One of the top tips for password creation is to make a complex password with a combination of letters, numbers, and symbols that would be difficult to guess. However, the most secure password doesn't stand a chance if anyone on your team falls prey to something called social engineering. There are several social engineering tactics that fool employees into giving out sensitive company information, including passwords to your business's most important assets.
What is Social Engineering, Exactly?
With this tactic, fraudsters use psychology against their targets to gain access to information or physical spaces. Unlike technical hacking, it relies on human interaction rather than technical skill to reach the desired information. One might simply call it manipulation or trickery. Scammers usually use either a threat or some kind of reward to trick people into giving them what they want.
Types of Social Engineering
The phishing scheme has been around since the beginning of the internet. Phishers send out e-mails that appear to be from a legitimate institution, like your bank or even your employer. They try to appear trustworthy, using the same branding and graphics as the business they are imitating. They use this trust to get you to hand over information like passwords or essential data. Sometimes, phishing attempts try to get users to click a link or download a file that will then install malware. Often, though, they simply try to get the user to tell them the information.
The word phishing sounds just like fishing, because that's basically what it is. Hackers put out thousands of lines and see who bites.
Spear phishing works the same way as phishing, but it is targeted. In regular phishing, hackers send out thousands of untargeted e-mails; even if just a few people bite, they may still get a big payout. With spear phishing, hackers heavily research one chosen victim, usually an executive or someone with a high profile, and tailor the message to that person.
Vishing brings together the words "voice" and "phishing." It is a phishing attempt that happens via a phone call. One common example these days is a call from the "IRS" stating that you're in big trouble in the taxes department. Then they ask for your Social Security number. However, there are many different types of vishing calls one may receive.
Put together "SMS" and "phishing" and you've got smishing. It is a phishing attempt performed via text message. Scammers use similar tactics as they do in e-mail and voice attempts. They may send a link to the victim's phone to receive a prize, or track a fake package. When the user clicks on the link, they may be brought to a page that asks them to put in sensitive information or simply a payment method that will then be charged.
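The phishing and smishing paragraphs above both come down to the same two cues a reader can check before trusting a link: does the visible text point where the link actually goes, and does the destination merely contain a trusted brand's name inside an unrelated domain? The following Python checker is an added example written for this article, not TeamPassword's code; the trusted-domain list, the sample HTML message and the naive "last two labels" domain rule are constructed assumptions for illustration.

```python
"""Flag phishing-style links in an HTML e-mail body (added example, not the article's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed list of domains the organisation actually uses (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "teampassword.com"}

# Matches display text that itself looks like a URL or bare domain.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list; assumption)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href, text):
    """Return a list of human-readable findings for one link (empty list = nothing suspicious)."""
    findings = []
    host = urlparse(href).hostname or ""
    actual = registrable_domain(host)

    # Cue 1: the text shows one domain, the href goes somewhere else.
    m = DOMAIN_RE.match(text)
    if m:
        shown = registrable_domain(m.group(1))
        if shown != actual:
            findings.append(f"display text shows {shown} but link goes to {actual}")

    # Cue 2: a trusted brand name embedded in a domain that is not the brand's own.
    if actual not in TRUSTED_DOMAINS:
        for brand in sorted(TRUSTED_DOMAINS):
            if brand.split(".")[0] in host.lower():
                findings.append(f"lookalike: {host} imitates {brand}")
    return findings


def scan_email(html):
    """Map each suspicious href in the message to its findings."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = assess_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample message: one legitimate link and two phishing-style links.
SAMPLE_EMAIL = """<p>Dear customer, please confirm your details.</p>
<a href="http://examplebank.com-login.verify-now.example/reset">https://examplebank.com/reset</a>
<a href="https://examplebank.com/help">Help center</a>
<a href="https://secure-examplebank.example/login">Log in</a>"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for f in findings:
            print("  -", f)
```

The checker deliberately reports only what the article's cues cover; a real mail gateway would add a public-suffix list, homoglyph handling and reputation lookups, but even this much makes the "looks right, goes elsewhere" trick visible to a user.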
In-Person Attempts
Most of these types of attacks are performed online these days. However, they can also be done in person. It may be as simple as someone holding a heavy package asking you to hold the door for them to gain access to a restricted space. Most people have been taught to be nice and hold doors for people holding heavy objects, and these social engineers exploit that quality. In-person social engineers may also try to impersonate someone trustworthy, going as far as getting the right uniform or badge, and doing a lot of research to sound like they are who they say they are.
How to Help Employees Avoid Social Engineering
This all sounds scary, right? Con artists are very skilled at gaining access to information, and there are so many attempts performed daily. Luckily, there are ways to reduce the likelihood of a social engineering attack exposing your passwords and company data.
You can bring a trainer into the office for a day of education. This type of class will teach your teams what to look for to verify that messages, calls, and e-mails are from who they say they are. They will also teach employees what type of information they should never give out. Social engineering training may also give your colleagues an idea of what an in-person attempt might look like.
Online training reaches the same goal as in-person, except employees can do it on their own time. It doesn't take away a whole day from the business, and workers can break it up into smaller chunks to absorb the information in a way that best suits their learning style.
An important follow-up to training is testing. You can hire a specialist to send e-mails, messages, or phone calls to employees to see whether they have absorbed the lessons. Once the testing is complete, the specialist goes over the results with you and your team and points out the weak spots, so the same mistakes are avoided when a real attempt occurs.
Why It's Worth It
This type of attack has led to some expensive mistakes. In 2016, Hillary Clinton's e-mail account famously got exposed through a spear phishing scheme performed on John Podesta, the campaign's chairman. More recently, Twitter had a huge breach in which someone took over several high-profile accounts, including those belonging to Elon Musk and Joe Biden, to post messages asking people to send them Bitcoin. It was revealed that this breach happened because access to Twitter's "God mode" was gained through social engineering.
The average cost of a successful phishing attack on a small business is over $50,000. Nearly 1% of all e-mails sent are phishing attempts. As these attempts get more sophisticated, more and more of them slip past spam filters, exposing your employees to scammers no matter how secure their passwords are. Using a secure password manager like TeamPassword is just one way to reduce the risk of a breach. Make sure to also inform your teams about social engineering so your information stays safer.
Are You Protecting your Passwords and your Team?
TeamPassword is here to protect and defend you from these types of cyber attacks. Our simple, secure password manager, designed from the ground up with security and best-in-class encryption in mind, can protect your company from data breaches and your passwords from hackers. For training and other cybersecurity needs, check out our partner Strontium.io.
Get TeamPassword today! Try our free 14-day trial.