Many companies have heard of cybercriminals who try to steal company data or access internal systems by emailing you links that lead to malicious websites. An alternative route is to find weaknesses in a company's network, website or internet-connected devices such as CCTV systems, printers or Wi-Fi access points, then attack them continually until they gain access.
However, one of the lesser-known attacks, which has increased significantly since lockdown, is social engineering. This type of attack doesn't rely on fancy software to gain access to your company data; it relies on one thing only: human psychology.
Social engineering is probably one of the most dangerous and fastest-growing methods that criminals use today. It preys on employees in busy working environments, using scare tactics or a sense of urgency to trick victims into handing over sensitive data. It normally uses an email, text message or telephone call to obtain the information.
You might not realise it, but the chances are that you, or someone you know, has received some form of social engineering scam, as there has been a 485% increase within the past twelve months. This is due to employees working from home during the pandemic.
One of the most recent social engineering scams in the news was texts being sent from criminals claiming to be from Royal Mail demanding payment from victims to receive their parcels.
It's extremely common for these criminals to use similar techniques against companies. For example, they will look at public records to find the names of decision makers within the business; on the assumption that these people have greater access, they become primary targets. Another source of information is LinkedIn, Facebook and other social media platforms, as many people post personal information without realising it, such as dates of birth, children's names, pet names and holiday locations, all of which are common passwords.
We thought we'd break down the two most common social engineering techniques and provide information on how to reduce the risk.
Phishing involves sending out emails or texts that trick victims into handing over sensitive data by using urgent and emotive language. It usually targets a random group of people and waits patiently to see who falls for the bait.
For example, sending out messages posing as Office 365 and claiming you have a number of emails that have not been delivered is a form of phishing. The criminal doesn't need everyone to believe they have important undelivered emails; it only takes a few recipients to share their Office 365 username and password with the criminals. Similar emails might state that you have a new voice message, with an attachment containing a link to a third-party website. Once the link is clicked, a download starts and you have malware on your company network.
Think of it like fishing. Someone who is phishing will send out emails or texts as bait and wait patiently for someone to fall for it.
With spear phishing, by contrast, someone targets a specific individual or organisation by monitoring their patterns and tracking what they do. Once they have the information they need, they go after that individual or group.
Spear phishing is probably the scariest, most dangerous and most costly of all the social engineering techniques, because phishing targets a group of random people, whereas spear phishing continually targets individuals within the business. There are many cases where a standard phishing attack has escalated into a targeted spear phishing campaign. For example, once access has been gained to an individual user's mailbox, criminals can gain a complete overview of the company, see all emails sent internally and externally, and learn details about the customers and suppliers you regularly deal with.
They do this by finding out everything they can about the individual or group, whether by browsing your social media, hacking emails to see how others communicate with you, or stalking your online behaviour. This type of attack can take weeks or even months to set up, as they try to get every detail exact so that their victims are more likely to believe the messages are real.
An example would be the criminal asking you to make an immediate payment, knowing that you are out of the country or attending a conference. Another would be monitoring a compromised mailbox, waiting for invoice instructions from a supplier, changing the banking details within the PDFs and tricking you or your customer into paying money into a fraudulent account.
They could even copy an email that looks exactly like one your finance department would send out, reproducing everything from the language and tone to the signature at the bottom of the email. The email could be sent to staff across your organisation asking them to confirm or send their most recent bank details, or their usernames and passwords. If a single person in your organisation falls for this, it grants the criminal access to a range of company data.
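The tells described in the phishing and spear phishing sections above (urgent language, a trusted colleague's name on an address that isn't theirs, a sender domain one letter away from a real supplier, and requests to change bank details or confirm credentials) can be turned into a simple mailbox triage check. The script below is an added illustration, not CapNet's or Barracuda's code; the organisation profile, domains, names and the four sample messages are all constructed for the example.

```python
"""Heuristic triage of inbound mail for common phishing and spear-phishing tells.

Added example with constructed data: the trusted domains, the internal
finance contact and the sample messages are hypothetical.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation profile (hypothetical).
TRUSTED_DOMAINS = {"example-corp.co.uk", "supplier-ltd.co.uk"}
INTERNAL_PEOPLE = {"jane smith": "jane.smith@example-corp.co.uk"}  # finance director

URGENCY_TERMS = ("immediately", "urgent", "as soon as possible", "today",
                 "overdue", "final notice", "within 24 hours")
BANK_CHANGE_TERMS = ("new bank details", "updated bank details",
                     "changed our account", "new sort code", "new account number")
CREDENTIAL_TERMS = ("username and password", "verify your account",
                    "sign in to release", "undelivered")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot lookalike domains (a swapped or extra letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (distance 1-2, not exact), else None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def analyse(raw: str) -> dict:
    """Score one raw RFC 822 message and say whether it should be held for review."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    findings, score = [], 0

    # 1. A known colleague's display name on an address that is not theirs.
    expected = INTERNAL_PEOPLE.get(display.strip().lower())
    if expected and address.lower() != expected:
        findings.append("display-name impersonation")
        score += 2

    # 2. Sender domain is a near-miss of a domain we trust.
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike domain of {imitated}")
        score += 2

    # 3. Content tells, one point each.
    for label, terms in (("urgency language", URGENCY_TERMS),
                         ("bank detail change request", BANK_CHANGE_TERMS),
                         ("credential lure", CREDENTIAL_TERMS)):
        if any(t in text for t in terms):
            findings.append(label)
            score += 1

    # Hold anything that is impersonating, lookalike, or shows two or more tells.
    return {"from": address, "findings": findings, "score": score, "hold": score >= 2}


# Constructed sample messages (hypothetical senders and content).
SAMPLES = {
    "legit_internal": (
        "From: Jane Smith <jane.smith@example-corp.co.uk>\nSubject: Q2 budget figures\n\n"
        "Hi all, the Q2 figures are attached for review at Thursday's meeting.\n"),
    "ceo_fraud": (
        "From: Jane Smith <jane.smith@exarnple-corp.co.uk>\nSubject: Urgent payment\n\n"
        "I'm at the conference and can't take calls. Please pay the attached invoice immediately.\n"),
    "invoice_redirect": (
        "From: Accounts <accounts@supp1ier-ltd.co.uk>\nSubject: Invoice 4471 - new bank details\n\n"
        "Please note our updated bank details for all future payments; new sort code enclosed.\n"),
    "o365_lure": (
        "From: Office 365 Support <noreply@mail-notice.example>\nSubject: 3 undelivered messages\n\n"
        "Sign in within 24 hours to release your undelivered emails with your username and password.\n"),
}


def triage_all() -> dict:
    """Run every sample through analyse() and return the results keyed by name."""
    return {name: analyse(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:17} hold={result['hold']!s:5} {', '.join(result['findings']) or 'clean'}")
```

The scoring is deliberately simple: impersonation and lookalike domains are weighted so that either one alone holds the message, while content tells only hold a message in combination, which keeps a genuinely urgent internal email from the real finance address out of the quarantine. In practice the trusted domain and contact lists would come from your directory and supplier records rather than being hard-coded.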
Our new service can help!
CapNet have recently partnered with Barracuda, who have always been one of the top market leaders in security. However, they previously designed their systems for corporate companies rather than the SMB market, which priced them out of it.
The good news is that Barracuda have recently released two cloud-based products designed to work with Office 365. Compared to their corporate pricing model, the SMB pricing is a lot more cost effective, yet you gain the same level of protection that would normally cost tens of thousands of pounds, for a manageable monthly fee starting from £2.50 per mailbox, with the full product costing £6.50 per mailbox per month. This is a standard price no matter how many devices you use, effectively meaning you can protect a corporate mailbox for 0.21 pence per day.
We recently implemented Barracuda for one of our customers, who has offices globally. We have been extremely impressed with the insight the product gives as well as the level of protection. The example below is real data, with the company name and user details changed for privacy; the system had been in place for less than two weeks. CapNet are offering a free insight scan, which scans the corporate mailboxes and provides a report on phishing emails previously received. We are also offering free implementation, normally charged at a minimum of £220, for the rest of April and May 2021.
Reviewing the data above, we can see which countries the spam emails originated from, and the graphs show that of 6,862 received emails, 2,218 were blocked as spam.
We can also see that the company received 12 advanced threats (targeted phishing attacks attempting to gain access and credentials) and 3 viruses.
This is a great example of how we must adapt and respond to the increase in threats to protect all businesses. It only takes one opened email to compromise the complete business network.
If you are interested in this service or would like to find out more about how it can help your business, please give us a call today!
Please feel free to give us a call on:
03454 705 704
or visit our website: