- April 1, 2022
- Posted by: Contego Inc.
- Category: Protecting Your Network
Social engineering is the second-highest cybersecurity threat in 2022, with ransomware coming in first. Every day, Google blocks more than 100 million phishing emails–and even more continue to make it through their filters. Cyberattacks have continued to rise throughout 2020 and 2021. As we move through 2022, many businesses continue to see a high degree of threats, many of which come in the form of social engineering.
Make sure your employees are prepared to deal with these key social engineering attacks in 2022.
1. SMS Phishing
Text phishing is becoming increasingly common–and unfortunately, many people are not yet fully aware of the potential implications. Text phishing, particularly to your work accounts, can take many of the same forms as other types of social engineering, including sending text messages that spoof multi-factor authentication requests or request payment from vendors that your company may work with. SMS phishing may seem more authentic due to the fact that many employees have not yet recognized the prevalence of text-based phishing scams.
Make sure that employees are used to deal with text threats as well as social engineering emails. Do not send private information, or requests for private information, through text, so that employees will know that they don’t have to worry about requests potentially coming from internal employees.
2. Spear phishing
While general phishing attacks are designed to target a wide range of users based on the information the hacker or scammer is able to gather about them, spear phishing attacks are generally designed to target specific individuals–often those at higher levels within the organization. Spear phishing attacks may aim to get login credentials or other vital information from people in positions of power throughout your organization.
Often, people at higher levels within your organization may sign off on potential requests or even hand over funds without thinking twice about it. Sometimes, spear phishing campaigns will attempt to solicit funds directly. In other cases, they may attempt to get the target’s login information or other private information so that they can log in and complete those actions on their own.
Sometimes, spear phishing will use an account pretending to be the CEO or another high-level individual in the organization to convince other employees to transfer funds, as in the FACC attack, where the business lost nearly $60 million due to a CEO fraud scam.
3. Emotional Manipulation Scams
Many scammers will use emotional manipulation to target businesses and private individuals alike. During the height of the pandemic, for example, Google blocked more than 17 million emails per day as scammers tried to play on pandemic-associated fears to convince targets to click malicious links that would ultimately lead to malware on the device.
Emotional manipulation can take a number of forms. For example, scammers might try to target people who want to donate to Ukraine, especially as war continues to rage. Many employees are still concerned with the potential impact of the pandemic on themselves and their loved ones. By manipulating those employees, scammers may be able to convince them to share private information or to click on links that might expose business devices to malware.
4. Ransomware Attacks Following Phishing
Ransomware attacks have become increasingly prevalent in the past couple of years. Ransomware locks users out of their devices and networks entirely, destroying the information left behind. Once a scammer gains credentials through phishing or spear phishing, the scammer or organization can escalate the attack, allowing them access to other corners of the network.
Increasingly, cybercriminals are using overlapping attack platforms that will provide them with access to greater levels of information.
5. Diversion Theft
Diversion theft has been around for years. Previously, scammers wild try to persuade a delivery driver or company to hand off a package at the wrong location, allowing the thief to take possession of a package intended to go somewhere else. Cyber crime has taken diversion theft to a deeper level. Now, cybercriminals can convince employees to divert funds or information to a location other than the one it was originally intended to go to. Sometimes, employees are convinced to pay invoices to the scammer, instead of to the right organization. In other cases, scammers may create invoices outright.
Decreasing the Impact of Social Engineering on Your Business in 2022
Managing the potential impact of social engineering in 2022 is more important than ever. Fortunately, there are several strategies you can use to help your employees avoid the potential impact of social engineering.
1. Make sure employees are properly trained and updated.
Your employees need to know how to spot signs of social engineering, from phishing emails to diversion theft. If your employees don’t have the information they need about potential scams and how to identify and avoid them, they may inadvertently open your business to loss or theft–and they may not have any idea that it’s happened until the disaster occurs. When employees are properly trained, however, they’re often better positioned to spot signs of social engineering.
2. Provide employees with tools for reporting social engineering scams.
Make sure employees know how to respond, whether they’ve been fooled by social engineering scams or not. Keep in mind that even well-trained employees can be fooled in some scenarios. Encourage employees to speak up if they have questions. You may also want to give them the tools they need to clarify genuine requests for information, including those that might come from your IT department.
3. Have a response plan in place.
Put together a comprehensive response plan that will allow your organization to react quickly in the event of a disaster. Section off impacted areas of the network, change passwords quickly, and put together tools that will allow you to respond effectively if you or your employees are compromised.
Social engineering is a serious threat to your organization, and one that continues to rise. Contact us today to learn more about potential threats, including where your organization is likely the most vulnerable and how you can act to protect it.