Adapting to its environment is the main way a business operates and survives, and the technological environment plays a crucial role in that process. As a result, cybersecurity becomes a fundamental pillar and employees are key players. Indeed, 62% of incidents of this nature in organizations are caused by human error, as reflected in the latest ‘Cyberthreats and Trends’ report prepared by the National Cryptologic Center.
This error may be due to carelessness about security, but an employee may also be deceived by cybercriminals and, inadvertently, open the doors of the organization through a social engineering attack: any of the manipulation techniques cybercriminals use to try to access confidential information, steal significant sums of money or take control of equipment. These attacks are becoming increasingly elaborate and frequent. Whereas in 2016 just over 92,000 cybercrimes took place in Spain, in 2020 they rose to almost 288,000, according to the latest study on cybercrime published in our country.
Phishing, cybercrime's favorite technique
Phishing is known to be the most common attack technique used by cybercriminals, but there are many others. It is estimated that neglecting cybersecurity can mean an average recovery cost of €75,000 for an SME, and several million for a multinational. These criminals may, for example, extort money from company managers in exchange for restoring the group's information and not making it public or auctioning it on the Dark Web. This explains why cybercrime is nowadays run as a franchise offering on-demand services, with a turnover higher even than that of drug trafficking.
Against this backdrop, the question arises as to what can be done to avoid falling into its traps. The first thing to do is to know how these types of attacks are carried out.
How do these attacks unfold?
Thanks to social engineering techniques such as phishing, cybercriminals gain the user's trust and are able to obtain their passwords or redirect them to fraudulent pages. But how do they get you to fall for this cyber-scam? Easily: by gathering all the information available from open sources on the network, such as forums, social networks or the media, and that of course includes information about companies. During this first stage, cybercriminals also select and sift through all kinds of documentation of relevance to their interests, such as lists of employees, email addresses or the company's organizational chart. With this information they can profile their scams more precisely and launch large-scale phishing (malicious email), smishing (fraudulent SMS) and vishing (fake phone calls) campaigns. They can even personalize their frauds further and impersonate a manager to contact an employee who is authorized to make payments and trick him or her into bypassing the usual procedure.
The latter is known as CEO Fraud and is a much more targeted cyberattack. But there is an even more precise form of deception: the ‘whaling’ attack. In criminal jargon it gets this name because it targets the "bigwigs": the criminals contact the CEO of the company in question directly and, using these same social engineering techniques, try to persuade him or her to provide confidential information or authorize some kind of transfer.
What are the most common hooks?
Cybercriminals often use respect for authority, the desire to help others or the fear of being locked out of a service as a pretext. They appeal to fear or a sense of urgency, or tempt their target with a very attractive offer, so that the victim clicks on a fraudulent link and provides their credentials or executes an infected file.
The importance of being protected
The best way to protect yourself against social engineering attacks is to raise employee awareness and make them key players against cybercrime. To do this, consider the following guidelines:
- Circulation of the security policy. Data security rules must be properly documented, regularly updated and always available to all employees.
- Develop a training plan. First select the aspects to be covered: the basic security procedures and controls; knowledge of and compliance with regulations, laws and agreements; and then the correct use of resources and the protection of personal data.
- General and specific training programs. Raise awareness among the entire staff of the existence and dangers of social engineering, and of personal responsibility for action or omission and its possible consequences. Analyze whether it is appropriate to develop specialized awareness programs for certain employee profiles and, of course, create an introductory training activity for new employees.
- Frequency of training. Repeating training regularly keeps knowledge up to date and addresses emerging weaknesses.
- Training evaluation and awareness. It is vital to measure employees' progress throughout the year.
- Extend these guidelines to third parties. Our environment can also be the victim of social engineering attacks that can affect our company. Therefore, it is important to ensure that our providers have awareness, education and training plans in place.
- Report, report, report. If we believe we have been the victim of a cyberattack, we must report it as soon as possible. This will help prevent the attack from reaching more employees.