How to help prevent social engineering attacks
Your business might employ every high-tech security measure available, but the human factor can still leave your company vulnerable to fraud through social engineering.
Social engineering is a class of attack that relies on deception rather than on technical exploits. It preys on people's anxieties, helpfulness, and curiosity: attackers pose as coworkers, company executives, vendors, or clients to manipulate staff into handing over valuable company information or access.
Emails, text messages, and phone calls are all used in these attacks. A social engineering attack can even be as simple as persuading someone at your company to hold a door open, giving the attacker entry to a secure area.
"Social engineering can take on many forms, but generally it involves tactics to get a bad actor of some kind access to a foothold in your network they can exploit further. Those bad actors will often try to create a sense of urgency to get the information they want and prey on people’s trusting natures."
Chief Information Security Officer, Huntington Bank
Resisting inherent helpfulness
Your company likely encourages a culture of service and kindness, but instilling a healthy dose of skepticism in your employees could protect your business. Implement cybersecurity protocols and trainings that empower employees to question suspicious or unexpected communications from people within and outside your organization. They should feel comfortable asking people to confirm details or insisting on using only verified contact information to discuss sensitive topics.
And do the same for emails. In a 2020 ActZero report, more than half of the cybersecurity professionals surveyed said email phishing attacks on their organization had increased since the start of the pandemic, and 30% reported that these attacks had been more successful during that time†.
Someone could pose as an internal sender by registering a lookalike domain, for example one that replaces an "i" in the company name with the number one. If you are not looking carefully, you could release private information that gives the attacker a path into your company's data.
“While it’s important your company has means of eliminating things like phishing emails or blocking known malicious websites, you must also take the time to train and test your colleagues’ security awareness and their ability to detect and avoid suspicious content,” Hilt recommends.
He also recommends tagging emails that arrive from outside the organization, so that employees know to treat them with extra caution.
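The two mail-handling measures above, catching lookalike sender domains and tagging external mail, can be expressed as a small filter. The following is an added example written for this page; it is not code from Huntington or from the article's sources. The company domain `example-bank.com`, the confusable-character table, and the sample From headers are all constructed assumptions. It goes slightly beyond the article's single "i" to "1" case by normalizing several common substitutions and also catching one-character typosquats.

```python
"""Flag mail whose From domain is external or impersonates an internal domain.

Added example (not from the original article). The internal domain, the
confusable table and the sample headers below are constructed assumptions.
Caveat: this inspects only the From header, which a sender controls; in a
real deployment pair it with SPF/DKIM/DMARC results so that a forged but
exact-match internal address is also rejected.
"""
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-bank.com"  # hypothetical legitimate domain

# Characters an attacker swaps for visually similar ones; each group maps to
# one canonical character so that legit and lookalike collapse to the same form.
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o",
    "3": "e",
    "5": "s",
    "7": "t",
    "8": "b",
    "9": "g",
})
# Multi-character confusables: "rn" reads as "m", "vv" reads as "w".
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a canonical form in which lookalikes collide."""
    d = domain.lower().translate(CONFUSABLES)
    for seq, repl in MULTI_CHAR:
        d = d.replace(seq, repl)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for an RFC 5322 From value."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "external"  # unparseable address: treat as untrusted
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
        return "internal"
    if skeleton(domain) == skeleton(INTERNAL_DOMAIN):
        return "lookalike"  # e.g. examp1e-bank.com, exarnple-bank.com
    if edit_distance(domain, INTERNAL_DOMAIN) <= 1:
        return "lookalike"  # e.g. example-bank.co, exampl-bank.com
    return "external"


TAGS = {"external": "[EXTERNAL] ", "lookalike": "[SUSPECTED LOOKALIKE] "}


def tag_subject(subject: str, verdict: str) -> str:
    """Prefix the subject according to the verdict; internal mail is untouched."""
    prefix = TAGS.get(verdict, "")
    if prefix and not subject.startswith(prefix):
        return prefix + subject
    return subject


def triage(messages):
    """Classify and tag a list of (From, Subject) pairs."""
    return [(frm, classify_sender(frm), tag_subject(subj, classify_sender(frm)))
            for frm, subj in messages]


if __name__ == "__main__":
    # Constructed sample headers for demonstration only.
    SAMPLE = [
        ("Pat Lee <pat.lee@example-bank.com>", "Q3 budget"),
        ("CFO <cfo@examp1e-bank.com>", "Urgent wire request"),
        ("IT Support <it@exarnple-bank.com>", "Password reset required"),
        ("ceo@example-bank.co", "Re: confidential"),
        ("Vendor <billing@partner.com>", "Invoice 1042"),
    ]
    for frm, verdict, subj in triage(SAMPLE):
        print(f"{verdict:10} {frm:40} {subj}")
```

The skeleton check is the important part: rather than hunting for one specific swap, both the legitimate domain and the suspect domain are reduced to the same canonical alphabet, so any combination of the listed substitutions collides with the real name. Adding more substitutions to `CONFUSABLES` widens the net without touching the classifier.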
Guarding staffing information
Companies might be unintentionally giving away secure information on their own website. Business updates, personnel bios, and financial milestones could all potentially fuel cybercriminals’ attacks.
“While it’s frequently necessary for companies to share information about key leadership, contact points, and so on, they should balance how much information is shared externally. Sharing too much can provide additional information for bad actors to exploit,” says Hilt. “Companies should ensure colleagues who have public roles are well trained to avoid being caught by social engineering tactics.”
Criminals use open-source information to gain knowledge about a company, its leadership, and how it operates. Leadership profiles with too many personal details offer shrewd fraudsters what they need to craft credible emails. Information about projects or financial accomplishments could make criminals sound convincing enough to manipulate employees into giving away access to secure information.
Preparing your employees to combat social engineering
Most organizations rely on technology and human interaction. Unfortunately, that makes everyone a potential target for a social engineering attack.
Guarding your company against these attacks has become increasingly important during the COVID-19 pandemic. Complaints to the FBI's Internet Crime Complaint Center (IC3) rose 69% from 2019 to 2020, with reported losses exceeding $4.1 billion‡.
Social engineering exploits people's emotions and vulnerabilities, so it is no surprise that scammers are taking advantage of the situation.
“Bad actors are not above using times of crisis or distraction against users to get the information or access they’re looking for,” says Hilt. “Whether it’s the COVID-19 pandemic, an ongoing merger, organizational changes, or some other stress point, it’s important to understand that bad actors will take advantage of those situations, and we need to remain vigilant.”
Developing and implementing cybersecurity policies and protocols can help guard your organization against these attacks. When your company discovers an active threat, such as a fraudster posing as the CFO and requesting sensitive account information by email, notify employees so they can be on the lookout for it, and make it policy that requests of that kind are confirmed through a separately verified channel, such as a phone number already on file, never by replying to the message itself.
The more knowledgeable your employees are about social engineering tactics, the better prepared they will be to avoid falling for them.
For more information on social engineering, and how to help avoid it, connect with your relationship manager.
†ActZero. 2020. Tackling Cyber Threats in a Newly Distributed Workforce. Menlo Park: ActZero. Accessed July 15, 2021.
‡Federal Bureau of Investigation, Internet Crime Complaint Center. 2021. Internet Crime Report 2020, p. 3. Accessed February 11, 2022.
The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.
Lending and leasing products and services, as well as certain other banking products and services, may require credit approval.