Blog

You can count on us to help provide the information you need to protect your business and serve your clients more effectively.

How to Fight Back Against Social Engineering Hackers

by | Mar 23, 2022

By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

Have you or your business fallen victim to a social engineering scam? Are you concerned about having sensitive client data stolen from your computer network by a cyber hacker? If so, you’re not alone, as cyber security has become an ever-growing threat to individuals and companies around the globe.

In the social sciences arena, social engineering is defined as “the use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society.” In the context of information security it has a darker, more ominous meaning – the use of deception to trick individuals into providing access to personal or confidential information that could be used for fraudulent purposes.

The weakest link in an organization’s battle against social engineering has always been the end-user. Cyber attackers can use a wide variety of tactics to entrap unaware or distracted employees. These include email hacking techniques like Spam and Business Email Compromise; Phishing techniques like spear-phishing, angler phishing, and whaling; and pharming, scareware, access tailgating, baiting, DNS spoofing, pretexting, and more.

The number of attack types used by the bad guys can seem insurmountable, and they’re always adding new twists to existing techniques and coming up with new ones. Recently there has been an uptick in the simplest of exploits – domain impersonation – in which an attacker changes a company domain by one or two letters.

For example, a hacker looking to impersonate a company like “PenChecks.com” might purchase a closely related domain name such as “PenCheck.com.” They would then tie their fake email systems to the new domain. By using a real name and email thread, the attacker hopes the intended victim won’t notice the slight difference in the domain and will follow up on the request coming from their supposed contact, perhaps a customer, partner, or vendor.

Repelling Targeted Attacks

How can you defend against this onslaught of targeted attacks on your user population? Start by making these three strategies standard operating procedure throughout your business.

1. Trust No One, Verify All.

Train all users to follow this strict mantra when dealing with sensitive information or actions concerning any types of money transfers, bank account changes, or routing adjustments in emails. These days, hackers can make incoming emails look like legitimate communications from clients and companies you do business with. Never assume an email is legit.

2. Always Use “Second Factor” Authentication.

Passwords alone are no longer enough to verify someone’s identify. Second factor authorization (2FA) provides a higher level of security by requiring a second identification after the password is entered. This could consist of a personal identification number (PIN), the answer to a question, your fingerprint, and more.

3. Never Rely on a Single Email Communication.

This is especially true when bank changes and other financial transactions are being made. If all else fails, pull up a reliable contact list and call the sender for verification. Do not pull a phone number from any suspicious email chain. Doing so could cost your business thousands or perhaps hundreds of thousands of dollars.

As a user or a customer dealing with other customers, it pays to stay focused when working with company emails and other forms of communication. Just as it isn’t safe to drive a car distracted, it is dangerous to get distracted when dealing with company-related and personal emails. Distracted users can miss the telltale signs demonstrated above, fail to notice email domain misspellings, or click on dangerous links that lead to malware infections. Creating a culture of cyber security in your business, with ongoing education and reminders to keep employees focused, will help keep hackers from gaining access to your sensitive data and/or financial assets.


Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer (CISO) and has more than three decades of experience in the field of information technology as a consultant and in-house manager for many companies. A well-rounded Security specialist, his background includes hands-on experience in technical management, systems architecture, program and project management, network design and deployment and ITIL (Information Technology Infrastructure Library) and SDLC (Software Development Life Cycle) methodologies. Kevin holds an MS in Cybersecurity from Liberty University.


PTCA-2022016

Did you find this content helpful?

Related Insights
Comments

0 Comments

Submit a Comment

Your email address will not be published.

13 − four =

Topics

Why You Need Cyber Security Insurance and How to Get It

In recent months, the topic of Cyber Security insurance has crept to the top of the charts for the Department of Labor’s (DOL) ERISA Advisory Council (EAC). Each year, the EAC picks topics it deems crucial to the administration of ERISA.

SSRA and RSSA: The Next Step in GID (Getting It Done)?

I learned a long time ago that laws can be like sausage. They may look great but you don’t want to see them being made.1 That may also help explain how we get some of the unusual, sometimes pithy acronyms used for new legislation.

U.S. Supreme Court Rules On Fiduciary Responsibilities

Are plan fiduciaries protected from excessive fee lawsuits just because they offer participants a menu of investment funds that includes some low-fee investment choices? Or are plan sponsors and other fiduciaries required to do more than that?

PenChecks Named a San Diego Top Workplace

PenChecks Named a San Diego Top Workplace for 2021 in the San Diego Union-Tribune’s (UT San Diego) annual “Top Workplaces” contest. And now, thanks to our awesome employees, all of San Diego will know about it.

Recent Posts

September 26 – 28 / The NCEO Fall ESOP Forum

Hilton Ballpark St. Louis / Saint Louis, MOPenChecks is proud to sponsor this year’s NCEO Fall ESOP Forum. Come by and meet our team, connect, and take advantage of unlimited opportunities to hear from the members of the employee ownership community!

October 23 – 26 / ASPPA Annual 2022

Gaylord National Resort & Convention Center / National Harbor, MDLevel Up at ASPPA Annual 2022 and come meet the PenChecks Team, booth #205! PenChecks is proud to sponsor this year’s event.

November 2 – 4 / Randug 2022

Sandpearl Resort / Clearwater Beach, FLWe will be in beautiful Clearwater Beach and look forward to connecting. PenChecks is proud to sponsor this year’s event. See you there!

November 6 – 8 / The Spark Forum

The Breakers / Palm Beach, FLJoin the PenChecks Team in Palm Beach for the 2022 Spark Forum and connect with your fellow executives in the Retirement Industry!

Archives

Have an idea for a topic you don’t see here? Send us an email and we’ll look into it.

Subscribe to our newsletter to receive regular email updates on the latest happenings at PenChecks Trust® and in the retirement plan services industry.

SUBSCRIBE

Resources
Follow Us
Send this to a friend
Hi,
I saw this on the PenChecks Trust® website and thought you may be interested in this: https://penchecks.com/how-to-fight-back-against-social-engineering-hackers/