The COVID-19 social engineering tactics everyone needs to be aware of
In recent weeks, Calligo employees and our clients alike have reported an increase in the number of phishing attempts made as cybercriminals take advantage of the coronavirus (COVID-19) pandemic. It has become so prolific – and successful – that numerous IT security firms and law enforcement agencies, including the FBI, have released warnings.
The most common attack has been, as always, in the form of email. Most are preying on users’ concern and thirst for information, as content posing as Coronavirus health advice, educational content or financial relief encourages them to click on links and download/open Word documents and PDFs. If these are clicked on or opened, malware infects the device and compromises the network.
Despite the increased deployment of security technology – like anti-virus, anti-malware, anti-ransomware and anti-SPAM – combined with strict processes, 85% of organizations still reported phishing and social engineering attacks in the last 12 months, according to Accenture Security’s 2019 Cost of Cybercrime report.
This is because a business’s biggest IT security weakness, no matter what controls it has in place, is its employees. And during these bizarre times, the threat your workforce poses has never been greater.
Widespread and long-term working from home creates additional security threats that most businesses are unprepared for, and a perfect hunting ground for phishing attempts.
It’s a lethal combination.
The secret is to educate your team on how social engineering works, and what to be mindful of – not just in terms of the recent COVID-19 threats, but also more widely.
To help businesses in these extreme times, we are sharing two useful guides that can help protect your data and network, plus our top tips on social engineering below.
How to protect your Microsoft 365 data
Discover the Microsoft 365 IT security features that seem to automatically and actively protect your data, but do not.
The Top 9 SME IT Security Horrors
The top cybersecurity threats facing SMEs, based on our observations of client networks and their vulnerabilities.
Social engineering is the use of psychological manipulation to convince and trick people into providing confidential and/or personal information. This tactic also involves sending links or documents in emails and text messages, as well as across social media, that when clicked on could infect users’ devices or entire networks with malware.
Phishing attempts are one of the most common types of social engineering attacks. This is where cybercriminals use increasingly convincing communications such as an email or SMS message, and make it appear to come from an employee, a supplier, or even a financial institution. These messages will require you to click a link to either an infected page or to a website impersonating a well-known brand requesting you to “log in” (see typosquatting below). They can also include malicious attachments such as Word, Excel or PDFs and encourage the user to download or open the files.
SMiShing uses text messaging or messaging apps such as WhatsApp to encourage users to click on malicious links and to give away personal information. Recently there has been a rise in SMiShing attacks spoofing government agencies, such as health care agencies, and financial institutions, offering information regarding the COVID-19 pandemic. However, SMiShing attempts can also look like they have come from utility providers, online retail organizations and payment apps.
A whaling attack is a communication designed to look like it has come from a senior member of an organization. It targets high-profile individuals or company executives and aims to steal sensitive information, gain access to the system or request a financial transaction.
Vishing is a voice-based phishing attack, often carried out by someone posing as an executive of the organization or a contact from a known partner or supplier, requesting financial payments or information. The caller often sounds angry, irritated or panicked, which creates a stressful situation and often makes the employee more likely to comply.
Baiting often pretends to offer something appealing, such as free downloads or, as we’ve seen recently, healthcare advice about COVID-19. This is known as “clickbait”.
Typosquatting is when a cybercriminal obtains domains with URLs similar to those of well-known organizations and relies on users making typos and errors when typing in the URL. Unfortunately, these fraudulent sites can look authentic, and they request login and payment details or install malware onto a device simply by the user landing on the page.
Social media is a tool that is increasingly being used for up-to-date news, and it provides cybercriminals with a platform to set up fake accounts to promote “click-bait” posts, often masquerading as news, health care and financial advice. Additionally, with more people documenting their personal lives on social media such as Facebook, Instagram and Twitter and unknowingly giving away personal information, it becomes easy for hackers to use the platform to find answers to passwords and IT security questions, such as the names of people’s relatives and pets.
Here are a few tips on how users can avoid and combat social engineering attacks:
How Calligo can help
Calligo’s award-winning IT Managed Services includes IT Security services that address all three pillars of IT security and keep your business continuously protected from all attack types.
Our IT Security Services include:
- Strategic security consultancy
- Anti-virus, anti-malware, anti-ransomware and anti-SPAM
- Security audits
- Patch management
- Penetration testing
- Employee cybersecurity awareness training
- Back-up & disaster recovery
Find out more about our IT Security Services here.