Do you think your employees are too smart to be fooled by a hacker who tries to trick them into breaking normal security procedures? Brains and training may not be enough if they encounter a criminal who is good at social engineering.
We wrote about a social engineering experiment in the article Reduce Cybersecurity Risk via Employee Training. In this experiment, a surprising number of employees picked up an “abandoned” flash drive and inserted it into their corporate computers. You’ve probably warned your employees not to play with strange flash drives, and you’ve certainly told them to leave unfamiliar email links alone. But what if social engineering threats appear in disguise? What if they seem familiar?
Security Threats: Patent v. Latent
Here are some examples of patent (open) threats and their sneaky latent (hidden) counterparts.
Media Dropping. This is when a spyware/malware-infected data stick is planted, or “dropped.”
Patent: As in the experiment described above, an unbranded data stick is lying “forgotten” on a table in a public place such as a cafe or airport.
Latent: A salesman from a recognized vendor meets with an employee. The vendor says his laptop or software is down, and asks if he can use the employee’s desktop or laptop to run his presentation.
Scareware. This is malware that makes you think you’ve just downloaded a virus. The real virus, however, is in the software that you are urged to download to fix the problem.
Patent: You click a Google search result and are taken to a garish page filled with pop-ups that scream “Danger! Untrusted! Scan your system now!”
Latent: You’re on an ordinary-looking website. You click a link that says, “More information.” Instead of going to another web page, an animation appears that makes it look as though you’ve downloaded a file. Then a Microsoft-branded pop-up appears, warning that the file you downloaded is not trusted. You are urged to visit a Microsoft web page (which looks exactly like a real Microsoft web page) and download a tool to remove the virus.
Fake Email Links.
Patent: You receive an email from a friend’s personal address. The subject line is very vague, something along the lines of “This is really cool!” You’re not personally addressed in the message, which is short and features a weird link, e.g., “This is really cool http://xertl.de”
Latent: You receive an email at your work address from a coworker’s work address. The subject line is complete and plausible, something along the lines of “Following up from the meeting.” The message addresses you personally, uses correct grammar and punctuation, and includes a good reason for the ordinary-looking link, e.g., “Emma — Here’s a great article that answers a lot of our questions. I found it very interesting. Hope this is helpful! — Brandon http://widgetreviews.com/healthcare/secure-widget-faqs”
Yes, hackers can be that sneaky! Malicious attacks tailored to a specific employee or organization are called spear phishing. The spear phisher is hoping that Emma will worry that she’s forgotten something that happened in a meeting, and will click the link to find out what’s going on.
Your Best Defense
As you can see, these scams are so hard to detect that even the most diligent employees can be fooled. This is why regular system backups and restoration testing are essential. If viruses or ransomware get through your defenses, you need to be able to restore your data as quickly and completely as possible. Also, if your data is backed up offsite, it needs to be securely encrypted. Talk to your IT provider about your backup and restoration options.
Dateline: March 23, 2016
Author: CMIT Solutions of Gilbert and Mesa