By now, we’re all familiar with the type of hacker who uses their technical skills to infiltrate computer systems and compromise sensitive data. It’s seen in news headlines across the globe today. However, there’s now another type of hacker who uses special tactics to exploit the one weakness that every organization has: human psychology.
This is more commonly known as social engineering, which is the art of manipulating people so they give up confidential information. Not only are social engineering attacks becoming more common against small- and medium-sized businesses (SMBs), they’re also becoming more sophisticated. This makes things very tough for the MSPs that aim to serve and protect those SMB clients. So, in order to stay a few steps ahead of cybercriminals, here’s what you should know about social engineering attacks and how MSPs can help prevent clients from falling victim to them.
What Does Social Engineering Look Like Today?
As businesses adopt more effective strategies for preventing viruses and malware, attackers are shifting their approach and tricking victims through more sophisticated techniques such as social engineering. The most dangerous aspect of this is how attackers manipulate victims with offers or threats, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data.
Typically, social engineering involves an email or other communication that invokes urgency, fear or similar emotions in the victim and leads them to take prompt action. It could be an email that looks like it comes from a credible organization, such as your mail service or bank, but if you open it and click on the attachment, you could be installing malware or ransomware. Or it could be disguised to look like it comes from someone inside your company, such as the IT department or the CEO, but if you reply to that email with your username and password, your computer is easily compromised.
Because social engineering involves a human element, preventing these attacks can be very tricky for businesses today. As their MSP, what should you be on the lookout for? Here are a few common forms of social engineering attacks to be wary of:
Phishing and spear phishing
About 91 percent of data breaches come from phishing, which is why it has become one of the most exploited forms of social engineering. A phishing email is carefully crafted to look as though it comes from a trusted source, while the attackers behind it try to trick victims into downloading an attachment, clicking a malicious link or providing sensitive information. General phishing emails can be sent to an entire organization, whereas spear phishing emails are crafted specifically for a few people in an organization who are likely to have information valuable to an attacker. These attacks usually track current events, disasters or tax season.
Speaking of which, authorities have already warned about a massive wave of W-2 tax form phishing scams. How do these scams work exactly? Cyber criminals send emails that appear to come from the CEO or another C-level executive and ask for a PDF containing the W-2 tax information of all employees. The W-2s contain everything needed to file fraudulent tax returns and steal anyone's identity, which goes to show that attackers will stop at nothing to obtain sensitive information.
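The W-2 scam described above has a recognizable shape on the wire: an executive's display name on a message whose sender domain is not the company's, a Reply-To pointing somewhere else, a request for payroll or W-2 data, and urgency language. The following triage script is an added example (not code from the original article or from any MSP tooling it mentions) that scores a handful of constructed messages on those four signals so an MSP can route high scorers to a reviewer. The protected executive names, internal domain and sample messages are all made-up values.

```python
"""Triage heuristics for executive-impersonation (W-2 style) phishing.

Added example. Flags mail that (a) carries a protected executive's display
name but comes from a domain outside the organization, (b) asks for payroll
or W-2 data, (c) uses urgency language, or (d) sets a Reply-To on a different
domain than From. Every name, domain and message below is constructed.
"""
import re
from email.utils import parseaddr

# Constructed values (assumptions): the organization's own mail domains and
# the executives whose names an impersonator would most plausibly borrow.
INTERNAL_DOMAINS = {"example-corp.test"}
PROTECTED_NAMES = {"pat jones", "sam lee"}

W2_REQUEST = re.compile(
    r"\bw-?2s?\b|tax (?:forms?|information|info)|payroll (?:data|records)", re.I
)
URGENCY = re.compile(r"\b(?:urgent|immediately|asap|right away|today)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg):
    """Return (score, reasons) for one message dict with From/Reply-To/Subject/Body."""
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # (a) executive display name, but the sending domain is not ours
    if display.strip().lower() in PROTECTED_NAMES and from_dom not in INTERNAL_DOMAINS:
        reasons.append("executive display name on external sender domain")
    # (d) replies would go to a different domain than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    text = msg.get("Subject", "") + "\n" + msg.get("Body", "")
    # (b) the ask itself: W-2s, tax forms, payroll records
    if W2_REQUEST.search(text):
        reasons.append("requests W-2/payroll data")
    # (c) pressure to act before thinking
    if URGENCY.search(text):
        reasons.append("urgency language")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return (id, score, reasons) for messages at or above threshold, highest first."""
    hits = []
    for m in messages:
        score, reasons = score_message(m)
        if score >= threshold:
            hits.append((m["id"], score, reasons))
    hits.sort(key=lambda h: -h[1])
    return hits


# Constructed sample traffic: one classic W-2 lure, one genuine internal mail,
# one vendor mail with mild urgency, one "your tax forms are ready" lure.
SAMPLE_MESSAGES = [
    {"id": "msg-1",
     "From": '"Pat Jones" <pat.jones@mail-lookalike.test>',
     "Reply-To": "pjones@webmail.test",
     "Subject": "Urgent: W-2s for all employees",
     "Body": "Please send me the W-2 of all employees as a PDF today."},
    {"id": "msg-2",
     "From": '"Pat Jones" <pat.jones@example-corp.test>',
     "Subject": "Board deck review",
     "Body": "Can you look at slides 3-5 before Friday?"},
    {"id": "msg-3",
     "From": '"Vendor Billing" <billing@supplier.test>',
     "Subject": "Invoice 4471 due",
     "Body": "Please process immediately."},
    {"id": "msg-4",
     "From": '"Payroll" <noreply@payroll-notice.test>',
     "Reply-To": "forms@other.test",
     "Subject": "Your tax forms are ready",
     "Body": "Download your W-2 now."},
]

if __name__ == "__main__":
    for msg_id, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"{msg_id}: score {score} -> {'; '.join(reasons)}")
```

The threshold of two keeps a lone "please process immediately" from a vendor out of the review queue while still catching a message that merely pairs a W-2 ask with a mismatched Reply-To. Scores are deliberately additive and explainable so the reviewer sees why a message was flagged rather than a bare verdict.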
Vishing (voice phishing)
Vishing is essentially the same as phishing, just over the phone. After finding a bit of information about a victim (such as a name or date of birth), a criminal will call them, often posing as tech or customer support, to trick them into divulging more information, login credentials or even a social security number. This type of attack can also be used to target organizations. Attackers will often hide behind a specific area code or caller ID in order to trick the person on the other end into giving up company information, including hours of operation, financial or employee information, and even password resets.
Baiting
Just as the term suggests, baiting attacks involve offering victims something they are searching for or want. These attacks often appear on peer-to-peer sharing sites where you can download and stream music, or those Oscar-winning movies you've been meaning to see. The risk is that you might actually be downloading malware instead of the files you were hoping for. Baiting can also take the form of too-good-to-be-true online deals or fake emails offering free coupons.
How Can Social Engineering Attacks Be Prevented?
The most important thing you can do as an MSP is provide your clients with cybersecurity education and awareness. This is especially important for social engineering, because these attacks can be stopped by the targets themselves. Employees need to know what to look out for when receiving email or phone calls and before clicking on links, and you can be their primary resource. When you teach employees how to protect their company's confidential data, you allow them to become more vigilant and a much-needed security layer.
Monitor and secure devices
With an increasingly mobile workforce and threats coming through both personal and professional devices, businesses need multi-layered endpoint security now more than ever. Today, security needs to be built from the endpoint outwards, and that starts with a reliable remote monitoring and management (RMM) solution. By offering an RMM solution coupled with antivirus software, MSPs can be more proactive in preventing social engineering and other cyber attacks. Additionally, when RMM is combined with a network infrastructure tool, it allows a more complete view of your clients' systems, so you can monitor the health of their IT infrastructure and mitigate risks as they arise.
The best way to combat social engineering attempts is to never let them infect you to begin with. This may be easier said than done, but having reliable RMM and endpoint security (combined with the education piece mentioned earlier) is essential to making it possible.
Backup and disaster recovery
As an MSP, you know all too well that human error is a fact of life in this industry. No matter how much security training or how many services you provide, people will still fall for scams or click on links they shouldn't. Because of this, it is vital for businesses to have a backup and disaster recovery (BDR) solution in place. If files become encrypted or devices are compromised, BDR ensures that your clients have reliable and recent backups and that their essential data can be restored to an undamaged state with as little downtime and data loss as possible.