Many businesses are well aware of the threat of phishing emails and some even train their employees on how to spot them, but there’s another kind of scam to watch out for – social engineering scams. These are dicier than phishing scams because they target specific users and departments with communications that seem to have come from a job applicant, supplier or senior figure.
What do they want?
The aim of cybercriminals who carry out social engineering attacks is to trick the user into installing malware or sharing their login credentials. According to Imperva researchers, business data is what attackers seek most. They discovered this after setting up honeypots to attract such scams.
Cybercriminals can get into your company’s systems to put you out of business, destroy your reputation, or empty your company account. The Federation of Small Businesses learned through a study that 66% of its members had been attacked by cybercriminals in the last 2 years, and most of these attacks were social engineering attacks. In one year, small businesses lose about £5.26bn to these kinds of scams.
Why should businesses care?
Any business with sensitive information (and that includes just about every business) stands to lose its data to a malicious party in the event of a data breach. In fact, businesses that manage a lot of sensitive data are particularly careful since they know the security risks associated with cyberattacks of all kinds.
Your IT department may be well aware of these problems, but anyone within an organisation can fall hook, line and sinker for a social engineering attack because they are designed to be convincing. Don’t be surprised that the majority of your staff may be fooled by a social engineering scam that seemingly comes from the HR department.
Many businesses don’t see the threat
According to a study by Callcredit Information Group, only 22% of businesses are of the opinion that social engineering attacks will be a major problem over the next 2 to 3 years. Ironically, many of these businesses are aware that they are more likely to be defrauded as a result of a social engineering scam than a technology-based attack. However, only a fraction of them have some sort of system in place for dealing with such exploitation of their employees by cybercriminals.
How can you avoid a social engineering attack?
Avoiding a social engineering attack relies on what your employees know, so it’s important to take the time to train them. They should know that:
- Callers should always be verified.
- All communications should be verified via authentic channels.
- Links and attachments should not be clicked on or downloaded if the source is not certain.
- Computer screens should be locked and confidential information should not be left lying around in case there are ‘visitors’ with malicious intent.
Social engineering attacks are expected to become more common in the near future, but you can protect your business by doing your due diligence.