Every year, social engineering attacks are employing more advanced techniques. Technology continues its inexorable march forward, and its advancement in areas such as artificial intelligence (AI) and machine learning — deepfake technology, for example — will further exacerbate social engineering risks.
Social engineering can be defined as the psychological strategies scammers use to manipulate humans into clicking on compromised links or divulging sensitive information. Social engineering comes in many forms, including emails, phone calls and texting. These attacks exploit users’ fears, curiosity or helpfulness to trick individuals into sharing data such as login credentials, bank accounts or social security numbers. Commonly, they’ll redirect victims to websites harboring drive-by malware downloads and initiate phishing attacks.
Phishing schemes are often quite sophisticated. In the fall of 2020, guests at the Ritz Hotel in London were “vished” (voice call phishing) by scammers posing as Ritz staff. The scammers convinced guests to divulge credit card information. According to Bitwarden research, emails purporting to be from financial institutions (35%) or a government entity (22%) were the top phishing culprits of 2021.
With the increase in digital and remote work, phishing driven by social engineering has grown to the point where staying safe is a priority for both individuals and enterprises: a single phished employee can compromise an organization’s network.
Focus on cybersecurity fundamentals
When it comes to online safety, basic internet security protocols can help prevent phishing. Increased vigilance is warranted — 83% of organizations said they experienced a successful email-based phishing attack in 2021, versus 57% in 2020. That’s an astronomical increase.
To start, check all aspects of the email to confirm it is from the proper institution. This includes looking at the email sender name and the accompanying email address. It’s important to learn the difference between a displayed email address and the real one, since email addresses can be spoofed and misleading. Also, mobile phones do not always show the full sender’s email address, whereas browsers and applications for desktops and laptops often show more information.
Hover over links to confirm they go to the proper website, and, in general, avoid clicking on links since they can be designed to trick users. If you are concerned about the message in the email, it is always better to log directly into the account in question and avoid any information sent to you via a suspicious email.
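As an added illustration of the two checks above (the displayed sender versus the real address, and the visible link text versus the link target), here is a small Python script that applies them to a constructed sample message. It is not part of the original article, and the domains and addresses in it are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: the display name shows a bank address,
# while the real sender and the first link's target use a lookalike domain.
SAMPLE_EMAIL = """\
From: "support@examplebank.com" <alerts@examp1ebank-notify.com>
Subject: Action required on your account
Content-Type: text/html

<p>Please <a href="http://examp1ebank-notify.com/login">https://www.examplebank.com/login</a> now.</p>
<p>Questions? <a href="https://www.examplebank.com/help">Help Center</a></p>
"""

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URLISH_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
# Good enough for this illustration; use a real HTML parser on arbitrary input.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_mismatch(from_header):
    """Return (domain shown in the display name, real sender domain) when the
    display name embeds an address from a different domain; otherwise None."""
    display, real = parseaddr(from_header)
    real_domain = real.rsplit("@", 1)[-1].lower()
    shown = ADDR_RE.search(display)
    if shown and shown.group(1).lower() != real_domain:
        return shown.group(1).lower(), real_domain
    return None

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def mismatched_links(html):
    """The 'hover over the link' check: visible text that is itself a URL or
    domain but whose href resolves to a different host."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        text = text.strip()
        if URLISH_RE.fullmatch(text) and host_of(text) != host_of(href):
            found.append((text, host_of(href)))
    return found

def analyze(raw_message):
    """Run both checks on a raw RFC 822 message and report the findings."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return {"sender": sender_mismatch(msg["From"]), "links": mismatched_links(body)}
```

Both findings on the sample are exactly what a careful reader would catch by eye: the sender's displayed address and the link text claim examplebank.com, while the real address and the link target belong to another domain.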
Do not open attachments from people you don’t know — or unexpected attachments from people you do know without checking first. It is possible that their email accounts may have been compromised in a separate phishing attack.
While these recommendations generally apply to online scams, the principles behind them can also apply to vishing and text-based scams. Be skeptical and ask a lot of questions if something doesn’t feel right. Hang up on the person you find questionable and directly call the organization they claim to be representing. Being asked to divulge sensitive financial information multiple times isn’t normal. Listen to your instincts.
Tools to keep enterprise networks safer
The best practices outlined above set the foundation for protecting enterprise networks from phishing. Going a step beyond the fundamentals can further boost enterprise cybersecurity.
- Use a password manager: Password managers allow users to create and manage unique login credentials for each website, which limits the impact of a potential data breach. If a breach does happen, only that one site’s password is compromised, and the user can quickly generate a new one.
- Enable two-factor authentication: Two-factor authentication is a first line of defense against hackers trying to gain credentials.
- Consider privacy-centric browsers and search engines: Research and prioritize those not owned by large technology companies.
- Use encrypted messaging and email: If you are sharing any sensitive information, use an encrypted messaging or email program.
If an employee falls victim to a phishing attack, it is worthwhile to lodge a complaint with the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3). Enterprises can also keep their employees safe by employing cybersecurity tactics like simulated phishing attacks and instituting cyber education programs.
Social engineering-centric cyber criminals are savvy. With these tips, businesses can be too.