By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®
Have you or your business fallen victim to a social engineering scam? Are you concerned about having sensitive client data stolen from your computer network? If so, you're not alone: cyber attacks are an ever-growing threat to individuals and companies around the globe.
In the social sciences, social engineering is defined as "the use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society." In the context of information security it has a darker meaning: the use of deception to trick individuals into handing over access to personal or confidential information, or into taking an action, that the attacker can then use for fraud.
The weakest link in an organization's defense against social engineering has always been the end user. Attackers use a wide variety of tactics to entrap unaware or distracted employees. These include email-based techniques such as spam and business email compromise (BEC); phishing variants such as spear phishing, angler phishing, and whaling; and pharming, scareware, tailgating, baiting, DNS spoofing, pretexting, and more.
The number of attack types can seem overwhelming, and attackers are always adding new twists to existing techniques and coming up with new ones. Recently there has been an uptick in one of the simplest attacks, domain impersonation (also called lookalike or typosquatted domains), in which an attacker registers a domain that differs from a legitimate company's domain by only one or two characters.
For example, an attacker looking to impersonate a company like "PenChecks.com" might purchase a closely related domain name such as "PenCheck.com." They would then set up a mail server for the new domain so that it can send and receive email. By using a real contact's name and a plausible email thread, the attacker hopes the intended victim won't notice the slight difference in the domain and will act on a request that appears to come from a known customer, partner, or vendor.
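The lookalike-domain trick described above can be caught mechanically before a person ever has to squint at the address. The following is an added example, not code from the original article or from PenChecks: it compares the sender domain of an incoming message against a list of domains the business actually does business with and flags near misses. The trusted domains, the confusable-character table, and the sample From: headers are all constructed for illustration; the "second-level label" helper assumes simple two-label domains such as example.com and is a deliberate simplification.

```python
import re

# Constructed for this example: domains the business legitimately exchanges mail with.
TRUSTED_DOMAINS = {"penchecks.com", "examplebank.com"}

# Character sequences that look alike in common fonts, mapped to one canonical form.
# Assumption: a small illustrative set, not a complete confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l"), ("5", "s")]


def sender_domain(from_header):
    """Return the lowercased domain of the address in a From: header, or None if absent."""
    m = re.search(r"@([a-z0-9.-]+)>?\s*$", from_header.strip(), re.IGNORECASE)
    return m.group(1).lower().rstrip(".") if m else None


def skeleton(domain):
    """Collapse visually confusable sequences so 'exarnple' and 'example' compare equal."""
    s = domain.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def levenshtein(a, b):
    """Edit distance: number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain):
    """Label left of the top-level domain (simplification: assumes 'name.tld', not 'name.co.uk')."""
    return domain.split(".")[-2] if "." in domain else domain


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a From: header as trusted, a lookalike of a trusted domain, or unknown.

    Returns (verdict, trusted_domain_it_resembles_or_None).
    """
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparseable", None)
    if domain in trusted:
        return ("trusted", domain)
    for t in trusted:  # mail.penchecks.com is still penchecks.com
        if domain.endswith("." + t):
            return ("trusted-subdomain", t)
    for t in trusted:  # exarnplebank.com vs examplebank.com
        if skeleton(domain) == skeleton(t):
            return ("lookalike-homoglyph", t)
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, closest) <= max_distance:  # pencheck.com vs penchecks.com
        return ("lookalike-typo", closest)
    for t in trusted:  # penchecks-payroll.com borrows the brand name
        if second_level(t) in second_level(domain):
            return ("lookalike-brand", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Jane Doe <jane@penchecks.com>",
        "Jane Doe <jane@pencheck.com>",
        "Billing <ap@mail.penchecks.com>",
        "Treasury <ops@exarnplebank.com>",
        "AP <ap@penchecks-payroll.com>",
        "someone@unrelated-vendor.org",
    ]
    for header in samples:
        print(f"{header:40} -> {classify_sender(header)}")
```

Anything that comes back as a lookalike should be treated as a prompt for out-of-band verification (a phone call to a number from a known-good contact list), not as proof of fraud on its own: the confusables table and the edit-distance threshold will occasionally flag a legitimately different company, and a message from a trusted domain can still be fraudulent if that mailbox has been compromised.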
Repelling Targeted Attacks
How can you defend against this onslaught of targeted attacks on your user population? Start by making these three strategies standard operating procedure throughout your business.
1. Trust No One, Verify All.
Train all users to follow this strict mantra when dealing with sensitive information or with any email that requests a money transfer, a bank account change, or a change to payment routing details. Attackers can make incoming email look like legitimate communication from clients and companies you do business with, so never assume an email is genuine because of how it looks or who it appears to be from.
2. Always Use Two-Factor Authentication.
Passwords alone are no longer enough to verify someone's identity. Two-factor authentication (2FA) raises the bar by requiring a second proof of identity after the password is entered, ideally something the user has (a one-time code from an authenticator app, or a hardware security key) or something the user is (a fingerprint). Note that a PIN or the answer to a security question is just a second thing the user knows; it can be phished or guessed like a password and adds little, and codes sent by SMS can be intercepted. Where a service offers them, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys.
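To make the "second proof after the password" concrete, here is an added example (not code from the article or from PenChecks) of the time-based one-time password scheme used by authenticator apps, RFC 6238 TOTP built on RFC 4226 HOTP. The shared secret is the published RFC test key, used here only so the output can be checked against the RFC's own vectors; the verifier accepts one 30-second step of clock drift and returns the matched counter so the caller can store it and refuse a replayed code.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); never reuse a published key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the Unix time in 'step'-second intervals."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, submitted, now=None, last_counter=-1, step=30, digits=6, window=1):
    """Return the counter that matched, or None.

    Accepts codes within +/- 'window' steps to tolerate clock drift, compares in constant
    time, and refuses any counter at or below 'last_counter' so an accepted code cannot
    be replayed inside its validity window.
    """
    now = time.time() if now is None else now
    counter = int(now) // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Generate a code for "now" and verify it, as an authenticator app and a server would.
    code = totp(RFC_TEST_SECRET, time.time())
    print("current code:", code, "-> accepted at counter", verify_totp(RFC_TEST_SECRET, code))
```

The second factor here is possession of the secret stored in the user's device, which a stolen password does not give an attacker. It is still not phishing-proof: a user can be tricked into typing the six digits into a fake login page that relays them within the 30-second window, which is why hardware security keys bound to the real site's origin are the stronger choice for high-value accounts.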
3. Never Rely on a Single Email Communication.
This is especially true when bank account details are being changed or other financial transactions are being requested. Before acting, pull up a known-good contact list and call the sender to verify the request. Do not use a phone number taken from the suspicious email chain; an attacker will happily answer it and confirm their own request. Skipping that call could cost your business thousands, or perhaps hundreds of thousands, of dollars.
Whether you are an employee handling company email or a customer dealing with other customers, it pays to stay focused when working with email and other forms of communication. Just as it isn't safe to drive a car distracted, it is dangerous to get distracted when dealing with company-related and personal email. Distracted users miss the telltale signs described above, fail to notice misspelled email domains, or click on dangerous links that lead to malware infections. Creating a culture of cyber security in your business, with ongoing education and reminders to keep employees focused, will help keep attackers from gaining access to your sensitive data and financial assets.
Kevin Smallen, MS, CISSP, ITIL-F, is PenChecks Trust's Chief Information Security Officer (CISO) and has more than three decades of experience in the field of information technology as a consultant and in-house manager for many companies. A well-rounded security specialist, his background includes hands-on experience in technical management, systems architecture, program and project management, network design and deployment, and ITIL (Information Technology Infrastructure Library) and SDLC (Software Development Life Cycle) methodologies. Kevin holds an MS in Cybersecurity from Liberty University.