Thursday, March 12, 2020

Protect Yourself from a New Cyber Threat: Social Engineering Attacks

By: Edward L. Blais, JD, CIC
President, Blais Insurance

 
In today’s world, some of the most serious security threats that businesses face come in the form of cyber attacks. We tend to imagine cyber attacks as hacks into our software systems. But cyber attacks can also involve ‘hacking’ human psychology, and these can be just as deadly as the first kind.

Known as “social engineering attacks,” these exploit vulnerabilities among the employees working in an organization. For example, someone might send you an email that looks as if it comes from PayPal. The email says there has been unusual activity on your account and asks you for your login credentials. It looks like the real deal, but it turns out to be a scam to steal your information and, potentially, your money. (This kind of social engineering attack is known as a phishing scam.)

Here are five types of social engineering attacks you need to look out for. 

1. Phishing scams. In these attacks, cyber criminals steal usernames, passwords, and other important information by posing as someone you trust, such as your bank, your email provider, a bill collector, or another familiar organization. Most phishing emails are sent to multiple people. But one type of phishing scam, known as spear phishing, is targeted at individuals. According to ABA Insurance Services, this scam uses details of a recent transaction, a business trip, or other personal information to trick you into providing more information.

2. Pretexting. Another social engineering attack uses a fake scenario to steal valuable information. For example, the hacker might claim to be an auditor in order to solicit confidential information, according to Tripwire. “Whereas phishing attacks mainly use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim,” Tripwire says.

3. Baiting. This is a cyber attack that aims to exploit people’s curiosity, according to Infosec. One such attack occurred in 2018 when state and local government agencies received a Chinese-postmarked letter with a CD inside it. The attackers hoped some recipients would be curious enough to insert the CDs into their computers, infecting them with malware, according to Tripwire.

4. Smishing. The idea is the same as phishing, but instead of using emails, it relies on SMS, or text messages. Smishing texts often contain links to websites, email addresses, or attachments. Clicking on a link could cause malware to be downloaded onto your phone or other device.