Cybersecurity threats are a real problem for businesses of all sizes, and patching the vulnerabilities in your company's software is only part of the job. You also have to worry about social engineering. Where a technical attacker breaks in by exploiting software, a social engineer uses psychological persuasion to get an employee to hand over data. That means your employees could be giving login credentials and other sensitive information to an attacker without ever realizing it.
In engagements run by Social-Engineer.org, 90% of the individuals tested provided the spelling of their name and their email address without confirming the requester's identity, and 67% gave out employee identification numbers, Social Security numbers, or birth dates.
It is unsettling that any one of your employees could contribute to a breach without any malicious intent. That is where penetration tests (pen tests) come in. By engaging penetration testers to run authorized social engineering attempts, you can find out which approaches your staff fall for in a safe setting, and then use those results to train employees and reduce the risk of a real scam succeeding. Consider these scams that employees commonly fall for and that you should be testing for in your company.
Phishing is the most common social engineering scam. The attacker sends an employee an email that appears to come from a legitimate sender, such as a bank, a coworker, or a business partner. The email may ask the recipient to "verify" sensitive data such as an account number or password, or it may carry an attachment that installs malware when opened.
Other signs of phishing include mismatched URLs (the link text shows one address, but the underlying link points somewhere else; hovering over the link reveals the real destination) and an artificial sense of urgency. No legitimate company will ask for a username or password by email, so the safest response is to report and delete such messages, especially when they come from an unrecognized sender.
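The mismatched-URL sign described above can be checked mechanically. The following Python script is an added example, not code from the original article: it parses the anchors in an HTML email body, extracts any host name that appears in the visible link text, and flags links whose actual destination host does not match what the text shows. The sample email, the `example-bank.com` and `secure-verify.net` names, and the "last two labels" approximation of a registrable domain are all constructed assumptions for the demo; a production check would use the Public Suffix List instead of that shortcut.

```python
"""Flag anchor tags whose visible text shows one host but whose href
points at a different host (the 'mismatched URL' phishing sign).

Added example for illustration; the sample email below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside the visible link text.
_HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumption for the
    demo; real code should consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_from_text(text):
    """Return the host shown in the visible text, or None if there is none."""
    m = _HOST_RE.search(text)
    return m.group(1) if m else None


def find_mismatched_links(html):
    """Return a list of findings for links whose shown host != real host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_from_text(text)
        if shown is None:
            continue  # "Click here" gives the reader nothing to compare
        parsed = urlparse(href)
        if parsed.scheme == "mailto":
            actual = parsed.path.rpartition("@")[2]  # domain after the @
        else:
            actual = parsed.hostname or ""
        if registrable(shown) != registrable(actual):
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "actual_host": actual})
    return findings


# Constructed sample: one classic mismatch plus three links that are fine.
SAMPLE_EMAIL = """
<p>Your account will be locked in 24 hours. Log in now at
<a href="https://login.example-bank.com.secure-verify.net/session">www.example-bank.com/login</a>
to keep access.</p>
<p>Need help? <a href="https://www.example-bank.com/help">https://example-bank.com/help</a>
or <a href="mailto:support@example-bank.com">support@example-bank.com</a>.</p>
<p><a href="https://www.example-bank.com/unsubscribe">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text shows {f['shown_host']} but link goes to {f['actual_host']}")
```

Running it reports only the first link: the text shows `www.example-bank.com`, but the real destination is a host under `secure-verify.net` that merely begins with the bank's name. The help and support links resolve to the same registrable domain as their text and are not flagged, and "Click here" is skipped because it shows the reader no host to compare against.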
Pretexting occurs when a scammer invents a scenario to extract information. The scam relies on building trust with the victim, and it commonly happens over the phone. For example, the caller might pose as one of the business's vendors and talk an employee into reading out the company credit card details. They might also pose as a security software firm, persuade the employee to grant remote access to their computer, and then install malware on it.
Baiting uses an enticing offer, often delivered through physical media, to get someone to give up information or run malicious code. Online, this might mean luring victims with a free movie download that asks them to sign in with credentials they use on another site. Baiting also happens with media such as USB sticks: an attacker leaves a malware-laden USB drive somewhere it will be found, such as the parking lot. A curious employee picks it up and plugs it into their computer, and the malware runs and can spread into the company's network.
Tailgating, or "piggybacking," occurs when someone gets into your premises by riding on another person's authorized access and playing on their courtesy. For example, the attacker might befriend an employee to get into the building, or pose as a delivery person or a coworker and slip through a locked door when an authorized employee opens it. This is a fairly easy scam to pull off in companies without strict physical security procedures.
Knowing these common social engineering scams lets you design penetration tests around them and get a clearer picture of where your company's weaknesses really lie.