In a trend known as ‘social engineering’, cybercriminals are increasingly targeting people instead of software, hardware or network vulnerabilities. This means that employees are often the gap in the armour that cybercriminals exploit.
It’s therefore critical for businesses to regularly conduct cybersecurity training and refreshers and to ensure that their IT teams are able to support employees as they navigate increasingly dangerous cyber terrain.
What is social engineering?
Social engineering has existed since the first scam artist tried to defraud and steal from someone else. However, the digital age has turned social engineering into an extremely lucrative business. Social engineering can be used to scam an individual, or as a way to gain access to an entire network. In a nutshell, it is when scammers pretend to be from a legitimate business and try to manipulate individuals into giving them confidential information, such as passwords and bank information.
On an individual level, one form of social engineering is receiving an email, SMS or WhatsApp message that looks like it comes from a legitimate body (such as your bank or the Revenue Services) but in fact carries a link that lets malware (malicious software) onto your device. The malware gathers information until the cybercriminals can access your bank accounts and credit cards. A phone call asking you for your one-time PIN (OTP) is another form of social engineering. Scam artists often use urgency and fear to get people to open these unsafe links or share personal information.
The same tactics are used at a business level. Employees receive emails with suspicious links, and all it takes is one person clicking a link in a phishing email for the hacker to gain access to the system. From there, they can spend weeks (or even months) slowly infiltrating the network, penetrating ever deeper as passwords are gradually cracked.
One of the best ways to keep your systems safe is to ensure that no one inadvertently lets a cybercriminal through the door.
Here are 7 simple tips that anyone can use to stay safe online:
1. Use strong, unique passphrases that are stored in a password manager
A passphrase is not a password. Instead, it’s a combination of two or more words, and the more the better. If possible, choose a phrase with a minimum of 10 characters, using a mix of capital letters, numbers, and special characters or symbols to increase the passphrase’s complexity.
Because you don’t want to use the same passphrase for multiple accounts, save your various unique passphrases in a password manager. Password managers are encrypted digital vaults, protected by a single master password or passphrase, that can be used to secure sensitive data, credentials and your identity.
2. Use multi-factor authentication (MFA)
Two-factor or multi-factor authentication (MFA) gives you an extra layer of protection because it requires more than a password to access your accounts. With MFA enabled, you will need to additionally verify your identity with:
- Something you have (such as your phone)
- Something you know (such as a PIN, password, or secret question)
- Something you are (such as a biometric face scan or your fingerprint)
With MFA, a hacker can’t access your accounts, applications or devices if they only have your password.
3. Connect securely
Passwords and additional authentication factors are important, but these can be compromised if you’re connected to an unsecured WiFi network.
Avoid using public or untrusted WiFi networks, especially when accessing or providing sensitive information, such as when online shopping or accessing your bank accounts. For organisations, requiring off-site employees to connect through a VPN service before they can access sensitive company data is also a good idea.
4. Secure devices and keep software up-to-date
Always secure your device with a password, biometric feature (your fingerprint or face recognition) or a PIN/passcode (without using your date of birth or bank PIN numbers). Ensure you lock your device when you are not using it or set it to automatically lock after a period of inactivity.
You should also only install software from trusted sources and enable automatic updates on your devices and systems. These updates are released to address security issues and fix bugs – both things that hackers will try to exploit. Install updates as soon as you are notified and remember to reboot your device as needed to ensure the update is applied.
5. Use secure websites
We all have a tendency to trust websites, but it is very easy for hackers to set up ‘spoof’ sites that look like the real thing, but aren’t.
Before you provide any sensitive information on a website, including any banking or personal information, make sure you are secure:
- Check that the domain name is correct – scammers often register a URL that looks similar to that of the website they’re trying to spoof
- Make sure the URL starts with HTTPS – the ‘s’ stands for secure, which means the connection between your browser and the website is encrypted (it does not by itself prove the site is genuine, so still check the domain name).
- Double check there is a lock icon to the left of the URL. You can also click on the lock to find more information about the security of the website, including its security certificate.
- Don’t click through certificate warning messages without reading them. Pay attention to them – they are issued by your web browser and they are warning you that there are security issues on the site you have visited.
6. Be alert to phishing scams
Phishing is a form of social engineering, typically carried out via email, that often conveys a sense of urgency. It is currently one of the most prevalent forms of cyberattack because it is easy to do and can target multiple individuals at once in the hope that someone will take the bait.
Spear phishing is a more dangerous form of phishing in which the email message is customised according to information the cybercriminal has already obtained about an individual to make the message more credible.
Often, the one follows the other. A phishing scam could be used to breach the outer cyber defences of an organisation, and the client data stolen through that breach is then used for more targeted ‘spear phishing’ attacks.
Some warning signs to help identify an email scam include:
- The email is unexpected or not personalised
- It has a sense of urgency
- There is poor grammar and spelling
- The URLs look unusual when you hover over them
- There is an unusual address or ‘Reply-To’ address
- You’re asked to enter personal information, click on a link, open an attachment, or download a file.
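Several of these warning signs can be checked mechanically before a message ever reaches a person. The following is an added example, not part of the original article: it applies four of the signs (urgency wording, a Reply-To domain that differs from the sender’s, a link whose visible text names a different host than its real target, and a generic greeting) to a constructed sample message. All addresses and domains in it are made up.

```python
import email
import email.policy
import email.utils
import re
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing several of the warning signs above.
SAMPLE_EMAIL = """\
From: Accounts Team <alerts@examplebank.com>
Reply-To: support@examp1ebank-verify.net
To: staff@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<p>Dear customer,</p>
<p>Please <a href="http://examp1ebank-verify.net/login">login to examplebank.com</a>
immediately to verify your account.</p>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    """Return the lowercase domain of an address such as 'Name <user@host>'."""
    _, address = email.utils.parseaddr(addr)
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw: str) -> list[str]:
    """Apply the article's warning signs to one raw message; return the ones that match."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    found = []
    body = msg.get_content()
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    # Sign: a sense of urgency (pressure words in subject or body)
    if any(word in text for word in URGENCY_WORDS):
        found.append("urgency language")
    # Sign: unusual Reply-To (replies would go to a different domain than the sender's)
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(str(reply_to)) != domain_of(str(msg.get("From", ""))):
        found.append("reply-to domain differs from sender domain")
    # Sign: link looks unusual when hovered (visible text names one host, href points elsewhere)
    for href, label in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        named = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", label.lower())
        if named and named.group(0) != host:
            found.append(f"link text says {named.group(0)} but points to {host}")
    # Sign: not personalised (generic greeting instead of the recipient's name)
    if re.search(r"dear (customer|user|member)", body, re.I):
        found.append("generic greeting")
    return found
```

Running phishing_indicators(SAMPLE_EMAIL) returns all four indicators; a plain internal message with a named greeting, no Reply-To and no links returns an empty list.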
Become cyber aware
Cyber awareness has become a crucial skill for every employee, on both an individual and business level. When we consider how many employees connect to secure business WiFi through their own devices, how individuals behave when they are away from their desks and company-supported devices and networks becomes as important as the organisation’s official cyber security protocols, firewalls and software. Cybersecurity awareness is no longer a nice-to-have – it’s a must-have.