Social Engineering and the dangers to your organization
As a small to medium-sized business in Grand Rapids or West Michigan, you need to be aware that the bad guys are continually looking for ways to hack into your IT network. Cybersecurity technology protection should be part of risk management for every business in West Michigan. The example below highlights why you should invest in cybersecurity to mitigate your risk.
Scenario:
Logging into work on a typical day, Jim, an employee at XYZ Corp., receives an email from the IT department. The email informs Jim that the company suffered a security breach, and it is essential for all employees to update their passwords immediately. Jim clicks the link provided, which takes him to a website that looks exactly like his company’s login page. A few days later, Jim finds himself locked out of his account, and quickly learns that the password reset link he clicked earlier did not come from his company.
Jim is a diligent employee. He took the steps needed to keep his account safe by following the directions from his IT team. While there might have been some signs the email was a forgery from an outside attacker, there were no obvious red flags. The email was clear in its logic and the login page was identical to the one he uses regularly.
The Deception:
But as it turns out, Jim was a victim of a phishing scam, a type of social engineering attack where the cybercriminal impersonated Jim’s IT department to gain his trust and trick him into revealing his login credentials. The login page Jim visited was a convincing duplicate of the company’s real login page, but in reality, it was nothing more than a trap set by the attacker to collect credentials.
Social engineering:
Social engineering is often used to obtain access or information through a technique called phishing. Typically, an attacker will impersonate someone the victim knows and convey a sense of urgency and importance in their communications to encourage the victim to take action. Some common phishing attacks used for social engineering include:
- Phishing: An attacker sends fraudulent emails or texts that appear to be from trusted sources to get individuals to reveal personal information. These are often generic in nature, and use bland pressure tactics, such as the data breach warning Jim experienced.
- Spear Phishing: A more targeted form of phishing where specific individuals or organizations are the intended victims. In Jim’s case, a spear phishing attack might have referenced a coworker, his employee number, or a project he was working on.
- Whaling: A specific type of phishing attack that targets high-level executives or important individuals within a company.
- Vishing: The telephone version of phishing, where the attacker calls the victim and pretends to be a legitimate organization asking for sensitive information.
- Smishing: This is the SMS version of phishing where the attacker sends fraudulent messages via text to trick the victim into providing sensitive information.
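The warning signs in Jim's email (a sender domain that only resembles the company's, a link whose visible text says one domain while its href goes to another, and pressure language) can be checked mechanically before a user ever clicks. The following is an added example, not code from the original post or from i3 Business Solutions; the sender address, HTML body and the company domain `xyzcorp.com` are constructed, and the registrable-domain helper is a deliberate simplification (production code should consult the public suffix list).

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample modelled on the scenario above: a look-alike sender domain,
// a link whose text claims the real login host but whose href goes elsewhere,
// and the "breach, update immediately" pressure wording.
const sampleSender = "it-support@xyzcorp-security.com"
const sampleBody = `<p>XYZ Corp suffered a security breach. All employees must update their password immediately:</p>
<a href="https://xyzcorp-login.example/reset">https://login.xyzcorp.com/reset</a>`

// Anchor tags with an href and their visible text (simple HTML assumed).
var anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// A URL written out in the visible link text.
var urlInTextRe = regexp.MustCompile(`(?i)https?://([^/\s<]+)`)

// Pressure phrases typical of generic phishing (constructed list, not exhaustive).
var urgencyTerms = []string{"immediately", "security breach", "locked out", "urgent"}

// registrableDomain keeps the last two labels of a host name. This is a
// simplification for the example; real code should use the public suffix list.
func registrableDomain(host string) string {
	parts := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(parts) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(parts[len(parts)-2:], ".")
}

// AnalyzeEmail returns one finding per phishing indicator seen in the message.
// An empty result means none of these heuristics fired, not that the mail is safe.
func AnalyzeEmail(sender, htmlBody, companyDomain string) []string {
	var findings []string

	// 1. Sender domain must be the company's registrable domain, not a look-alike.
	at := strings.LastIndex(sender, "@")
	senderDomain := registrableDomain(sender[at+1:])
	if senderDomain != companyDomain {
		findings = append(findings, fmt.Sprintf("sender domain %q is not %q", senderDomain, companyDomain))
	}

	// 2. Every link in an "internal IT" message should point at the company domain,
	//    and the visible text must not claim a different host than the href.
	for _, m := range anchorRe.FindAllStringSubmatch(htmlBody, -1) {
		href, text := m[1], m[2]
		u, err := url.Parse(href)
		if err != nil || u.Hostname() == "" {
			findings = append(findings, fmt.Sprintf("unparseable link %q", href))
			continue
		}
		hrefDomain := registrableDomain(u.Hostname())
		if hrefDomain != companyDomain {
			findings = append(findings, fmt.Sprintf("link to %q presented as internal", hrefDomain))
		}
		if t := urlInTextRe.FindStringSubmatch(text); t != nil && registrableDomain(t[1]) != hrefDomain {
			findings = append(findings, fmt.Sprintf("link text shows %q but href goes to %q", t[1], u.Hostname()))
		}
	}

	// 3. Urgency wording on its own is weak evidence, but it is what makes people click.
	lower := strings.ToLower(htmlBody)
	var hits []string
	for _, term := range urgencyTerms {
		if strings.Contains(lower, term) {
			hits = append(hits, term)
		}
	}
	if len(hits) > 0 {
		findings = append(findings, "urgency language: "+strings.Join(hits, ", "))
	}
	return findings
}

func main() {
	for _, f := range AnalyzeEmail(sampleSender, sampleBody, "xyzcorp.com") {
		fmt.Println("-", f)
	}
}
```

Run against the constructed sample, the checker reports four findings: the look-alike sender domain, the external link, the text/href host mismatch, and the urgency wording. A message from `jim@xyzcorp.com` linking to `hr.xyzcorp.com` with no pressure language produces none.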
Social engineering enables attackers to victimize trusted users and then use the information obtained (often compromised credentials) to do damage to an organization. It’s reported that the use of valid accounts is the most common technique for an attacker to gain initial access to an organization.
As attackers get more sophisticated, it is important to improve your organization’s defenses to ensure only trusted users gain access to sensitive resources. i3 Business Solutions’ Fortress Cybersecurity Microsoft 365 Alert Service can help your organization protect its users and set up roadblocks to get in the way of attackers, even when they send convincing emails meant to deceive your employees.
- Device Trust: Reinforce your users by combining strong authentication requirements with device trust policies. Fortress Cybersecurity checks if the device is managed or registered and if it should be trusted. If it is, access is granted. If it’s not, the user is stopped before they can even attempt to log in.
- Passwordless Authentication: Implement a solution that requires a biometric at login, rather than a password. The biometric on the trusted user’s device unlocks a private key that is matched to a public key held by the application, enabling the user to log in. This makes traditional phishing attacks in which bad actors steal passwords obsolete.
- Contextual Login Evaluation: In the event of an attack, step up the authentication to require additional verification. This could involve entering a code from the access device, like a laptop, into a secure application, a step the legitimate user will not complete if they are not the one logging in.
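The passwordless item above rests on one idea: the device proves possession of a private key by signing a fresh, server-issued challenge, and that signature also covers the web origin the device believes it is talking to. A credential captured by a look-alike login page is therefore useless, because the device signs the wrong origin. The following is an added example written to illustrate that exchange; it is not i3 Business Solutions' product code nor a real WebAuthn implementation. The user name, origins and message format are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// signedData is what the device signs. Binding the origin into the signed bytes is
// what defeats the look-alike login page: a device talking to the wrong origin
// produces a signature the real site rejects.
type signedData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Device models the user's authenticator. The private key never leaves it; in a
// real product the biometric gates access to this key.
type Device struct {
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Sign answers a challenge for whatever origin the device observed.
func (d *Device) Sign(challenge []byte, observedOrigin string) (msg, sig []byte) {
	msg, _ = json.Marshal(signedData{Challenge: hex.EncodeToString(challenge), Origin: observedOrigin})
	return msg, ed25519.Sign(d.priv, msg)
}

// RelyingParty is the application side: it stores only public keys.
type RelyingParty struct {
	Origin     string
	PublicKeys map[string]ed25519.PublicKey // user -> registered public key
	challenges map[string][]byte           // user -> outstanding challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, PublicKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.PublicKeys[user] = pub }

// NewChallenge issues 32 random bytes; each is accepted at most once.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the signature, consumes the challenge (so replays fail) and
// requires the signed origin to be this site's origin.
func (rp *RelyingParty) Verify(user string, msg, sig []byte) error {
	pub, ok := rp.PublicKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.challenges, user) // single use, whether or not the rest succeeds
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature")
	}
	var d signedData
	if err := json.Unmarshal(msg, &d); err != nil {
		return err
	}
	if d.Challenge != hex.EncodeToString(expected) {
		return errors.New("challenge mismatch")
	}
	if d.Origin != rp.Origin {
		return fmt.Errorf("origin %q does not match %q", d.Origin, rp.Origin)
	}
	return nil
}

// Demo runs a genuine login and a login relayed through a look-alike page
// (constructed origins) and reports whether each was accepted.
func Demo() (genuineOK, relayedOK bool, err error) {
	rp := NewRelyingParty("https://login.xyzcorp.com")
	dev, pub, err := NewDevice()
	if err != nil {
		return false, false, err
	}
	rp.Register("jim", pub)

	c, _ := rp.NewChallenge("jim")
	msg, sig := dev.Sign(c, "https://login.xyzcorp.com")
	genuineOK = rp.Verify("jim", msg, sig) == nil

	// The look-alike page forwards the real challenge, but the device signs the origin it saw.
	c2, _ := rp.NewChallenge("jim")
	msg2, sig2 := dev.Sign(c2, "https://xyzcorp-login.example")
	relayedOK = rp.Verify("jim", msg2, sig2) == nil
	return genuineOK, relayedOK, nil
}

func main() {
	g, r, err := Demo()
	fmt.Println("genuine login accepted:", g, "| login via look-alike page accepted:", r, err)
}
```

Two properties carry the security argument: the server never receives anything reusable (no password, and each challenge is consumed on first use), and the origin inside the signed message means the attacker's relayed response fails even when they forward the real challenge in real time.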
If you’re concerned about your business’s risk and technology security, email Jim Hoffman @ JHoffman@i3bus.com, call 616-719-4142 or fill out the form below.