Why Avast Warn of Social Engineering in Cybersecurity
Amidst organisations' focus on firewalls, AI-attacks, intrusion detection systems, and complex network security strategies, one crucial endpoint is often overlooked: the human element.
The report sheds light on this critical vulnerability, revealing that a staggering 90% of cyberthreats currently rely on a single tactic – social engineering – to exploit human psychology and gain access to sensitive information or systems.
With people being the weakest link in the security chain, this highlights the need for organisations to prioritise employee awareness and training to stay secure.
Here’s a look at the most common attacks and how to defend against them
Phishing
Most people are now thankfully familiar with the concept of phishing emails that attempt to trick recipients into clicking malicious links or downloading infected attachments. Yet, many have gone beyond the comically far-fetched days of being a prince low on credit. These emails now masquerade as legitimate sources, such as banks, credit card companies, or even internal company communications.
Defence: Train employees to be cautious of unsolicited emails and to verify senders by checking email addresses carefully (not just display names) and scrutinise links before clicking them or opening any attachments.
Pretexting
Pretexting involves creating a fabricated scenario to gain a victim's trust and extract information. Attackers might pose as IT support personnel seeking login credentials to "resolve an issue" or impersonate a colleague in need of urgent assistance.
Defence: Implement clear protocols for employee interaction with external parties to verify requests through established channels, such as internal ticketing systems or phone numbers obtained from official sources.
Quid pro quo
Quid pro quo is when the link willingly offers to work in doing something for the would-be hacker for a seemingly beneficial exchange, like free software downloads or even fake job opportunities in exchange for login credentials or financial information.
Defence: Educate employees about the dangers of unsolicited offers. Emphasise the importance of verifying the legitimacy of promotions and downloads before engaging or seeking approval for software installs.
Baiting
Attackers might leave infected USB drives in strategic locations or send messages with intriguing subject lines to pique the victim's interest and ultimately lead them to click on a malicious link or download infected content.
Defence: Implement clear policies on handling unknown or unsolicited physical media. Train staff to be wary of clicking on suspicious links or opening unknown attachments, regardless of the perceived benefit.
Vishing
Vishing attacks utilise phone calls to impersonate legitimate organisations, such as banks or credit card companies, to get victims to reveal personal information or financial details by creating a sense of urgency.
Defence: Train employees to be cautious of unsolicited phone calls, especially those requesting personal information or financial details. Encourage verifying the caller's identity through established channels before engaging.
Smishing
Smishing leverages SMS text messages to deliver phishing attempts to trick victims into clicking on malicious links or downloading infected attachments.
Defence: Train employees to be cautious of unsolicited text messages, especially those with a sense of urgency or requesting personal information.
Watering hole attacks
Watering hole attacks target specific groups of users by compromising websites they frequent. When users visit the compromised website, their devices become vulnerable to infection.
Defence: Organisations should educate employees about watering hole attacks and the importance of practising safe browsing habits. This includes being cautious of unexpected downloads or prompts to update software on unfamiliar websites.
Despite these threats being different, the commonality they share mean organisations can implement some principles that can keep their employees acting with best practice:
- Promote a culture of security awareness
- Implement best practice like password policies; look before click
- Stay up-to-date on threats and circulate around organisation
- Foster culture of reporting suspicious activity
Although Social engineering is a constant threat, by empowering employees with knowledge and implementing appropriate security measures, organisations can significantly strengthen their weakest link and avoid the risk of their employee falling victim to these manipulative tactics, and potentially stop a wider breach.
******
Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
******
Cyber Magazine is a BizClik brand
