchase or perform yourself.
- Store confidential company data in a secure virtual data room that is impenetrable to unwanted third parties.
Baiting: Anyone can fall for this technique, whether online or in person. Who doesn’t want free items, or access to an online repository of movies and music, in exchange for nothing more than their login credentials? These scams are easy to fall for because they trigger a sense of reward or accomplishment, much like a standard transaction, but apparently for free. They also exploit an individual’s curiosity by making the rewards enticing enough to click through links on suspicious websites.
- Look out for enticing offers that seem too good to be true. More often than not, they are.
- Don’t give out your information or credentials in return for either physical or digital rewards.
- If a website is asking for this information, that is a sign the information is valuable, so you should strive to keep it confidential at all times.
Piggybacking: This might be the most sinister of the main social engineering attacks because it can happen right under your nose, with your help, without you even knowing it. Piggybacking refers to an attacker using an employee’s presence to gain access to a building, either by waiting for one to enter and following them in to avoid scanning an access card, or by starting a conversation to build a rapport that won’t be questioned by the employee or any security guards. Piggybacking can leave a company and its confidential data as vulnerable as any other attack, especially at mid-size companies with laxer security and building access requirements.
- Don’t hold building doors open for employees you don’t know. Be sure you recognize whoever you are allowing into the building, or make sure the security team gets a good look at them as well.
- Don’t leave documents unattended in printing areas where someone walking through the office can gain access to them; instead opt to store everything in a VDR.
- Delivery workers might seem innocent; however, their uniforms could be a well-crafted façade for gaining access to a building by asking an employee to hold a door open for them. If you notice suspicious activity by an individual claiming to be from another company and wanting to get into the building, notify your security team immediately.
Pretexting: This one might be the most creative of the bunch, relying on the art of crafting an intricate and convincing backstory to get users to hand over their confidential information rather than on scare tactics. In pretexting the scammers have to create a sense of trust between themselves and those they are scamming, making the story seem as authentic as possible so as not to arouse any suspicion. The scammer can convince an individual that they need a few pieces of information to confirm the individual’s identity, as a means of validating their accounts or company security clearance. They can even go as far as impersonating IT staff so that they can gain direct access to a company building.
- Don’t give out your information to an unknown caller or through an email correspondence that you are unsure of, even if the information seems inconsequential.
- Don’t give in to manipulation or to a call to action that a scammer makes of you. Only your managers should have authority over any security information you possess, and any IT specialist will be cleared by the company before they request access to your confidential information.
- Don’t fall for fabricated stories designed to create a sense of trust between you and the scammer. You should always be told in advance about anyone who needs access to your company computer, rather than being talked into it at the last minute by an unknown individual.