How to Protect SMBs Against Phishing Attacks via Social Engineering

Tuesday, November 06, 2018

Timur Kovalev


Social engineering and artificial intelligence (AI) are bringing about a new golden age of hacking for criminals. They are capitalizing on common online habits of everyday people to tempt them to click on or install harmful applications – in the guise of browser extensions, clickbait and more – each specifically targeted to the individual user’s online habits using AI.

Most breaches occur when employees make common, seemingly harmless mistakes. Now, this goes beyond forgetting to install updates or using overly simple passwords. In fact, due in part to the rise of social engineering, employee mistakes account for the vast majority of breaches. Hackers are catching on fast, capitalizing on human nature and using AI and social engineering to target unsuspecting employees. Clickbait isn’t just about articles and pageviews – it’s about getting a backdoor into your network through unsuspecting employees.

These increasingly sophisticated attacks might look like a harmless browser extension or an article in a social media feed. Employees will likely assume they are legitimate (haven’t we all downloaded a music app or other favorite tool?). Unfortunately, behind many of these commonly installed applications lurks a more sinister motive: a hidden phishing device.

Varying Risk Factors

While training may be effective, it is unlikely to stop all employees from unwittingly putting themselves at risk (particularly on their mobile devices over work networks). Small to medium businesses are especially vulnerable when it comes to these highly sophisticated attacks, so what do they need to know to safeguard against these threats?

First, organizations need to understand the types of phishing attacks. Spear phishing, for example, is a phishing attack targeted at specific individuals and can present a substantial risk to organizations. Spear phishing attacks pinpoint persons in the company with access to sensitive and/or valuable data. This could be anyone from a sales executive to an engineer on a specific project to the chief financial officer. While most phishing attacks broadly target employees with the hopes of catching just one, spear phishing is intended to focus on extracting data or credentials from specific individuals. We are seeing this increasingly as hackers become more aware of the value of specific targets and go after them.

Next, organizations need to understand basic prevention techniques. Defending against phishing requires constant training, since the targets are humans rather than computer systems. Unlike other types of attacks, phishing works because someone takes an action that gives cybercriminals access. This element of social engineering requires organizations to train employees not once, but on a recurring basis. Many organizations are seeking hands-on training through simulations after finding that prior measures weren’t effective. Training employees how to inspect email header information and identify malicious “spoof” websites can help safeguard organizations against many common threats.
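The header and link checks that such training teaches can also be automated as a first-pass triage aid. The following is an added example, not code from the article or from Untangle: it inspects a constructed sample message (no real capture; all domains are illustrative) for sender-domain mismatches, failed SPF/DKIM/DMARC results, links whose visible text shows a different host than the real destination, and lookalike domains that imitate an organization's own domain. The `TRUSTED_DOMAINS` list and the two-label approximation of a registrable domain are assumptions; a production deployment would use the public suffix list and a real mail-gateway feed.

```python
"""Added example: simple email header and link inspection for phishing triage.

Sample message and trusted-domain list are constructed for illustration.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's own sending domains (hypothetical values).
TRUSTED_DOMAINS = ["example.com"]

# Constructed sample message (not a real capture); every domain is illustrative.
SAMPLE = """\
From: "HR Payroll" <hr@example.com>
Reply-To: payroll@example-payroll.net
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-blast.example.net; dkim=none
Subject: Action required: confirm your direct deposit
Content-Type: text/html

<html><body><p>Please sign in at
<a href="http://examp1e.com/login">https://example.com/login</a>
to confirm your details.</p></body></html>
"""

# Crude anchor extractor; good enough for a triage aid, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _addr_domain(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def _registrable(host):
    """'Last two labels' approximation of the registrable domain (assumption:
    a real check should consult the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos and homoglyphs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    reg = _registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name smuggled into another registrable domain,
        # e.g. example.com.evil.net or example-payroll.net
        if brand in host.lower():
            return trusted
        # One-character typo or homoglyph in the brand label, e.g. examp1e.com
        if _edit_distance(reg.split(".")[0], brand) <= 1:
            return trusted
    return None


def inspect_message(raw):
    """Return a list of human-readable findings for the raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    findings = []

    # 1. Sender headers that disagree with the visible From domain.
    from_dom = _addr_domain(msg["From"])
    sender_domains = [from_dom]
    for hdr in ("Reply-To", "Return-Path"):
        dom = _addr_domain(msg[hdr])
        if dom and dom not in sender_domains:
            sender_domains.append(dom)
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Authentication-Results recorded by the receiving gateway.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) not in ("pass", "none"):
            findings.append(f"{mech} result is {m.group(1)}")

    # 3. Sender domains that imitate a trusted domain.
    for dom in sender_domains:
        trusted = lookalike_of(dom)
        if trusted:
            findings.append(f"sender domain {dom} resembles trusted domain {trusted}")

    # 4. Links whose visible text and real destination disagree, or lookalike hosts.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR_RE.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", label).strip()
        shown_host = (urlparse(shown).hostname or "").lower() if "://" in shown else ""
        if shown_host and shown_host != host:
            findings.append(f"link text shows {shown_host} but points to {host}")
        trusted = lookalike_of(host)
        if trusted:
            findings.append(f"link host {host} resembles trusted domain {trusted}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print(" -", finding)
```

Run as a script it lists seven findings for the sample: two sender-domain mismatches, the SPF failure, two lookalike sender domains, the mismatched link text, and the typo-squatted link host. In practice a gateway would attach these findings as a banner or quarantine reason rather than relying on the recipient to notice them.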

Mobile Devices in the Workplace

Mobile devices are increasingly becoming the vector through which hackers target employee networks. According to a recent report, the rate at which users are falling for attacks on mobile devices has increased 85 percent each year since 2011. Mobile devices are growing in popularity for attacks because they often lack endpoint security and have access to a wide variety of mobile applications and messaging services. This provides more opportunities for hackers to target employees, who may assume their personal device isn’t a threat to their employer’s network. New attacks use popular apps such as WhatsApp and Facebook to lure victims to download malware, which can expose data stored on these devices.

Having a bring-your-own-device (BYOD) policy is not without risks. For example, the device may be taken offsite for personal use, where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or loaded with any number of personal applications. Additionally, devices, especially mobile phones and tablets, can easily be lost. If the device contains sensitive business information, or can connect to a corporate network to access such data, these behaviors seriously increase the risk of compromising company data.

Training Isn’t Always Enough

When the best training isn’t enough, SMBs should put technology in place to back up these efforts. People are human, and as such they will often make judgement calls that put them at risk despite the best intentions and training. To supplement training, technology that can identify threats where people might not even think to look is critical. A layered security approach that combines technology, policy and training will be the most effective. Solutions like next-generation firewalls, endpoint protection, behavioral heuristics and more should all be explored when architecting the right strategy for your organization.

Ultimately, phishing attacks rely on social engineering, with the goal of putting something in front of an employee that will entice them to click (or download) without thinking about the consequences.

Attackers are constantly changing tactics, so ensuring that you are armed against the latest threats is critical. Look for solutions that automatically update in addition to training your employees at regular intervals to understand the latest threats. Creating a culture of security awareness is an important first step for any organization. 

About the author: Timur Kovalev serves as the CTO at Untangle and is responsible for driving technology innovation and integration of gateway, endpoint, and cloud technologies. Timur brings over 20 years of experience across various technology stacks and applications.
