When we think of online scams, for most of us, several images come to mind: Nigerian Princes who need us to make a transfer so that we can become millionaires, websites offering gifts for being their millionth visitor, and so on.
However, things have become so much more sophisticated. Not just because the methods used to con people are more complex in terms of how they can be detected, but also because thieves have learnt a vital lesson: their largest source of wealth isn’t isolated users, but the companies in which these users work. This is why the workplace has become their ideal target.
Types of social engineering attacks
These days, the trick doesn’t necessarily lie in getting a virus onto someone else’s computer. Instead, the aim is to get the users themselves to do the dirty work. This is what’s known as social engineering, a method by which a criminal will use us to carry out an action which will severely compromise our company’s IT security.
Broadly speaking, there are several types:
1.- Tech support. This has been one of the more frequent scams in recent years. Whether it’s via an email, a suspicious website, or even a phone call, we’ll receive a warning that something in our software or operating system has gone wrong, and that we need to get in touch with tech support ASAP. Time is the key element in this scam: if the criminal pulls it off well, they’ll manage to convince you that the longer it takes you to apply the solution, the worse it’ll be for your company. Once you contact them, there will be a vast array of possible cons: installing malicious software, providing credit card details, sharing confidential information about the company, to name but a few. If the employee complies, the scam will have begun.
This is a big deal. According to a study by Microsoft, tech support scams are the most frequent and most dangerous type of scam. In fact, in 2017, Microsoft received complaints from 153,000 users reporting this type of scam, 24% more than the previous year. What’s more, these complaints came from 183 different countries, which paints a dangerous picture of a scam which is happening at a global level.
2.- Software update. This is similar to the tech support scam, but in this case it almost always comes from a website. We’ll come across a banner telling us about a problem with our browser or operating system: a virus has been detected, you need to download the latest version of flash, and so on. If we click on these banners, we’ll end up installing malicious software on our computer.
3.- Identity theft. This one is especially common via email: we get an email which is supposedly from someone in the office (a boss, a workmate…) or someone high up in the company who we really shouldn’t ignore. If we fall into their trap, we’ll be tricked into installing software or giving out personal, financial or corporate information.
What to do to avoid this.
The worst thing about these attacks is that they don’t affect just the user: if these attacks are carried out in the workplace, the cybersecurity of the whole company will be in serious trouble. This is why it’s a good idea to take measures to avoid possible vulnerabilities.
1.- Employee awareness. Many employees tend to think that any possible scams will target the very core of the company. However, it’s precisely the lowest links in a company which are the weakest. Every company must make sure their employees are aware that they too are vulnerable.
2.- Some keys. If an employee gets an email that seems to be from the company’s corporate email address, are they sure that it really is? If the company’s name contains the letter ‘l’, have they checked that it hasn’t been swapped for a capital ’i’ to throw them off? If the warning is coming from a website, have they wondered why something like this would pop up in their browser? If they get a phone call, why would they get this call on their personal mobile? These kinds of tips won’t keep us completely secure, but they can be useful.
3.- It’s better to be suspicious. If in doubt, it’s better to be suspicious of everything, rather than putting a company’s cybersecurity at risk. If an employee has any kind of doubts, the best thing to do is to reach out to someone in charge to check the information before doing anything.
4.- Threat detection technology. With the human side of the problem solved, the technological problem also needs to be solved. To do so, companies need EDR (Endpoint Detection and Response) technologies, which will identify and predict possible threats, acting on them in the case of any danger. It’s what Panda Adaptive Defense 360 does, which, when faced with any threat, blocks every kind of danger or malicious software before it can be installed as a consequence of this type of scam.