‘Social engineering’ attacks are, like any cybersecurity risk, a threat to your SME. Malware, viruses, trojans, and all sorts of malicious code can enter your system, gather information, erase data, steal money or hold your network to ransom.
It might be terrifying to learn that these things are out there. You might have known about them for some time. Either way, protecting your business against these ‘social engineering’ attacks is essential.
This blog post will explain what ‘social engineering’ attacks are and why they’re a problem. Of course, we’ll also tell you how to deal with the threat.
What are ‘social engineering’ attacks?
‘Social engineering’ attacks are an umbrella term for cybersecurity risks posed by tricking a system user. A simple example might be a scammer sending an employee an email, posing as their bank. When the employee clicks the link, a virus might be downloaded and installed on their PC, or the link might trick them into entering their bank details on a fake webpage. This would be a typical phishing example.
In other words, ‘social engineering’ attacks aren’t just criminals forcing their way through firewalls or tapping into data streams. While users being tricked is the common denominator, it can be challenging for staff to distinguish between friend and foe.
The four most common types of digital ‘social engineering’ attacks are:
- Phishing – clicking links, such as those found in the above example.
- Baiting – offers a reward to the user but installs malware in the process. For instance, ‘want a free iPhone? Log in to XXX.com now!’.
- Quid pro quo – these attacks ask you to confirm some information. A typical example might be a criminal posing as your bank. They might ask you to verify your bank account details ‘to secure your account’.
- Pretexting – creating a fabricated emergency situation to hurry a user to break protocol. For example, pretending to be HMRC looking for your overdue taxes.
Another typical ‘social engineering’ attack is known as tailgating. This usually applies in physical security scenarios. A criminal might walk directly behind a member of staff. After the employee enters their PIN or swipes an access card, the crook follows them through the doors. In that way, they gain access to highly secure environments. Phone calls can also be used in this way, especially when a call is combined with a website the caller directs the victim to.
What to do if you encounter a ‘social engineering’ attack
With ‘social engineering’ attacks – as with many things – prevention is the best cure. Don’t let the malware into your system, and there won’t be any problem. The best place to start is with staff training. Get all your employees up to speed and aware of the risks. Since ‘social engineering’ attacks target them (and you) specifically – rather than your ICT security precautions – this is the best way to look after your business.
During training, you and your staff should learn about things like passwords and two-factor authentication. Opening untrusted emails should always be avoided, and requests from strangers always ignored. It pays to encourage your staff to be suspicious and ignore emails they don’t expect. Ask telephone callers to prove that they are who they say they are, or tell them you will phone them back and put the phone down.
Most antivirus systems are pretty good at locating and isolating threats found in emails. None are 100% effective, though. If a criminal has designed their scam well enough, one might slip through. In short, don’t rely on your antivirus to do everything for you.
‘Social engineering’ attack simulation in Microsoft 365
With Microsoft 365 E5 (or Office 365 Plan 2), you can use Microsoft Defender to launch a ‘social engineering’ attack simulator. Simulations are brilliant for shoring up your defences and plugging the holes, as it were. Most importantly, they show your employees what to watch out for and what steps they should take afterwards. Use the attack simulator to test your policies and, if necessary, update them.
Only admins can launch ‘social engineering’ attack simulations. Discuss it with your business to see how you should best implement it.
Get AMDH to help
Do ‘social engineering’ attacks sound a bit too overwhelming? We absolutely understand. Here at AMDH, our experienced consultants have decades of ICT experience. We’ll help you tighten up your system security and train your staff. All being well, ‘social engineering’ attacks will become a thing of the past.
Unfortunately, it’s always possible for one to slip through the safety net. Have a chat with us before this happens, so you know how to react to the situation.
Use the contact form at the base of the page to get in touch with us. We can’t wait to help your SME shore up its defences.