Phishing

A classic example is the tech support scam, and it comes in many varieties and levels of sophistication.

Over the past few years online service providers have been proactively messaging customers when they detect unusual activity on their users' accounts. Not surprisingly, cybercriminals have used this trend to their advantage. Many of these emails are poorly designed, with bad grammar and similar tells, but others look legitimate enough that someone who isn't paying close attention will click.

Consider this fake PayPal security notice warning potential marks of "unusual log in activity" on their accounts:

Hovering over the links would be a dead giveaway that this is a phishing email, but enough targeted users click without thinking and scams like this continue. 
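One way to automate the "hover over the link" check described above, as an added example that is not KnowBe4's code: parse the HTML body and flag every anchor whose visible text is itself a URL, but whose real href points at a different registered domain. The sample message and the look-alike domain in it are constructed for this illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fake "unusual log in activity" notice; the look-alike domain is a placeholder.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypal.com>
Subject: Unusual log in activity on your account
Content-Type: text/html

<html><body>
<p><a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(value):
    """'https://www.paypal.com/x' or 'www.paypal.com' -> 'paypal.com'.
    Simplification: the public suffix list (e.g. co.uk) is ignored."""
    host = urlparse(value if "://" in value else "http://" + value).hostname
    return ".".join((host or "").lower().split(".")[-2:])

def find_deceptive_links(raw_message):
    """Automated 'hover check': return hrefs whose visible text is itself a
    URL pointing at a different registered domain than the real target."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    flagged = []
    for href, text in collector.links:
        shown_as_url = "://" in text or text.lower().startswith("www.")
        if shown_as_url and registered_domain(text) != registered_domain(href):
            flagged.append(href)
    return flagged
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags only the first link; "Help Center" is plain text, so it is left alone even though it is a link.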

Spear Phishing

In a spear phishing attack, threat actors use a deep knowledge of the potential victims to target them, and that approach allows them to tailor the attack. These emails are more convincing and harder to detect than regular phishing emails. The attacker knows exactly who and what they're targeting.

Unlike mass phishing emails which may be attempting to distribute ransomware or gather individual login credentials to make a quick buck, spear phishers are normally after confidential information, business secrets, etc.

CEO Fraud

Here's an example of a CEO fraud attempt targeted at a KnowBe4 customer. She received an email from an individual purporting to be the president of the company. The employee initially responded, then remembered her training and reported the email via our Phish Alert Button, alerting her IT department to the fraud attempt.

When the employee failed to proceed with the wire transfer, she got another email from the threat actors, who probably thought they had her fooled:

Because this employee had gone through proper security awareness training, she was able to keep her company out of the headlines. This was a close call though, and not everyone is that lucky!

Social Media

Cybercriminals create bogus profiles on social media and try to trick you. They will impersonate a celebrity they already know you like a lot, or one of your friends or colleagues. These profiles look very much like the real thing, and it’s easy to get tricked.

Let’s say you were tricked into believing a bogus Social Network profile. The next step is that they try to make you click on a link or install malicious software, often something to watch a video or review photos. If you click, or do that install, it’s highly likely you will infect your desktop with malware that allows the attacker to take over your PC.

Preventing social engineering attacks

We've pulled together some resources to help you defend against social engineering attacks. A good place to start is to ensure you have all levels of defense in depth in place. Keep reading below to find out how you can make yourself a hard target, get additional content for yourself and your users, and stay up to date with social engineering in the news via our blog.

Social engineering attacks, including ransomware, business email compromise and phishing, are problems that can never be solved, but rather only managed via a continued focus on security awareness training. Watch this video interview with Stu Sjouwerman as he explains why this is an ongoing problem and the steps required to manage it: 

  • Start with a baseline phishing security test to assess your organization's baseline Phish-prone™ percentage
  • Step users through interactive, new-school security awareness training
  • Run frequent simulated social engineering tests to keep users on their toes with security top of mind

10 Ways To Make Your Organization A Hard Target 

  • With any ransomware infection, nuke the infected machine from orbit and re-image from bare metal
  • Get Secure Email Gateway and Web Gateways that cover URL filtering and make sure they are tuned correctly
  • Make sure your endpoints are patched religiously, OS and 3rd Party Apps. Test the Flexera Personal Software Inspector on your workstation
  • Make sure your endpoints and web gateway have next-gen, frequently updated (a few hours or shorter) security layers, but don’t rely on them
  • Identify users that handle sensitive information and enforce multi-factor authentication for them
  • Review your internal security policies and procedures, specifically related to financial transactions to prevent CEO fraud
  • Check your firewall configuration and make sure no criminal network traffic is allowed out to C&C servers
  • Leverage new-school security awareness training, which includes frequent social engineering tests using multiple channels, not just email
  • You need to have weapons-grade backups in place
  • Work on your security budget to show it is increasingly based on measurable risk reduction, and try to eliminate overspending on point-solutions targeted at one threat-or-another
