Did you know that the average worker gets 121 emails a day? With so many emails pouring into inboxes, it’s no wonder that phishing attacks are successful. Not only are workers tirelessly keeping up with answering their emails, but the attacks themselves are becoming more sophisticated—and they prey on tired employees who, without thinking, click on the malicious link or attachment.
Phishing emails are designed to look as if they come from a trusted source, and they often reuse the templates, graphics, and language of legitimate emails. One recently reported campaign, the airline phishing attack, is said to have a 90-percent success rate. It is well researched: the attacker knows which airline the employee is flying with, the destination of the flight, and even the price paid for the ticket. The email lures the user into opening the flight confirmation in an attached document, and that document carries the malicious payload. Many variants also embed a phishing link designed to capture the user's credentials.
Recently, we've also seen a few examples that MSPs have spotted while protecting their SMB customers. Each one mimics the layout you would expect from UPS or DHL, with two small differences: a suspicious URL that is revealed only when you hover over the embedded link, and a sender address whose domain is off by one letter from the real one.
While these emails might not be as successful as the airline attack, it only takes one unsuspecting user to open the door to attackers. As an MSP, you need to implement a multi-layered security approach to combat these threats. That means putting the right technical safeguards in place, such as a next-generation firewall and an email security solution that can identify typosquatted sender domains and mismatched links within emails. You also need to keep educating your SMBs on how to recognize these attacks. Attacks are continuously evolving and becoming more sophisticated, so keeping your SMB clients up to date on the newest tactics is critical.
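To make the two tells in those UPS/DHL lookalikes concrete, here is an added example, not code from the original post or from any email security product, that checks a raw message for a sender domain within a couple of edits of a trusted brand domain and for links whose visible text names one domain while the href points at another. The allow-list, the sample message, and the `.example` hosts are all constructed for illustration.

```python
"""Flag two common phishing tells in a raw email:
 1. a sender domain that is a near-miss (typosquat) of a trusted brand domain;
 2. a link whose visible text shows one domain while its href goes elsewhere.
Added example; the allow-list and sample message are constructed, not real data."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: the brand domains this customer legitimately hears from.
TRUSTED_DOMAINS = {"ups.com", "dhl.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain that `domain` most closely imitates, or None.
    An exact match is legitimate mail, not a lookalike, so it returns None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best = min(sorted(trusted), key=lambda t: edit_distance(domain, t))
    return best if edit_distance(domain, best) <= max_dist else None


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Fine for .com brands; a real deployment
    would use the public suffix list so that e.g. ups.co.uk is handled."""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html: str):
    """Links whose displayed text looks like a URL/domain that differs from the href host."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if "." in shown_host and registrable(shown_host) != registrable(href_host):
            findings.append((text, href))
    return findings


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report both tells."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["from"].addresses[0].domain if msg["from"] else ""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender_domain": sender_domain,
        "lookalike_of": lookalike_domain(sender_domain),
        "mismatched_links": mismatched_links(html),
    }


# Constructed sample: one extra letter in the sender domain, one disguised link.
SAMPLE_EMAIL = b"""From: UPS Notification <tracking@upss.com>
To: bob@smb.example
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not deliver your parcel. Review the details here:</p>
<p><a href="http://track-parcel.example/x">www.ups.com/tracking</a></p>
<p><a href="https://www.ups.com/help">Help</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Keep the allow-list to brands the customer actually receives mail from; a distance threshold of two across thousands of domains would produce false positives on unrelated short names, and the registrable-domain helper should be replaced by a public suffix list lookup before it sees real traffic.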
Vulnerabilities beyond phishing threats
Personal information is worth a lot, so it’s no surprise that social engineers or human hackers, if you will, have become more sophisticated in stealing data whenever they can get their hands on it. In fact, the other day I was alerted to a scam that happened to one of my LinkedIn connections! To preserve the identity of my connection, we’ll call this individual Bob.
Bob has been actively job-seeking for six months, looking to pursue a new career path, potentially one with more growth. With a newly acquired Bachelor’s degree and an MBA under way, Bob sent out over a thousand applications hoping to hear back. With very few replies, other than “You have great qualifications but…,” Bob suddenly heard from someone claiming to be from Raytheon who wanted to conduct an online phone interview.
Just like a typical phone interview, it was an extensive back-and-forth about personal qualifications, what the position would entail, benefits, salary, and more. However, when Bob was asked to share his personal banking information over the phone to set up direct deposit, he realized the call was too good to be true and immediately hit the brakes. Unfortunately, he isn't the only one who has been targeted by phone scams like this.
In a recent article, the FCC warned the public of a new phone scam. In this scam, the social engineer calls the victim and simply asks if they can hear them. When the victim says yes, the voice signature is recorded and then later used to authorize fraudulent charges down the road. Think about this. Are your customers trained to protect themselves against social engineering attacks? While you may have every technical safeguard in place with your customer, it only takes one uninformed individual to open up the door to a social engineer. For MSPs this opens up an additional opportunity to further educate your SMB customers.
Protecting your customers despite social engineers
Teaching your customers cybersecurity best practices is critical, but they also need to understand how to mitigate the risks of social engineering. They may know not to click a suspicious link or open an attachment from an unknown source, but do they know how to protect sensitive company information over the phone?
Most individuals realize they shouldn't give out bank information during a job interview, but would they think twice about giving business-confidential information over the phone to someone asking the right questions? Consider adding best practices for guarding against social engineering to your security training.
Teach your customers how to identify common attack methods and how social engineers extract confidential information. Suggest that they adopt call scripts so that confidential information is not divulged over the phone, and, most importantly, encourage them to agree with their employees on what counts as sensitive information. Every vertical has its own confidential data, but common examples include vacation schedules, personal information, health records, employee information, and even charitable donations.
When it comes to security, it only takes one mistake for it to be used against you. Whether it's clicking a convincing phishing link or divulging confidential information over the phone, social engineers are waiting for that one mistake, and it's your job to help stop it.