The first consideration for information systems in any company is how to keep its data secure. Threats to company data are always present, and it is up to the information security team to minimize these risks. Social engineering is a major threat to a company. Most social engineering attacks are targeted at a single person and exploit that person’s willingness to help, greed, need for connection, fear, or sense of responsibility. Such manipulation can be used to get employees to release company information if they are not properly trained to be on the lookout for these threats.
Every company has something hackers want. Whether it is employee information, account information, or client data, it is valuable to someone. Social engineering is one way to obtain it: manipulating employees into providing sensitive information for the purposes of fraud, system access, or gathering information. There are several types of social engineering attacks, such as pretexting, phishing, baiting, tailgating, and quid pro quo. Phishing is probably one of the most recognized.
Phishing is a generalized attack, as opposed to spear phishing, which takes more time because it is aimed at a specific target (hence the term spear phishing). Phishing probes by email or phone to get an employee to give out information about employees, accounts, clients, and other sensitive matters. Phishing emails are getting more sophisticated as attackers develop their skills at mimicking other companies, invoices, email aliases, and web addresses. The differences are usually subtle but are visible if you know what to look for.
Phishing scams can come by phone or email. These probing attempts prey on a person’s feelings of urgency, importance, threat, fear, or obligation. The signs are subtle here as well, but with security training the company workforce can mitigate the risk associated with these scams. Phone calls may be framed as a threat or as a reference inquiry. The person in charge of the primary incoming line should have a clear definition of what information can be provided over the phone and what cannot.
Incoming phishing emails may appear more sophisticated. These attacks are meant to look official, with logos and even recognized names. However, there will be differences: a time stamp may be off, an email address may have transposed letters, or a questionable link may go to an unrecognized web page. It is important to always be suspicious of incoming attachments and websites, even if they come from a trusted source. It is never unacceptable to ask and confirm a request before complying with it. In most cases the source did not know their information was compromised. If the source was not aware of the threat made in their name, encourage password changes and a malware or antivirus scan on the systems they use. In information security it is always sec“u r it”y.
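As an added example (not part of the original article), here is a small Python check that runs the indicators listed above over a constructed message: a sender domain with transposed letters, a Reply-To that differs from the sender, and a link whose visible URL does not match where it actually points. The message, the domain names and the trusted-domain list are all assumptions made up for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample message for this example; not a real phishing sample.
SAMPLE = """\
From: Accounts Payable <billing@exmaple.com>
Reply-To: collect@mailbox-relay.test
Subject: Invoice overdue - action required
Content-Type: text/html

<p>Your invoice is overdue. Review it at
<a href="http://login-example.test/invoice">https://portal.example.com/invoice</a></p>
"""
TRUSTED = {"example.com"}  # hypothetical list of domains the company trusts

def osa_distance(a, b):
    """Edit distance that counts an adjacent-letter swap as a single edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]  # strip the display name
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw, trusted=TRUSTED):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg["From"])
    for good in trusted:  # transposed or swapped letters in the sender domain
        if sender != good and 0 < osa_distance(sender, good) <= 2:
            findings.append(f"From domain {sender} looks like trusted {good}")
    reply = domain_of(msg["Reply-To"])
    if reply and reply != sender:  # replies silently routed elsewhere
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        shown = urlparse(text.strip()).hostname if text.strip().startswith("http") else None
        if shown and shown != urlparse(href).hostname:  # link text hides the real target
            findings.append(f"Link shows {shown} but points to {urlparse(href).hostname}")
    return findings
```

Running `check_message(SAMPLE)` reports all three indicators; a message from the real domain with matching links reports none.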
Information system and security professionals are always looking for the newest way to safeguard company information, and as a professional, you should be too. Server patches should be up to date, security policies in place, and email filtering on mail services and firewalls at a minimum. However, focusing on the customer and working to serve them is another way to safeguard company information. An IT professional’s customer service skills allow any user, no matter how simple the question, to seek guidance when they find a possibly malicious message. If employees feel safe, it creates an environment where an employee is more likely to ask than to answer quickly out of fear during a social engineering attack.