With the recent additions of smishing and vishing, social engineering phishing attacks are becoming more sophisticated. Enterprises with technically sound cyberdefenses must still beware of social engineering attacks.
When enterprises talk about data breaches, they tend to focus on the latest cybersecurity technologies or cyberwarfare tactics. But one threat that is often neglected in these conversations is social engineering attacks, which continue to crop up — typically in the form of phishing. Social engineering relies on people’s natural emotional impulses to trick them into revealing sensitive information. Although phishing is often laughed off as a simplistic tactic to which only the computer-illiterate could fall prey, it has been used successfully for years — and often to the detriment of major organizations.
According to a recent phishing report from Proofpoint, 83 percent of infosecurity professionals experienced phishing attacks in 2018. Sixty-seven percent of survey respondents dealt with one to five attacks per quarter, signaling a distinct uptick in incidents since 2017. Maintaining a secure network is a necessary defense mechanism, but social engineering cyber attacks are unique in that they are designed to succeed in the face of even the most stringent cybersecurity defenses. After all, anyone can have a tough day and mistakenly click on a fraudulent email link. Hackers have even begun diversifying their approach to cybercrime with different forms of phishing, namely smishing and vishing.
Phishing is the most common attack among cybercriminals and involves sending emails to users that direct them to fake websites designed to steal their data. These websites request sensitive information like account IDs, passwords, and credit card numbers under false premises. In the past, these emails tended to be easily recognizable due to careless spelling errors or incorrect logos, but hackers are getting better at making these emails look legitimate.
Smishing and vishing are the latest, and in some respects most dangerous, forms of phishing, not only because they’re less recognizable but also because they’ve been adapted to the ways in which we use technology today.
Smishing (SMS phishing) uses text messages rather than emails to trick customers into giving away their information. Nowadays many people have text alerts set up for their bank accounts, so it isn’t particularly unusual for an individual to receive a text from their bank requesting account verification due to suspicious activity.
With vishing (voice phishing), bad actors call a customer and pretend to be representatives of an official organization like the government or the IRS. Vishing scammers may also spoof their caller ID so the number shares your area code or even looks like your own, knowing that people are more likely to pick up calls from numbers that are local. Callers will also try to record their targets giving basic commands like “yes” and “no,” or try to get them to recite numbers, in order to splice together authorization codes.
Phishing attacks can wreak havoc on businesses in a variety of ways. Compromised accounts, data loss, and malware infections are the three most common outcomes of cyber attacks. In 2017, small to mid-sized businesses spent an average of $879,582 recovering from cybersecurity damages. Credential compromise has increased by nearly 70 percent since 2017 and reports of data loss have tripled since 2016. As enterprises grow increasingly reliant on digital technologies, the effects will undoubtedly be exacerbated.
The financial costs of phishing and subsequent victim outrage are well-documented by news outlets when data breaches occur. In the worst cases, victims’ private information is sold and circulated on the web for an extended period of time after the initial incident. Many people will blame the business rather than the phishers, which can result in lost customers and public relations costs. Behind the scenes, enterprises may incur critical losses to productivity and business reputation.
The key to preventing social engineering attacks is knowing how to spot them, which is why attack awareness training is so important. Enterprises have recognized that cybercriminals are increasingly exploiting vulnerabilities in people rather than technology, and 95 percent of Proofpoint survey respondents said they have begun training end-users to detect phishing attacks. Fifty-seven percent of infosecurity professionals have been able to quantify a reduction in phishing susceptibility because of attack awareness training sessions.
Educating employees on how to avoid phishing attacks is vital, but it’s also time-consuming. A near-constant cycle of cyber attack awareness training takes up valuable time that could be spent shoring up other security measures. What’s more, there’s only so much you can do to prevent social engineering attacks.
The cybersecurity experts at Turn-key Technologies, Inc. (TTI) can alleviate some of this pressure. Our teams can help secure your networks and manage your workload as your IT team takes up the responsibility of social engineering attack training. With nearly thirty years of experience managing and securing networks, we can provide the support you need to properly train employees to spot phishing attacks — including their most recent offspring. Our a la carte menu of managed services comprises a wide range of capabilities that you can rely on to secure your network and help your business run smoothly.