
How to Fight Back Against Social Engineering Hackers

Mar 23, 2022

By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

Have you or your business fallen victim to a social engineering scam? Are you concerned about having sensitive client data stolen from your computer network by a cyber hacker? If so, you’re not alone, as cyber security has become an ever-growing threat to individuals and companies around the globe.

In the social sciences arena, social engineering is defined as “the use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society.” In the context of information security it has a darker, more ominous meaning – the use of deception to trick individuals into providing access to personal or confidential information that could be used for fraudulent purposes.

The weakest link in an organization’s battle against social engineering has always been the end-user. Cyber attackers can use a wide variety of tactics to entrap unaware or distracted employees. These include email-based techniques like spam and Business Email Compromise (BEC); phishing techniques like spear-phishing, angler phishing, and whaling; and pharming, scareware, access tailgating, baiting, DNS spoofing, pretexting, and more.

The number of attack types used by the bad guys can seem insurmountable, and they’re always adding new twists to existing techniques and coming up with new ones. Recently there has been an uptick in the simplest of exploits – domain impersonation – in which an attacker changes a company domain by one or two letters.

For example, a hacker looking to impersonate a company like “PenChecks.com” might purchase a closely related domain name such as “PenCheck.com.” They would then tie their fake email systems to the new domain. By using a real name and email thread, the attacker hopes the intended victim won’t notice the slight difference in the domain and will follow up on the request coming from their supposed contact, perhaps a customer, partner, or vendor.
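The lookalike-domain pattern described above can be checked mechanically, at the mail gateway or in a triage script, before anyone acts on a request. The following Python is an added example, not PenChecks’ code: the trusted-domain list, the sample From: headers, the confusable-character table and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Flag sender domains that look like, but are not, domains you trust.

Added example (not PenChecks' code). The trusted list, the sample From:
headers, the confusable table and the distance threshold are constructed.
"""
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list: domains this organisation actually corresponds with.
TRUSTED_DOMAINS = ("penchecks.com", "examplebank.com")

# Character sequences that read alike in common fonts; folded before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed From: header values standing in for a mailbox or gateway log.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@penchecks.com>",               # genuine
    "Jane Doe <jane.doe@pencheck.com>",                # one letter dropped
    "Accounts Payable <ap@exarnplebank.com>",          # 'rn' masquerading as 'm'
    "Support <help@penchecks.com.evil-example.test>",  # trusted name buried in another domain
    "IT Helpdesk <it@mail.penchecks.com>",             # real subdomain of a trusted domain
    "Bob <bob@unrelated-example.org>",                 # simply unknown
]


def fold_confusables(text: str) -> str:
    """Collapse look-alike sequences so 'exarnple' compares equal to 'example'."""
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> Optional[str]:
    """Domain part of a From: header value, lower-cased; None if there is no address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify(domain: Optional[str], trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Verdict for one sender domain: 'trusted', 'subdomain-of-trusted',
    'lookalike:...' (verify out of band before acting), 'unknown' or 'no-address'."""
    if domain is None:
        return "no-address"
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if domain.endswith("." + t):
            return "subdomain-of-trusted"
    folded = fold_confusables(domain)
    for t in trusted:
        if t in domain:  # e.g. penchecks.com.evil-example.test
            return f"lookalike:embeds:{t}"
        dist = levenshtein(folded, fold_confusables(t))
        if dist <= max_distance:  # pencheck.com -> 1, exarnplebank.com -> 0 after folding
            return f"lookalike:distance={dist}:{t}"
    return "unknown"


def scan_headers(headers, trusted=TRUSTED_DOMAINS):
    """Return (header, domain, verdict) for each From: value; anything not
    'trusted' should trigger the out-of-band phone check before money moves."""
    results = []
    for h in headers:
        d = sender_domain(h)
        results.append((h, d, classify(d, trusted)))
    return results


if __name__ == "__main__":
    for header, domain, verdict in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:40s} {domain}")
```

Two caveats on the design: an edit-distance threshold of 2 is reasonable for domains of this length but will over-flag very short names, so tune it per list; and the confusable table covers ASCII tricks only, so internationalised (punycode) domains need an extra normalisation step before comparison. The verdict is a triage signal, not a decision: anything other than "trusted" is exactly the case where the phone call to a known-good number applies.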

Repelling Targeted Attacks

How can you defend against this onslaught of targeted attacks on your user population? Start by making these three strategies standard operating procedure throughout your business.

1. Trust No One, Verify All.

Train all users to follow this strict mantra when dealing with sensitive information or actions concerning any types of money transfers, bank account changes, or routing adjustments in emails. These days, hackers can make incoming emails look like legitimate communications from clients and companies you do business with. Never assume an email is legit.

2. Always Use “Second Factor” Authentication.

Passwords alone are no longer enough to verify someone’s identity. Second factor authentication (2FA) provides a higher level of security by requiring a second form of identification after the password is entered. This could consist of a personal identification number (PIN), the answer to a question, your fingerprint, and more.

3. Never Rely on a Single Email Communication.

This is especially true when bank changes and other financial transactions are being made. If all else fails, pull up a reliable contact list and call the sender for verification. Do not pull a phone number from any suspicious email chain. Doing so could cost your business thousands or perhaps hundreds of thousands of dollars.

As a user or a customer dealing with other customers, it pays to stay focused when working with company emails and other forms of communication. Just as it isn’t safe to drive a car distracted, it is dangerous to get distracted when dealing with company-related and personal emails. Distracted users can miss the telltale signs demonstrated above, fail to notice email domain misspellings, or click on dangerous links that lead to malware infections. Creating a culture of cyber security in your business, with ongoing education and reminders to keep employees focused, will help keep hackers from gaining access to your sensitive data and/or financial assets.


Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer (CISO) and has more than three decades of experience in the field of information technology as a consultant and in-house manager for many companies. A well-rounded security specialist, his background includes hands-on experience in technical management, systems architecture, program and project management, network design and deployment, and ITIL (Information Technology Infrastructure Library) and SDLC (Software Development Life Cycle) methodologies. Kevin holds an MS in Cybersecurity from Liberty University.


PTCA-2022016
