Hackers understand that employees are often the weakest link in an organization’s security. That’s why 98% of cyber attacks rely on some type of social engineering, costing companies billions of dollars every year.

Vishing. Baiting. Pretexting. Are you familiar with these new cybercriminal techniques that can leverage ANY connected employee to breach your security?

As an increasing number of employees are forced to work remotely during the COVID-19 crisis, IT networks have become even more vulnerable to cyber-attack, especially when users connect over unsecured Wi-Fi and/or home networks with their personal devices.

In addition to raising awareness about new security threats for your employees, we’ve included 8 tips to help teleworkers (and any connected employees) improve security. You’ll also see recommendations on how ongoing Cyber Security Awareness Training is crucial to a strong defense.

While users are regularly encouraged to keep their anti-virus definitions and software up-to-date, 6% of users NEVER receive any type of security awareness training, while another 33% receive it only once per year or when they join the company.

Every employee should also become familiar with the latest phishing and ransomware strategies to prevent becoming that weak link.

The Basics of Social Engineering

From an IT Security perspective, the term “social engineering” refers to cybercriminals using any number of psychological tricks to get users to perform actions (click on an email or link) or divulge personal or confidential information.

While technical hackers seek vulnerabilities in the networks or software, social engineering cybercriminals exploit an end user’s tendency to trust.

The most common types include:


Phishing (or Spear Phishing)

Phishing is the most common type of social engineering attack. Hackers pose as a trusted source (a friend, boss, colleague, bank official, government agency, etc.) and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data.

The cybercriminal may obtain your email address from a compromised email account or web directory and then go “phishing,” sending general emails to everyone, or go “spear phishing,” personalizing an email for just you. The email will contain:

A link that you just have to click on, taking you to a website that asks for your personal information and/or automatically downloads malware
An attachment of pictures, music, movie, document, etc., that has malicious software embedded.

Vishing

Another type of phishing, using voice instead of text. The cybercriminal recreates an IVR (Interactive Voice Response) system of a trusted company, attaches it to a toll-free number and tricks you into responding to the cell phone prompts with your personal information.


Pretexting

Pretexting is a social engineering technique of presenting oneself as someone else in a fictional situation in order to obtain private information.

This may be another phishing exploit, or use baiting techniques, but it’s all about developing a believable story, which may include:

Urgent request for help. Your ’friend’ is stuck in another country and needs money to get home or to pay a fine. Or the CEO sends an email titled “URGENT!!!!!,” with a message containing spelling mistakes.
Ask you to donate to a fundraiser, or some other cause. Disaster relief, political campaign, or charity needs money and/or your personal information to keep you informed.
Notify you that you’re a ‘winner.’ This phishing attack claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to receive your “prize” you will need to provide your bank routing number along with other details to steal your identity.
Pose as tech support or other professional. Also considered a “Quid Pro Quo” attack, the cyber-criminal is responding to an issue, and requests information, and/or a download of a scanner (malicious software) to scan your system. The criminal may be quite helpful and provide productivity tips while stealing your identity.

One form of pretexting, called Business E-Mail Compromise (BEC), uses a variety of tactics to con the company into wiring funds. The cybercriminal group likely gains access through spear-phishing and/or malware, and then spends weeks or months discovering the organization’s billing process, vendor payments, and the CEO’s email style and travel schedule.

Then, when the CEO is out of office, the scammers send a targeted email posing as the CEO to the finance officer (bookkeeper, accountant, controller, or CFO) requesting an immediate wire transfer. The vendor will sound familiar though the account numbers will be slightly different.

If undetected, the initial and subsequent requests will cost the company thousands if not hundreds of thousands of dollars.


Baiting

This type of social engineering scheme dangles malicious devices inside a seemingly harmless carrier, hoping someone will “take the bait.”

These schemes are often found on Peer-to-Peer sites offering a recent movie, or music to download, but they’re also found on social networking sites, job posting sites, online auctions and e-commerce sites.

Other types of social engineering may include creating distrust, or starting conflicts by altering private or corporate communications.

There are literally thousands of variations to social engineering attacks, limited only by the criminal’s imagination.

I’ve found that using the term “Zero Trust” can feel wrong in organizations that encourage trust and teamwork. The reality is that the Cyber Criminal element that exists outside of our organizations is trying to do everything they can to LOOK LIKE and ACT LIKE they are part of our organization. Personally, I tell each employee to use a second secure channel (known phone, text, or secure messaging) to confirm anything related to security or finance that comes from me electronically (which could be email, text, or other means).

– Alan McDonald, CEO AllConnected

8 Tips for Adopting Zero Trust:

In IT-speak, “hardening” is the process of securing a system by reducing its surface of vulnerability. Protection is provided in layers and each level requires a unique method of security.

For your organization, AllConnected recommends Cisco Umbrella as your personal firewall, blocking all known phishing and ransomware coming in, and DNS checking to block malicious software and links going out.

To authenticate with that network, we recommend the Cisco Duo Multi-Factor Authentication (MFA) application, which provides effective personal security.

Cisco Advanced Malware Protection (AMP) provides global threat intelligence, advanced sandboxing, and real-time malware scanning and blocking to prevent breaches.

Then for your personal social engineering, we recommend a “zero trust” policy. Don’t assume any email or link inside or outside your organization is okay. Verify everything.

1. Slow down. Be suspicious of any unsolicited messages, especially ones with strong CTA (calls to action). Cybercriminals want you to act first and think later. Don’t rush when you receive a message that conveys urgency or uses high-pressure sales tactics.

2. Verify the sender. Is the sender someone you know? Does the email address match the name? Do the domain and suffix (.com, .net, .org) match the company?

3. Distrust attachments. Call email senders to verify if they sent you something with an attachment before opening.

4. Find your own links. Instead of automatically clicking on the links in the email, use your search engine to find the website, especially if the email comes from financial institutions (banks, PayPal, Venmo, etc.).

5. Beware of any download. Unless you know the sender personally AND expect a file from them, don’t download anything.

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone, don’t rely on e-mail alone.

– FBI Special Agent Martin Licciardo

6. Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.

7. Reject unsolicited requests for help, foreign offers or offers of help. Legitimate companies and organizations do not contact you to provide help. Offers to ’help’ restore credit scores, refinance a home, answer your question, etc., are scams. Similarly, requests from charities you don’t have a relationship with are scams.

8. Two-Factor your Fund Transfers. To prevent Business E-Mail Compromise (BEC) schemes, establish a voice-to-voice confirmation policy for all fund transfer requests. Use a previously designated phone number, not the number provided in the email request. Verify changes in vendor payment location by adding additional two-factor authentication such as having secondary sign-off by company personnel.
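
The questions in tip 2 (does the address match the name, do the domain and suffix match the company) can also be checked automatically on a message's From header. The sketch below is an added example, not part of the original article; the directory entry, the example.com domain and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory for this example: display name -> address on file.
KNOWN_SENDERS = {"Dana Reyes": "dana.reyes@example.com"}
COMPANY_DOMAIN = "example.com"  # placeholder company domain (assumption)
LOOKALIKE_THRESHOLD = 0.8       # assumed cut-off for "closely resembles"


def check_sender(from_header):
    """Return a list of warnings for a raw From: header value.

    Only mismatches are flagged; an unknown sender from an unrelated
    domain yields no warning and still needs the human checks above.
    """
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["no usable address in From header"]
    warnings = []
    domain = address.rsplit("@", 1)[1].lower()

    # Tip 2: does the email address match the name?
    on_file = KNOWN_SENDERS.get(display.strip())
    if on_file and on_file.lower() != address.lower():
        warnings.append(f"name '{display}' is on file as {on_file}, not {address}")

    # Tip 2: do the domain and suffix match the company?
    if domain != COMPANY_DOMAIN:
        name, _, suffix = domain.rpartition(".")
        co_name, _, co_suffix = COMPANY_DOMAIN.rpartition(".")
        if name == co_name and suffix != co_suffix:
            warnings.append(f"suffix .{suffix} differs from company suffix .{co_suffix}")
        elif SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= LOOKALIKE_THRESHOLD:
            warnings.append(f"domain {domain} closely resembles {COMPANY_DOMAIN}")
    return warnings


if __name__ == "__main__":
    # Constructed From headers: one genuine, two impersonations.
    for header in ("Dana Reyes <dana.reyes@example.com>",
                   "Dana Reyes <dana.reyes@example.net>",
                   "Dana Reyes <dana.reyes@examp1e.com>"):
        print(header, "->", check_sender(header) or "no warnings")
```

A warning here is a reason to confirm through a second channel, as tips 3 and 8 describe, not a verdict on its own.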

Hardening Your OS

Consider desktop virtualization. AllConnected recommends Windows Remote Desktop Services (RDS) or Citrix to protect your applications.
Back up your files, frequently and automatically!
Disable unneeded services. (CryptoLocker often targeted machines using Remote Desktop Protocol. If you don’t use RDP, disable it)
Keep Anti-Virus up-to-date. And run scans periodically.
Maintain Supported Apps Only. Get rid of “abandonware” and replace it with software still being supported by the manufacturer.
Apply the latest updates to your OS and apps. Set your operating system to automatically update. Software providers frequently send updates to patch vulnerabilities in their software, which also lets cybercriminals know which vulnerabilities to exploit. Don’t be the one left unprotected.
Set your spam filters to high. Every email program has spam filters. Set yours high and use it as a line of defense. You can always “restore” or white list legitimate emails after you have verified their source.
Show Hidden Files. In Advanced Settings in your folder options, select “Show hidden files, folders and extensions” so executables can’t be disguised as other file types.
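
To see why the "Show hidden files, folders and extensions" setting matters, the sketch below lists files whose real extension is executable but whose name, with the final extension hidden, reads as a document or media file. It is an added example, not part of the original article; the two extension lists and the sample filenames are constructed for illustration and are not exhaustive.

```python
import os

# Constructed short lists for this example (assumptions, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
              ".jpg", ".png", ".mp3", ".mp4", ".txt"}


def name_with_extension_hidden(filename):
    """The name a user sees when the final extension is not displayed."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_disguised_executable(filename):
    """True when hiding the extension makes an executable look like a document."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    # The part left on screen ends in its own, harmless-looking extension.
    inner_ext = os.path.splitext(stem)[1].lower()
    return inner_ext in DECOY_EXTS


def audit(filenames):
    """Return (real name, name as displayed) for every disguised executable."""
    return [(f, name_with_extension_hidden(f))
            for f in filenames if is_disguised_executable(f)]


if __name__ == "__main__":
    # Constructed download-folder listing.
    sample = ["invoice.pdf.exe", "holiday.jpg", "setup.exe", "Q3-report.xlsx.SCR"]
    for real, shown in audit(sample):
        print(f"{real!r} would be displayed as {shown!r}")
```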

Are you interested in an ongoing program to regularly test and train your employees to ensure they develop a Zero Trust mindset? AllConnected can assist your organization in testing the ‘cyberattack readiness’ of your end-users, launching simulated attacks, and determining the best areas to focus on for end-user training. Get in touch with us using the form below.