Why Social Engineering is such a big risk currently

The COVID-19 pandemic has forced everyone, individuals and businesses alike, to rely almost solely on virtual and electronic means for both business and personal communication. In the context of web security, this means cybercriminals now have more targets than ever—that is, people, the weakest link in web security. Because so many are fearful over COVID-19, people and businesses are even more vulnerable to promises of help with financial, health, personal-security, legal, data-protection and other concerns.
This sets the stage for social engineering—the tactic of extracting confidential or personal information through psychological manipulation. It is commonly carried out by sending links or documents in emails, text messages and social media posts which, when opened or clicked, can infect users’ devices or entire networks with malware.
As your organization or business reconfigures workloads and workflow, as well as communication protocols, be sure to have corresponding security measures in place to avoid falling victim to social engineering, which attackers are likely to carry out over the course of the COVID-19 pandemic in the following forms:
1. Phishing

One of the most common types of social engineering attacks, phishing is attempted most often through emails. Cybercriminals are now carrying out their attacks with increasingly convincing emails, to the extent that it’s almost impossible not to believe they come from an employee, a supplier, a client, or even a financial institution.
Phishing messages typically require the targets to click a link that takes them to an infected page or to a fake version of a well-known brand’s website, where the target will be asked to “log in” (see typosquatting).
Phishing emails can also come with malicious attachments such as Word/Excel files or PDFs that targets are encouraged to open or download.
2. Vishing

Vishing is a voice-based attack that often features someone posing as an executive of the target’s company, or as a representative of a legitimate partner or supplier, who requests financial information or collects payments.

Vishing calls are often characterized by the caller being in a state ranging from irritation and anger to full panic, creating a stressful situation that, paired with the caller’s “rank,” urges the employee to comply.
3. SMiShing

SMiShing attacks employ text messaging or messaging apps such as WhatsApp and Skype to send messages to users that encourage them to click on links to a site or page where they are manipulated into providing personal information.
The recent rise in SMiShing attacks involves spoofing government agencies, such as health care agencies, and financial institutions, with the attackers offering information regarding the COVID-19 pandemic. In other SMiShing attempts, the attackers pose as representatives from companies like utility providers, payment apps, or online retail organizations.
4. Whaling

In a whaling attack, the targets are high-profile individuals or company executives, and the communication is designed to mimic official communication from a senior member of an organization, with the aim of either getting access to sensitive information or to the company/organization system, or requesting a financial transaction.
5. Typosquatting

Also known as URL hijacking, a sting site, or a fake URL, typosquatting is a form of cybersquatting, and possibly brandjacking.
In this type of attack, a cybercriminal will obtain domains with URLs similar to those of well-known organizations and exploit users’ typos and other errors when typing in the URL.
Because the fraudulent sites can look very authentic, attackers can request login and payment details, or install malware onto a device, simply by the target landing on the page.
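One defensive check that follows from the description above is to compare the domains users visit, or that appear in inbound mail, against the brands your organization actually deals with and flag lookalikes. The following is an added example, not code from the original post: the brand list, the confusable-character map and the candidate domains are all constructed for illustration.

```python
"""Flag lookalike (typosquatted) domains against a list of brand domains.

Added example, not from the original post. BRANDS, CONFUSABLES and the
candidate domains used in tests are constructed for illustration.
"""

# Constructed allowlist of legitimate brand domains (assumption).
BRANDS = ["example.com", "paypal.com", "microsoft.com"]

# Small illustrative map of characters attackers swap for look-alikes
# (assumption: not an exhaustive confusable table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(domain: str) -> str:
    """Return 'paypal.com' for 'login.paypal.com'.
    Simplification: assumes a single-label public suffix such as .com,
    so brand names placed in a subdomain of another domain are not caught."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold confusable characters and hyphens so visual twins compare equal."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, brands=BRANDS, max_distance: int = 2):
    """Return the brand a domain imitates, or None if it is the brand itself
    or does not resemble any brand. Catches digit/letter swaps (paypa1),
    multi-character confusables (rnicrosoft), typos and TLD swaps (paypal.co)."""
    reg = registrable_domain(domain)
    if reg in brands:          # the genuine domain or one of its subdomains
        return None
    cand = normalize(reg.split(".")[0])
    for brand in brands:
        ref = normalize(brand.split(".")[0])
        if cand == ref or edit_distance(cand, ref) <= max_distance:
            return brand
    return None
```

A real deployment would use a public-suffix list for `registrable_domain` and a fuller confusable table, but the comparison logic stays the same.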
6. Baiting

A cybercriminal perpetrating a baiting attack often lures their targets with offers (known as clickbait) that appear tailor-made to alleviate their situation, such as free downloads of videos on cooking healthy food or, as has recently been common, healthcare advice regarding COVID-19.
7. Social Media
With social media’s rising popularity as a source of news and situation updates, cybercriminals now have a platform to set up accounts where they can promote clickbait posts, which they pass off as news or as health care or financial advice.

As more people document their professional and personal lives on Facebook, Instagram, Twitter, and other platforms, unknowingly giving away personal information, social media is establishing itself as fertile hunting ground for cybercriminals, who use the platforms to harvest the answers to password-reset and security questions, such as the names of people’s pets or schools, or the titles of their favorite books.
Secure both your business and your staff with stronger web security to reduce social engineering attack success
Even without a national- or global-scale crisis, most web security breaches are facilitated by simple human error or negligence. So now, more than ever, when almost everybody is working from home or adopting similar forms of remote work, businesses need to be vigilant against attackers psychologically exploiting their staff to get access to sensitive information, intellectual property, business funds, and private systems.

Small businesses, in particular, which are often misled by the belief that they have little that cybercriminals would want, need to rethink their web security practices, especially now.
Discuss enterprise-class web security solutions like passwordless multifactor authentication (MFA) and SSO logins with TraitWare to make sure your organization comes out the other side of COVID-19 ready to move forward.