Cyber criminals are now using sophisticated social engineering techniques to target employees and trick them into handing over funds and divulging sensitive corporate data.
The attacks start with in-depth electronic surveillance of a company and its employees. Cyber criminals gather information from publically-available resources such as social media, corporate blogs and company websites, as well as through more devious techniques such as spymail. They then use the collected information to create targeted outreach to employees in the form of emails or even phone calls in an attempt to steal funds, disable corporate networks, steal sensitive data and hold companies hostage. The industries that are most at-risk include legal, healthcare and government because of the sensitive information they possess that can be used for identity theft, insider trading, blackmail, etc.
Luckily there are a number of steps organizations can take to protect themselves and their employees from this increasingly popular and successful form of threat. Here are my top recommendations on how to prevent social engineering attacks:
Draw awareness to socially and publicly shared information.
Attackers initially gather insight into both companies and employees from what’s readily available online. From social media sites like Twitter, Facebook and LinkedIn, to corporate websites and blogs, to spymail (more on that below), an amazing amount of information about our companies and employees can be discovered without any technologically advanced “hacking” techniques. It’s important to make employees aware of this issue so they both (1) are cautious about what and how they communicate and (2) so they do not give undue credibility to information that seems private but in fact is readily available to anyone who wants it.
Create smart data security policies.
As we’ve seen from the recently revealed Dropbox hack that stemmed from an employee’s poor password management, passwords are key to protecting your company. Two-factor authentication should be used for all sensitive documents including webmail, bank portals, medical websites and HR portals. If the services you currently use don’t offer two factor authentication, then you should consider taking your business elsewhere.
Also, access to sensitive data should be provided on a need-to-know basis. For example, payroll data should only be accessible by certain individuals, not the whole accounting department.
Use secure fund transfer tools.
Last year hackers posing as employees convinced Ubiquiti Networks into sending $47M to overseas accounts. This is becoming a common occurrence as more and more companies are being tricked into sending company funds to accounts controlled by attackers. In order to combat this, you should have well-defined funds transfer procedures such as requiring all funds requests to be via a secure banking portal and not email.
Put the right tools in place to eliminate spymail.
Spymail is email with hidden tracking code that feeds its sender information about who opens it, when and how many times it is opened, whether and where it is forwarded, and even the physical locations from which it is opened. This gives the sender even more insight into your company’s operations and exposes you to risk. Use of spymail is up over 284 percent since 2013.