Social engineering attacks can put your company at risk. Although they frequently involve the use of email, there are several varieties that do not require emails. An example is a “misplaced flash drive.” In this type of attack, the hacker “accidentally” leaves a flash drive somewhere, like the parking lot, hoping that an employee will pick up the drive and plug it into a company computer to discover the owner. Instead, doing so installs malware. There are also the now-famous phone calls that claim to come from Windows Technical Support and ask only for remote access to the computer.
Over the last decade, hackers have increased their skills with email-based social engineering scams, including the following ones that small business owners must keep in mind and protect against.
- Spear Phishing
Spear phishing is when a hacker uses a spoofed or fake email that seems to be from a trusted source but is not. Spear phishing typically looks like it comes from a colleague or close friend, while traditional phishing appears to come from large companies, such as Google.
Whaling has a great deal of overlap with spear phishing, but it specifically targets executives and senior management. This social engineering attack can arrive via a phone call or email, and the attacker poses as someone from within the company, typically in a high position. The goal is to steal the company’s sensitive information, and the best way to prevent it is to educate key staff as well as senior management. IT can also tag emails that arrive from outside the company, so a message claiming to come from a colleague or executive but sent from an external address is immediately recognizable.
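One way to implement that external-email tagging, as an added example that is not part of the original article: the function below parses a message, decides whether the real sender address (not the display name) belongs to one of the company’s domains, and if not prepends “[EXTERNAL]” to the subject and adds a marker header. It also flags the classic whaling pattern of an external address paired with an executive’s display name. The internal domain list, the protected display names and the two sample messages are constructed for this example and would be replaced with the company’s own values.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical internal domains; a real deployment uses the company's own.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
# Hypothetical display names that attackers like to borrow (executives, finance staff).
PROTECTED_DISPLAY_NAMES = {"jane doe", "ceo"}

def sender_domain(msg: Message) -> str:
    """Return the lower-cased domain of the actual address in From, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_external(msg: Message) -> bool:
    """A message is external unless its real sender domain is one of ours."""
    return sender_domain(msg) not in INTERNAL_DOMAINS

def tag_external(msg: Message) -> Message:
    """Tag mail from outside INTERNAL_DOMAINS; internal mail is returned unchanged.
    Tagging is idempotent so a message relayed twice is not tagged twice."""
    if not is_external(msg):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]                      # remove every existing Subject header
        msg["Subject"] = f"[EXTERNAL] {subject}".rstrip()
    if msg.get("X-External-Sender") is None:
        msg["X-External-Sender"] = "yes"
    # Whaling heuristic: an external address using a protected person's display name.
    name, _ = parseaddr(msg.get("From", ""))
    if (name.strip().lower() in PROTECTED_DISPLAY_NAMES
            and msg.get("X-Display-Name-Impersonation") is None):
        msg["X-Display-Name-Impersonation"] = "yes"
    return msg

# Constructed sample messages for demonstration.
SAMPLE_INTERNAL = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 numbers

See attached.
"""

SAMPLE_SPOOFED = """From: Jane Doe <jane.doe.ceo@mail-example.net>
To: bob@example.com
Subject: Urgent wire transfer

Please handle this today.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_SPOOFED):
        tagged = tag_external(message_from_string(raw))
        print(tagged["Subject"], "|", tagged.get("X-Display-Name-Impersonation"))
```

In production this logic lives in the mail gateway (a transport rule or a milter), but the decision it makes is the same: tag on the envelope or header address, never on the display name, because the display name is exactly what a whaling email forges.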
The technique of pharming relies on websites to trick the victims, and hackers use it to reach a larger number of victims at once. The websites might carry fake information, malicious code that executes instantly and exploits a vulnerability, or fake forms designed to collect sensitive information, such as passwords. It is crucial to note that a pharmed website can load even when you typed the real website’s address yourself. Minimize this problem by paying attention to security certificates and browser warnings.
Finally, smishing is essentially SMS (or texting) phishing. This social engineering attack relies on a text message to lure in people. The text can include either a URL or a phone number. Sometimes the message appears to come from a real phone number. Other times the sender is not in the normal phone-number format, which indicates it was sent from an email address. Avoid smishing by never responding to unfamiliar texts and definitely never clicking on links within them.
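The signals the paragraph describes (a sender that is not a phone number, a URL or callback number in the body, pressure to act) can be turned into a simple triage check. The code below is an added example, not part of the original article: it scores a text message on those signals and marks it suspicious when two or more are present. The sender-format rules, the keyword list and the three sample messages are constructed for this example; a real filter would tune them to the messages an organisation actually receives.

```python
import re

# Sender looks like a phone number: optional "+" and 7-15 digits, or a 5-6 digit short code.
# Anything else (for example an address like alerts@example.net) came through an email-to-SMS gateway.
PHONE_SENDER = re.compile(r"^\+?\d{7,15}$|^\d{5,6}$")
# Links, including bare hostnames with common top-level domains.
URL_PATTERN = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|info|xyz|top|link)\b\S*"
)
# A callback number embedded in the body (North-American style is enough for the sample data).
PHONE_IN_BODY = re.compile(r"\+?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
# Words that push the reader to act without checking (constructed list).
URGENCY_WORDS = ("urgent", "suspended", "verify", "immediately", "locked", "prize", "won")

def assess_sms(sender: str, body: str) -> dict:
    """Return the risk flags raised by one text message and an overall verdict."""
    flags = []
    if not PHONE_SENDER.match(sender.strip()):
        flags.append("sender_not_a_phone_number")
    if URL_PATTERN.search(body):
        flags.append("contains_url")
    if PHONE_IN_BODY.search(body):
        flags.append("contains_callback_number")
    lowered = body.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        flags.append("urgency_language")
    return {"flags": flags, "suspicious": len(flags) >= 2}

# Constructed sample messages: a benign delivery notice, a gateway-sent credential lure,
# and a callback-number lure from a real-looking number.
SAMPLE_TEXTS = [
    ("12345", "Your package is out for delivery."),
    ("alerts@example-bank.net",
     "URGENT: your account is suspended. Verify at http://example-bank-verify.top/login"),
    ("+15550100000", "Call 555-010-0000 to claim your prize"),
]

def assess_all(samples=SAMPLE_TEXTS) -> list:
    """Assess every (sender, body) pair and return the verdicts in order."""
    return [assess_sms(sender, body) for sender, body in samples]

if __name__ == "__main__":
    for (sender, body), verdict in zip(SAMPLE_TEXTS, assess_all()):
        print(f"{sender!r}: suspicious={verdict['suspicious']} flags={verdict['flags']}")
```

The threshold of two flags is deliberate: a legitimate bank alert from a short code may contain a link, and a delivery notice may contain a phone number, but a message that combines a non-phone sender or urgency wording with a link or callback number is the pattern the paragraph warns about.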
Protecting Against Social Engineering Attacks
Regardless of the type of social engineering attack, the best method of defense is awareness and staying on top of security protocols. Make sure that all employees know not to respond to text messages, emails, or phone calls unless they are certain who the sender is. Most importantly, never share sensitive information via any of those methods without confirming the sender is who he or she claims to be.