October is National Cyber Security Awareness Month (NCSAM) and like Halloween, cyber threats can be pretty scary. This month, we will post a series of articles to help minimize IT security risks through end-user awareness and training.
Started in 2003, National Cyber Security Awareness Month is a collaborative effort between the Department of Homeland Security and the National Cyber Security Alliance. Each year, NCSAM highlights different themes with a strong focus on helping consumers avoid becoming victims of cyber attacks.
Because we are a Managed IT Service Provider for businesses and organizations in a multitude of industries, we wanted to focus on how cybercrimes affect companies. Cyber attacks are the biggest threat to organizations today, and they don’t just prey on large corporations. Cybercrimes targeting companies with fewer than 250 employees have steadily increased over the last five years, affecting 61% of SMBs in 2017.
Employees are the weakest link for organizations when it comes to cybersecurity. Even if your business has deployed all the security tools possible, including anti-virus and anti-malware software, firewall, email, and web filtering, etc., an action by a single employee can cost your business thousands of dollars or compromise customer and employee data. If attackers can bypass all of these methods, you can bet they are sophisticated enough to trick your employees into opening an attachment, clicking on a link or even transferring money to a fraudulent bank account!
So what are the most common ways these cybercriminals are using your employees to infect your network?
Social Engineering is a term used to describe the psychological manipulation of people into performing actions or divulging confidential information. There are several different ways cybercriminals use social engineering to attack businesses. Below are some examples; we will discuss the most common types of scams in more depth.
Phishing is still one of the most common methods cybercriminals use to trick employees, and the emails are getting better and more legitimate-looking. Gone are the days of phishing emails being easily spotted due to bad grammar, suspicious sender email addresses and low-resolution graphics. The new phishing emails are extremely convincing and oftentimes look exactly like the company they’re trying to emulate.
While phishing emails are usually general and sent out to a larger group of people in hopes of tricking a small percentage of the overall target, spear phishing attempts are mostly sent to 10 or fewer mailboxes. With spear phishing, attackers already know information about the victim or the company they work for, making the email all the more convincing. This information is sometimes gleaned from social media posts by the individual or company. Successful spear phishing is the cause for 95% of all attacks on enterprise networks, according to the SANS Institute.
Vishing, or voice phishing, happens when the victim is called and manipulated into giving up sensitive information over the phone. Typically, the attacker pretends they are with a bank, government organization or trusted company and requests account credentials to verify the victim’s identity.
CEO Fraud, also known as Business Email Compromise (BEC), is a type of spear phishing attack and continues to increase year over year. This threat targets employees and involves the attacker spoofing an email from the CEO or other top-level positions within the company to request a funds transfer or private personnel or customer information. The FBI reports that BEC attacks caused $5.3 billion in losses between 2013 and 2016.
Here is a CEO Fraud scam scenario:
A cybercriminal learns that John, the CEO of XYZ Corp, is out of town at a conference through a post on XYZ Corp’s Facebook page. The attacker checks xyzcorp.com for a list of employees and is able to get the name and email address of Jane in the accounting department. He then spoofs John’s email address and sends the following email:
“Jane, are you busy? I need you to process a large wire transfer for me as I will be tied up at the conference all day. Let me know when you’re available and I can send the recipient’s details. Thanks, – John.”
Jane responds “Sure, I can help. Please send me the information and I will take care of it as soon as possible.”
The attacker emails the amount of the transfer and account details and Jane transfers the money.
Cybercriminals have also used this method of attack to trick HR employees into sending W-2s and other sensitive information. Over 200 employers were attacked in 2017, leading to hundreds of thousands of employees who had their identities compromised.
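The scenario above turns on a spoofed sender: the message looks as if it came from John, but the headers tell a different story. The following Python script is an added example, not part of the original article or Centre Technologies' tooling, showing the kind of header checks a mail gateway or a help-desk triage script can run to flag executive impersonation before Jane ever sees the request. The domain xyzcorp.com, the executive directory, the lookalike domain and the three sample messages are all constructed for illustration; the rules (display name matches an executive but the address does not, Reply-To diverges from From, SPF/DKIM failure on a message claiming the corporate domain, and a near-miss domain spelling) are common BEC indicators rather than a complete filter.

```python
# Added example (not from the original article): header checks that flag
# CEO Fraud / BEC indicators. All names, domains and messages are constructed.
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List

CORPORATE_DOMAIN = "xyzcorp.com"  # assumed internal domain for this example
# Executives whose names are likely to be impersonated, mapped to their real address.
EXECUTIVES = {"john smith": "john.smith@xyzcorp.com"}


@dataclass
class Finding:
    rule: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as xyzc0rp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: str) -> List[Finding]:
    """Return BEC indicators found in the headers of one RFC 822 message."""
    msg = message_from_string(raw)
    findings: List[Finding] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    name_key = from_name.strip().lower()

    # Rule 1: the display name is an executive's, but the address is not theirs.
    if name_key in EXECUTIVES and from_addr != EXECUTIVES[name_key]:
        findings.append(Finding("exec-name-mismatch", f"'{from_name}' <{from_addr}>"))

    # Rule 2: Reply-To differs from From, so Jane's reply would go elsewhere.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(Finding("reply-to-mismatch", f"Reply-To {reply_addr} != From {from_addr}"))

    # Rule 3: the message claims our domain but the receiving server recorded
    # an SPF or DKIM failure in Authentication-Results.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == CORPORATE_DOMAIN and ("spf=fail" in auth or "dkim=fail" in auth):
        findings.append(Finding("auth-fail", auth))

    # Rule 4: sender domain is a near-miss spelling of the corporate domain.
    if from_domain and from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(Finding("lookalike-domain", from_domain))

    return findings


# Constructed sample messages (not real mail).
SPOOFED_REPLY_TO = "\n".join([
    'From: "John Smith" <john.smith@xyzcorp.com>',
    "Reply-To: <john.smith.xyzcorp@example.net>",
    "To: jane@xyzcorp.com",
    "Subject: Quick favour",
    "Authentication-Results: mx.xyzcorp.com; spf=fail smtp.mailfrom=example.net; dkim=none",
    "",
    "Jane, are you busy? I need you to process a large wire transfer for me.",
])

LOOKALIKE_DOMAIN = "\n".join([
    'From: "John Smith" <john.smith@xyzc0rp.com>',
    "To: jane@xyzcorp.com",
    "Subject: Quick favour",
    "Authentication-Results: mx.xyzcorp.com; spf=pass smtp.mailfrom=xyzc0rp.com; dkim=pass",
    "",
    "Jane, are you busy?",
])

LEGITIMATE = "\n".join([
    'From: "John Smith" <john.smith@xyzcorp.com>',
    "To: jane@xyzcorp.com",
    "Subject: Board meeting notes",
    "Authentication-Results: mx.xyzcorp.com; spf=pass smtp.mailfrom=xyzcorp.com; dkim=pass",
    "",
    "Jane, attached are the notes from yesterday.",
])

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_REPLY_TO), ("lookalike", LOOKALIKE_DOMAIN), ("legit", LEGITIMATE)]:
        print(label, [(f.rule, f.detail) for f in check_message(raw)])
```

The script only looks at headers the mail server already records, so it costs nothing to run; what it cannot do is replace an out-of-band verification step, which is why a phone call to John at a known number before any wire transfer remains the control that actually stops the scenario above.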
The most effective way to reduce your cyber risks is by educating the employees in your organization so they know what to be aware of. Yearly and quarterly security awareness training is A MUST for every company, big or small, and especially for healthcare, government agencies, financial institutions, manufacturing, and legal companies.
It is your entire organization’s responsibility to be vigilant when receiving electronic and phone communication. Here are a few steps to help mitigate your cybersecurity risks:
Centre Technologies uses a layered security approach to protect our Secure Managed Services customers and IT infrastructure, which includes employee security awareness training. Check with your IT staff or service provider to see what they recommend for your organization.
To learn more about National Cyber Security Awareness Month, visit the linked National Cyber Security Alliance and the Department of Homeland Security pages.