As the front line of your cyber defence, your staff are the part of your business most targeted by social engineering scams. Any one of your employees can become the target of social engineers, but HR and finance fall prey to hackers most often, as they have access to your company's assets.
Consider the following hair-raising social engineering attack scenarios:
During her lunch break, Linda from accounts is scrolling through funny cat videos and friends' photos on Facebook. She comes across a sponsored post promising a chance to win £100 in M&S vouchers if she likes and shares it. Instantly tempted by the offer, Linda shares the post with her friends and goes about her day.
What Linda doesn’t know is that whilst she was jumping at the opportunity to treat herself to an M&S grocery shop, a file laced with malware was downloading to her work computer, giving hackers access to her company’s sensitive data and payment details. It’s not until millions of pounds are missing from the business bank account that she realises her mistake, but by then it’s too late.
John, your HR manager, receives a call from the bank. They are calling to inform him that there has been a security breach. Could he provide the company account login details so they can check that nothing is amiss? Overcome by initial panic, he reads out the details to the bank employee, and once they reassure him all is well he gets back to work.
When his boss gets a bank statement showing a transfer to an offshore account in China, it's with a sense of dread that John realises the phone call was not, in fact, from the bank. Alas, there's no getting the money back.
You ring your front of house, Jane, asking her to book last-minute train tickets to London, as you've just been called to go and pitch tomorrow. As Jane rushes to make the purchase, she gets redirected to a new Payment Methods page. The new page looks just like the rest of the website. Keen to secure the tickets, she types in the card details and hits confirm.
What Jane doesn't notice in her mad scramble to arrange the train journey is the slight difference in the URL. No one thinks much of it until you notice a large sum of money missing from your business account at the end of the month. At that point, there's nothing your bank can do about it.
You receive an email from the Google Analytics team asking you to update your payment methods, as they are having trouble verifying your payment. Keen to avoid any tracking downtime, you click on the legitimate-looking link provided and enter your email login details to make sure nothing is amiss.
A few weeks later you check your inbox on a Monday to find a response from your head of finance. They're confirming that they have transferred the sum you requested. Only, you haven't requested any such thing. Digging into your 'Sent' folder, you find the scam email. It reads, 'I'm boarding a plane out of the UK and won't be accessible over the weekend, but we need to transfer money into xxx bank account ASAP.'
It's obvious cyber criminals have used your credentials and authority to defraud you of a substantial sum. No getting it back now!
Training your staff to spot social engineering attacks will allow them to confidently deal with phishing and minimise the cyber security risk to your business.
October is Cyber Security Month.
Get 20% off all of our cyber training courses when you make your booking before 30th November 2018. To make a booking, please email firstname.lastname@example.org.