Calligo Blog

The COVID-19 social engineering tactics everyone needs to be aware of


By Calligo on 14 April 2020

In recent weeks, Calligo employees and our clients alike have reported an increase in the number of phishing attempts made as cybercriminals take advantage of the coronavirus (COVID-19) pandemic. It has become so prolific – and successful – that numerous IT security firms and law enforcement agencies, including the FBI, have released warnings.


The most common attack vector has been, as always, email. Most of these messages prey on users’ concern and thirst for information: content posing as coronavirus health advice, educational material or financial relief encourages them to click on links and to download or open Word documents and PDFs. If the link is clicked or the file opened, malware infects the device and compromises the network.


Despite increased deployment of security technology – anti-virus, anti-malware, anti-ransomware and anti-spam – combined with strict processes, 85% of organizations still reported phishing and social engineering attacks in the last 12 months, according to Accenture Security’s 2019 Cost of Cybercrime report.


This is because a business’s biggest IT security weakness, whatever controls it has in place, is its employees. And during these bizarre times, the threat your workforce poses has never been greater.

Widespread and long-term working from home creates additional security threats that most businesses are unprepared for, and a perfect hunting ground for phishing attempts.

  •  Persistent and unavoidable reliance on unsecured home networks
  •  Likely use of employees’ own devices
  •  Greater difficulty of verifying email instructions in person
  •  The difficulty of continuously reinforcing awareness of security threats
  •  Natural human susceptibility

It’s a lethal combination.


The secret is to educate your team on how social engineering works and what to be mindful of – not just in terms of the recent COVID-19 threats, but more widely.

To help businesses in these extreme times, we are sharing two useful guides that can help protect your data and network, plus our top tips on social engineering below.


How to protect your Microsoft 365 data

Discover the Microsoft 365 IT security features that appear to protect your data automatically, but do not.


The Top 9 SME IT Security Horrors

The top cybersecurity threats facing SMEs, based on our observations of client networks and their vulnerabilities.

Social engineering – What does this mean?

Social engineering is the use of psychological manipulation to convince and trick people into providing confidential and/or personal information. The tactic also involves sending links or documents by email, text message and social media that, when clicked on, could infect users’ devices or entire networks with malware.

Types of Social Engineering:

Phishing:

Phishing is one of the most common types of social engineering attack. Cybercriminals send increasingly convincing communications, such as an email or SMS message, made to appear to come from an employee, a supplier or even a financial institution. These messages ask you to click a link leading either to an infected page or to a website impersonating a well-known brand that asks you to “log in” (see typosquatting below). They can also carry malicious attachments such as Word, Excel or PDF files and encourage the user to download or open them.


SMiShing:

SMiShing uses text messages or messaging apps such as WhatsApp to push users into clicking malicious links and giving away personal information. Recently there has been a rise in SMiShing attacks spoofing government agencies, such as healthcare bodies, and financial institutions offering information about the COVID-19 pandemic. SMiShing attempts can also appear to come from utility providers, online retailers and payment apps.

Whaling:

A whaling attack is a communication designed to look as if it has come from a senior member of an organization. It targets high-profile individuals or company executives and aims to steal sensitive information, gain access to systems or request a financial transaction.

Vishing:

Vishing is a voice-based phishing attack, often from someone posing as an executive of the organization or a contact at a known partner or supplier, requesting payments or information. The caller often sounds angry, irritated or panicked, creating a stressful situation that makes the employee more likely to comply.


Baiting:

Baiting pretends to offer something appealing, such as free downloads or, as we have seen recently, healthcare advice about COVID-19, to lure the user into clicking. This is known as “clickbait”.

Typosquatting:

Typosquatting is when a cybercriminal registers domains with URLs similar to those of well-known organizations and relies on users making typos and errors when typing in the URL. Unfortunately, these fraudulent sites can look so authentic that they request login and payment details, or install malware onto a device simply by the user landing on the page.

Social Media:

Social media is increasingly used as a source of up-to-date news, and it provides cybercriminals with a platform to set up fake accounts that promote “clickbait” posts, often masquerading as news, healthcare or financial advice. Additionally, with more people documenting their personal lives on Facebook, Instagram and Twitter and unknowingly giving away personal information, it becomes easy for hackers to use these platforms to find passwords and the answers to IT security questions, such as the names of people’s relatives and pets.


How do I protect myself and my business from social engineering?

Here are a few tips on how users can avoid and combat social engineering attacks:

  • Do not open any links or attachments in emails from untrusted sources.
  • Be vigilant when opening any attachment, even when the email appears to be from someone you know. If you’re unsure, ask them.
  • Hover over a URL to see where it really leads before clicking, and check for typos or wrong domains; if you’re still unsure, do not click on it!
  • Do not be fooled by “clickbait” offers!
  • Be wary of social media – how much personal information are you giving away? Don’t be tempted to click on links offering discounts, advice or news.
  • Use trusted media outlets and official healthcare websites when looking for news and advice.
  • Always use strong passwords or passphrases.
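The “check for typos or wrong domains” tip above, and the typosquatting section before it, can be partly automated on the defender’s side. The following is an added example, not Calligo’s tooling: a small Python checker that compares the registered domain of every link in a message against a constructed allow-list and flags digit-for-letter substitutions, single typos or swaps, a trusted brand used as a subdomain of an unrelated domain, and a brand name buried in a longer label. The allow-list, suffix table and sample message are constructed; a production tool would use the Public Suffix List instead of the three hard-coded suffixes.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: domains this organisation legitimately receives links from.
KNOWN_DOMAINS = ("microsoft.com", "paypal.com", "hmrc.gov.uk")
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk"}  # stand-in for the Public Suffix List
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})  # micr0soft
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def edit_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition: microsfot -> microsoft
    return d[-1][-1]

def registered_domain(host):
    """'login.paypal.com' -> 'paypal.com'; 'hmrc-refund.co.uk' is kept whole."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def classify_url(url):
    """Return (verdict, registered_domain) for one link found in a message."""
    host = urlparse(url).hostname
    if not host:
        return ("invalid", None)
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return ("trusted", reg)
    if any(f".{k}." in f".{host}." for k in KNOWN_DOMAINS):  # paypal.com.account-verify.example
        return ("brand-as-subdomain", reg)
    sld = reg.split(".")[0].translate(HOMOGLYPHS)
    if any(edit_distance(sld, k.split(".")[0]) <= 1 for k in KNOWN_DOMAINS):  # typo, digit swap, wrong TLD
        return ("lookalike", reg)
    if any(k.split(".")[0] in sld for k in KNOWN_DOMAINS):  # brand buried in a longer label
        return ("brand-embedded", reg)
    return ("unknown", reg)

def triage_links(text):
    """Classify every http(s) link in a message body; anything not 'trusted' deserves a second look."""
    return [(u,) + classify_url(u) for u in URL_RE.findall(text)]

SAMPLE_EMAIL = """Your COVID-19 relief payment is ready: https://hmrc-refund.co.uk/claim
Sign in at https://www.paypal.com.account-verify.example/login
Update Office at https://micr0soft.com/update
Official guidance: https://support.microsoft.com/en-gb"""  # constructed, in the style of the lures above
```

Running `triage_links(SAMPLE_EMAIL)` returns one tuple per link; the first three are flagged as brand-embedded, brand-as-subdomain and lookalike, and only the genuine Microsoft support link comes back as trusted.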


How Calligo can help

Calligo’s award-winning IT Managed Services include IT Security services that address all three pillars of IT security and keep your business continuously protected from all attack types.

Our IT Security Services include:

  • Strategic security consultancy
  • Anti-virus, anti-malware, anti-ransomware and anti-SPAM
  • Security audits
  • Patch management
  • Penetration testing
  • Employee cybersecurity awareness training
  • Back-up & disaster recovery
  • Multi-factor Authentication

If you'd like to find out how Calligo can help your organization, get in touch.
