As the front line of your cyber defence, your staff is the area most targeted by social engineering scams. Any one of your employees can become the target of social engineers. But HR and finance fall prey to hackers most often, as they have access to your company assets.

Consider the following hair-raising social engineering attack scenarios:

The ‘Like & Share’ Sneak Attack

During her lunch break, Linda from accounts is scrolling through funny cat videos and friends’ photos on Facebook. She comes across a sponsored post that promises her a chance to win £100 M&S vouchers if she likes and shares it. Instantly tempted by the offer, Linda shares the post with her friends and goes about her day.

What Linda doesn’t know is that whilst she was jumping at the opportunity to treat herself to an M&S grocery shop, a file laced with malware was downloading to her work computer, giving hackers access to her company’s sensitive data and payment details. It’s not until millions of pounds are missing from the business bank account that she realises her mistake, but by then, it’s too late.

If Linda had been cyber security trained, she would have seen through the social engineering attack.

Hidden in Plain Sight

John, your HR manager, receives a call from the bank. They are calling to inform him that there has been a security breach. Could he provide the company account login details so they can check that nothing is amiss? Overcome by initial panic, he reads out the details to the bank employee, and once they reassure him all is well, he gets back to work.

When his boss gets a bank statement showing a transfer to an offshore account in China, it’s with a sense of dread that John realises the phone call was not, in fact, from the bank. Alas, there’s no getting the money back.

John would have spotted the vishing attack if he’d received cyber security training.

The Subtle Redirect

You ring your front of house, Jane, asking her to book last-minute train tickets to London, as you’ve just been called to go pitch tomorrow. As Jane rushes to make the purchase, she gets redirected to a new Payment Methods page. The new page looks like the rest of the website. Keen to secure tickets, she types in the card details and hits confirm.

What Jane doesn’t notice in her mad scramble to arrange the train journey is the slight difference in the URL. No one thinks much of it until you notice a large sum of money missing from your business account at the end of the month. By then, there’s nothing your bank can do about it.

Had Jane gone to a cyber security course, she would have recognised the redirect as pharming.

The Authoritative Impersonation

You receive an email from the Google Analytics team asking you to update your payment methods. They are having trouble verifying your payment. Keen to avoid any tracking downtime, you click on the legit-looking link provided and use your email login details to make sure nothing is amiss.

A few weeks later, you check your inbox on a Monday to find a response from your head of finance. They’re confirming that they have transferred the sum you requested. Only you haven’t requested such a thing. Digging into your ‘Sent’ folder, you find the scam email. It reads, ‘I’m boarding a plane out of the UK and won’t be accessible over the weekend, but we need to transfer money into xxx bank account ASAP.’

It’s obvious cybercriminals have used your credentials and authority to defraud you of a substantial sum. No getting it back now!

If only you’d done the social engineering training course your IT provider recommended, you would have thought twice before entering your login details.

Training your staff to spot social engineering attacks will allow them to confidently deal with phishing and minimise the cyber security risk to your business.
