From opening scam emails to visiting malicious websites, most employees are not properly trained on the dos and don’ts of cyber security. During 2017, social engineering was found to be the most frequent and successful method of cyber attack on small-to-medium-size businesses. Social engineering exploits human behavior, bypassing whatever security software and firewalls are in place. This does not mean that businesses should stop using such security measures, but rather that proper employee training should be added to the plan. Teach your employees these four things about social engineering to dodge the most frequent cyber attacks.
1. Consider the email’s source and topic.
It is all too easy to fall for the tricks of a phishing email by opening an attachment or clicking a link, both of which can introduce malware to your device and give cybercriminals remote access. Before opening an email, ask yourself these questions:
- Is the sender’s email address spelled correctly? If not, that is a giveaway. Delete it.
- If there are attachments, were you expecting a document from this sender?
- Do you usually receive emails from this contact?
- Is there a threat or note of urgency in the subject line?
Don’t take chances with emails. If something seems strange, it probably is strange.
2. Recognize the characteristics of a phishing email.
If you decide the email’s source and topic do not appear threatening, there are still characteristics you will want to look for within the body. Should red flags arise, do not click any links nor open attachments.
- Is there a tone of urgency?
- Does it contain poor grammar or misspellings?
- If there are links to the company’s website in the message, does their domain match the sender’s email address? Employees are usually given email addresses on the company’s own domain, so a link that points elsewhere is a red flag.
3. Check URL spelling before you search.
Unfortunately, the punishment does not fit the crime when you spell a domain name wrong and find yourself on an insecure website. Typing [dot]cm instead of [dot]com may land you on a “typosquatting” domain, which was set up for the purpose of catching people who make this mistake. If you have the proper protection in place, you may get off with malware alerts and sweepstakes pop-ups. It should go without saying: do not engage with these pop-ups. To minimize risk, bookmark the websites you frequent so you never have to type their addresses.
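The checks in sections 2 and 3 (a sender domain that is almost, but not quite, the company’s; urgency in the subject or body; links that point somewhere other than the sender’s domain) can also be run automatically as a first pass before a human looks at the message. The following Python is an added example, not code from the original post or from Hummingbird Networks; example.com stands in for the company’s real domain, and the sender address, link hosts and message text are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed samples: example.com stands in for the company's real domain;
# the sender address and link hosts below are invented for this example.
PHISHING_EMAIL = """\
From: Accounts Payable <billing@examp1e.com>
Subject: URGENT: invoice overdue, act within 24 hours

Please confirm payment at http://invoice-portal.test/pay immediately.
"""
CLEAN_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
Subject: Monthly newsletter

This month's update is at https://intranet.example.com/news
"""
URGENCY_WORDS = ("urgent", "immediately", "act now", "within 24 hours", "suspended")

def edit_distance(a, b):
    """Levenshtein distance; 1-2 edits from the real domain is a lookalike (e.g. .cm for .com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_flags(raw_email, trusted_domain):
    """Return the checklist red flags a message triggers (empty list = none found)."""
    msg = message_from_string(raw_email)
    flags = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Sender address spelled almost, but not quite, like the real company domain
    if sender_domain != trusted_domain and edit_distance(sender_domain, trusted_domain) <= 2:
        flags.append("lookalike sender domain: " + sender_domain)
    # Tone of urgency in the subject line or in the body
    body = msg.get_payload()
    for part, text in (("subject", msg.get("Subject", "")), ("body", body)):
        if any(word in text.lower() for word in URGENCY_WORDS):
            flags.append("urgency in " + part)
    # Links whose domain does not match the sender's own domain
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            flags.append("link domain differs from sender: " + host)
    return flags
```

A message from an unrelated supplier domain is deliberately not flagged as a lookalike, since legitimate vendors do write from their own domains; it is the near-miss spelling of your own domain that the first check catches.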
4. Identify pretexting.
Pretexting, which can be done through email, over the phone and even in person, involves impersonating anyone whose request is likely to prompt action. These attacks require less technical skill and more research on the part of the criminal. An attack of this nature targeted at a small business could look like an unexpected invoice from a supplier or service company, claiming they didn’t receive a payment. This should be especially suspicious if they are providing a new way to pay. In this case, contact the requesting company directly, using contact details you already have, rather than engaging with the request.
No amount of anti-virus software can keep your company safe if you or your employees are not aware of common social engineering methods. Some security companies offer social engineering assessments, which include a test to see how informed employees are and a plan to help improve security. Consider making cyber security training a part of your employee development plan. Encourage your employees to learn the signs of social engineering and your company will be much safer!
John Ciarlone is a committed husband, father and fan of anything Star Wars. He is also the V.P. of Sales and Marketing for Hummingbird Networks, a woman-owned tech company that helps businesses build secure and scalable networks. As a bonus security tip, he recommends not sharing passwords through email. It’s just better that way.