In our ever-evolving society, organisations are becoming increasingly reliant on online operations, leaving them more vulnerable to cyber threats than ever before.
One of the threats becoming more prominent to organisations are social engineering attacks, such as phishing, vishing, spear phishing and whaling.
While these attacks vary in level of complexity, the basic premise involves impersonating someone else via email, telephone or website in order to trick someone into giving them their personal information.
To protect yourself from such attacks, it’s important to know what to look out for.
What is a Phishing Attack?
A phishing attack is one of the most common attack methods users are likely to face and involve someone impersonating another of importance to gain insight and personal information for malicious gain.
Vishing is phishing via a VoIP service which can involve caller ID spoofing for a phone call from a ‘reputable company’ such as Amazon, PayPal, Microsoft Support or a local supplier such as gas, electricity or even the tax office.
Importantly, many vishing attempts will also be tied to a current affair, for example around the time a national census is occurring a malicious attacker may contact a victim posing as a census official. If successful, the data the attacker may receive would be a treasure trove.
Spear Phishing (Social Hacking)
Spear phishing involves the attacker directly targeting a specific organisation or person within an organisation with tailored emails containing personalised information to increase their probability of a successful attack. This is called whaling when targeting CEO’s or Executives controlling payments.
Commonly targeted user information in an attack
It is much easier to access a system with authority rather than trying to break into it, for example obtaining a user’s details such as a username and password.
Most password recovery systems require the user to answer several personal questions in order to reset a password, such as ‘what is your mother’s maiden name’. Through carefully constructed questions, a good ‘phisher’ should be able to obtain answers to these questions and use this information to gain access to particular systems. All too commonly, people will use the same email address and password combination for multiple systems, allowing for a multifaceted breach.
Another way an attacker may seek to gain personal information is by using confidential company information. Harvesting details such as mergers and acquisitions, management and personnel make it easier to contact unsuspecting targets. For example “your manager ‘x’ asked me to contact you about the current merger…”
Why are these attacks so “successful”?
Social engineering attacks have been “successful” because they invoke an emotional response in the recipient. Words such as “urgent response required” or “change your password now or your account will be closed” trigger a sense of urgency and can lower the recipient’s guard.
By masquerading as a trusted entity or person, victims may also believe they are passing over sensitive information for a legitimate reason such as to a Helpdesk staff member to assist them with ‘troubleshooting or account verification’
It’s not just about you, it’s about someone else
If you are part of a large organisation, it is not uncommon that phishing can be used casually to gain information to build a profile and possibly use some of the data to either access a system or further impersonate whaling to start sending fake invoices to the Company.
Protecting yourself against attack
We all have off days, and this is exactly what ‘phishers’ rely on for a successful attack. In order to protect yourself and your organisation, there are a few simple steps you can follow;
- Verify suspicious emails with a colleague or IT Professional
- Using an text-based or authenticator app two factor authentication (2FA) process to login will add a protective layer of security to your data. (Even if they gain access to your user name and password, they won’t have your mobile phone.)
- Keep your system’s operating system, browser and antivirus up to date. Modern browsers will have alerts for insecure, unsafe or known malicious sites. Having a cloud-based mail filter (SEG) is highly recommended. Reputable filters will detect and quarantine many suspected phishing and impersonation emails.
- Type in any URL’s yourself, DO NOT click on links sent to you. Ever.
- Beware of certain social cues and requests for example anything which is marked as “urgent” around payments or sending personal details such as passwords. Banks do not email you for your password; nor do they ring you up for it.
- Verify the person on the other side of the email or phone. This is very important, especially if you are contacted for payment or information. Confirm the caller by calling them back on a verified phone number. Check their email address carefully.
While a very real threat, cyber security is an issue that you can control with the correct systems, processes and procedures in place. The specialist cyber security team at RSM have a wealth of knowledge and are on hand to assist you with all your IT protection needs.
Author: Michael Palermo – Principal (IT Consulting), RSM.
Michael assists his clients to develop, use and integrate IT systems. His aim is to take the hassle out of resolving technical problems, provide solutions for users to maximise the value of technology and streamline their IT processes.
RSM is a sponsor of Startup News.