Appeal to Human Nature to Prevent Cybersecurity Breaches
Phishing is one of the most common ways hackers use social engineering to gain access to your data and systems. Learn how to incentivize workers to stay secure.
Employees are in the spotlight today … and not in a good way.
Employees are increasingly the target of cyberattackers who recognize the vulnerabilities that can be exploited by targeting people, not systems. Increasingly, hackers are using social engineering (the manipulation of people so they give up passwords, credit card numbers or other sensitive information that can lead to system take-downs or stolen data) to commit their crimes.
“Hackers have switched their game plan. Instead of trying to take down firewalls, they’re targeting employees,” notes the recent Cybersecurity Insight Report by CDW. “By using social engineering and simple phishing schemes to breach a company, they’ve discovered a low-tech, albeit very powerful way, to infiltrate networks.”
What Is Social Engineering?
Social engineering is a way hackers prey on human emotions and the innate desire to trust another person. The consequence of that misplaced trust can be the infiltration of systems. Here are several examples of phishing attacks, one of the most common social engineering tactics:
- An email claiming to be from a corporate help desk asking an employee to change their password, citing an urgent threat
- A request from a supervisor to assist with a special project
- An email labeled Confidential asking an employee to review a memo about raises, a sensitive customer issue or a safety matter
The common thread? A desire to do right by the employer, supervisor or coworker. The common approach? Asking an employee to take action — clicking on an attachment, going to a website and/or sharing access information.
Employees who fall for these ruses end up providing hackers with valuable information that can lead to widespread system vulnerability. Websites are held ransom. Sensitive data are stolen.
Here is a look at some of the most common forms of social engineering that trick unsuspecting employees:
- Phishing. A common attack vector, phishing attacks are typically generated via email or text, seeking information or action
- Baiting. A victim needs to react to bait, such as a USB drive that, when connected to a laptop or desktop, unloads malware or viruses
- Email hacking. Similar to phishing, email hacks can send fraudulent emails to every contact in an email account, asking for a favor or spreading malware via an attachment
- Pretext. A classic attack vector, this approach uses a fake premise to get a duped employee to take action. This is the category that includes long-lost inheritances or distant deceased kings needing your help in accessing the money
- Vishing. A voice version of phishing, with a scammer posing as a co-worker, customer or partner with a critical need for someone’s login credentials or bank account numbers
- Quid pro quo. A fraudster can make a deal seem fair or a bargain, but it’s usually the cheater who comes out on top
How Can We Stop Social Engineering Attacks?
Businesses have ample tools at their disposal to prevent these attacks, including content filters; anti-phishing, anti-malware and anti-spam software; firewall and zero trust monitoring; and employee training. All are good parts of a comprehensive defense strategy.
But just as hackers appeal to base human desires with social engineering attacks, your defense should also include carrots and sticks. For the latter, that means testing employees with fake phishing attempts and requiring corrective training for those who fall for them.
On the other side, your business should reward employees who call out suspected emails, thwart a vishing attempt or report a failure to follow policies related to authentication, verification or secure business practices. Following security guidelines should be a portion of performance evaluations. Rewards should be offered for identifying vulnerabilities and recommending solutions.
Appealing to human nature is at the heart of social engineering attacks. It should also be part of your deterrence and awareness rewards.