As computer defense systems have caught up to the latest malware and cyber-attack capabilities, hackers and bad actors have gravitated to a tried-and-true method of gaining access to a company’s computer systems: human error. They do this through social engineering.
Social engineering is a type of attack that uses psychological manipulation to trick individuals into giving up sensitive information or performing actions that put an organization at risk. This can include tactics such as phishing scams, baiting, pretexting, and tailgating. The goal of social engineering is to exploit human emotions, such as trust, fear, or curiosity, to gain access to sensitive information or systems.
Organizations can take steps to prevent social engineering attacks by educating employees on how to recognize and respond to these types of threats. This can include regular security training and drills, providing clear guidelines for responding to suspicious emails or phone calls, and establishing a process for reporting suspected attacks. Additionally, implementing technical controls, such as two-factor authentication and email filters, can help prevent successful social engineering attacks.
One of the more common methods is gaining access to a company’s email servers via phishing, then using the information learned there to imitate how a supplier or business contact communicates and trick an unsuspecting employee into issuing payment. The employee believes the invoice is legitimate, but it is fake. Once the money is received, it is often moved offshore as quickly as possible and usually cannot be retrieved, even if government entities get involved.
The easiest step to prevent incidents like this is to have your employees call the person seeking payment to verify that they sent the communication in question. It can seem like an unnecessary step, but think about a typical larger invoice from one of your regular suppliers and ask yourself whether you could reasonably afford to have that amount of money vanish with nothing you can do to get it back.
If an event does happen, early reporting greatly increases the likelihood of the money being kept from leaving a US bank. Please consult this link to find the right agency to report a loss to. If it is reported in the first 24 hours, the chance of being able to recoup those funds increases tremendously.
Reach out for more tips and strategies for protecting your business.