Did you know that 95% of all successful cyberattacks begin with a phishing scam?
And that’s just one type of social engineering, a hacking method that puts us, our families, and our businesses at risk on a daily basis.
The unfortunate truth is that our personal information has a hard dollar value, and bad actors are relentless when it comes to finding new ways to trick us into divulging this information to them. The good news, however, is that we are in a good position to avoid falling victim to these scams if we know what to look out for.
Below we’ll walk you through what social engineering is, and our top 10 tips for staying safe.
What is social engineering?
“Social engineering” is when malicious parties exploit human trust or error to gain access to valuable information including passwords, credit card information, banking information, Social Security Numbers, and more.
Sometimes the hacker will manipulate us into handing over this information via email, phone, a fake website, or some other channel. Other times they’ll find a way to put malware onto our computers, which gives them direct access to our information and possibly even full control of the machine.
These scams can be carried out many different ways, including:
- Phishing emails
- Vishing (voice phishing)
- USB “plants”
- Fake IT support calls (“quid pro quo”)
- Fake sales/deals (“baiting”)
Here’s a fascinating (and scary!) example of vishing that shows how easy it can be to execute one of these scams.
As troubling as these hacks are, the right education can do wonders to help us stay safe. Below are some security best practices you can follow to help minimize your risk.
Top 10 tips to avoid social engineering hacks
To avoid these dangerous scams, follow these tips.
- Learn how to identify phishing emails and DELETE them. Spam filters are not foolproof, and scam emails will get through to your inbox. Know the red flags that identify emails that are likely scams. We have an infographic on this you can download (and hang on your whiteboard or office fridge!) here.
- Be suspicious of ALL requests—email or phone—for sensitive information. Even if a request for information appears to come from a company or a person you trust, don’t take it at face value. If a request comes over the phone, hang up and call them back on a verified number. If a request comes over email, confirm it with a phone call to a number you already know to be genuine, not one given in the email.
- Get verbal and/or written authorization for all financial transactions. Hackers are very good at making requests for financial transactions seem legitimate—an email can appear to come from your CEO with an urgent request for funds, and well-meaning accountants and CFOs will fulfill the request without hesitation. Don’t make any transfers until you have explicit approval through a different channel from the one the request arrived on.
- If you aren’t expecting an attachment or link, do NOT click on it. If you receive an invoice, delivery receipt, résumé, or any kind of email attachment that you were not expecting, don’t open it—it may well be infected with malware. If you think it might be legitimate, ask your IT team to determine whether the file is safe before opening it.
- Don’t plug any foreign USB/thumb drives into your machine. This is more common than you might think—bad actors will load USB drives with malware and leave them in an office, coffee shop, or anywhere that a curious person might pick one up and plug it in. If the drive isn’t yours, leave it alone.
- Use a password manager. Using strong passwords is good, but using a password manager is better. These programs help you create and organize your passwords, and many will flag any passwords that may have been compromised so that you can change them immediately.
- Use multi-factor authentication wherever possible. Multi-factor authentication adds another layer of security to your accounts in addition to your password. If you have this enabled, hackers who somehow obtain your password still won’t be able to log in without the second factor.
- Use a VPN, especially if you’re using free public WiFi. Unsecured WiFi connections are an easy way for hackers to intercept sensitive information. If you have to use an open connection, use a Virtual Private Network (VPN) to shield your activity from prying eyes.
- Back up everything. Most organizations have their servers backed up. Make sure your laptops and cloud file storage systems are backed up, too. In some cases of potent malware infection, restoring your data from backup is the only way to recover.
- If you think you’ve been compromised, shut off your machine and call your IT team. If you suspect you may have clicked an infected link or attachment, or browsed to a malicious site, shut off your device immediately so that the infection doesn’t spread. Then call your IT team so that they can handle it for you.
If your organization doesn’t yet have a formal Security Awareness Training program in place, we urge you to consider implementing one soon. We include this service in our fixed-price IT support solution for our clients given how absolutely critical education is to a company’s overall security posture.
Using education, reinforcement, phishing simulations, and more, these programs train your staff to recognize and avoid social engineering scams, and, more generally, to become your business’s strongest line of defense against a cyberattack.
Because when it comes to security, the old adage rings true: knowledge is, indeed, power.