
Let’s Talk About Social Engineering Small Businesses

November 14, 2018

If you work for, or with, small to mid-sized companies, you may think the risk of social engineering attacks is lower for you. You know all 30-100 people in your office, so a stranger would stick out, and you are accustomed to their requests and how they behave. It may be easy to think that you would never get an unknown phishing email from HR or a vishing call from IT. After all, you know Bob from HR and Linda from IT very well. However, don’t let the small size of an organization give you overconfidence or a false sense of comfort. Social engineering small businesses is a favourite of attackers, and it is often under-reported in the media. Additionally, it may be easy to fall into the trap of believing your organization is too small to be a target when there are much larger companies with bigger bottom lines. However, the attacker is looking for the lowest-hanging fruit, not necessarily the most lucrative target. There are still lots of social engineering techniques that work effectively against small and mid-sized businesses. Attacks on organizations of this size are on the rise, and they can be very devastating.


Popular Social Engineering Techniques Against Small to Mid-Sized Businesses

Even though you may be aware of all the individuals within an organization, do not underestimate an attacker’s ability to spear phish employees, even those in the C-suite. Many Chief Financial Officers (CFOs) in small businesses are the targets of spear-phishing campaigns, or very specific, individually tailored phishing emails asking the recipient to take an action that could compromise the network or financial well-being of the organization. An attacker may pose as the CEO or an authority figure that can make financial decisions and request the CFO wire some large sum of money to a contractor when, really, the CEO’s email address is being spoofed to make a fraudulent request that will send money directly to your attacker.  

Additionally, some roles in organizations require interaction with the outside world, which an attacker will quickly be able to identify. The sales and marketing departments, specifically, must engage with unknown entities and individuals. If the sales department receives a new Purchase Order (PO) or a sales inquiry with an attachment, it may feel very natural for those employees to click a link, download a document and agree to whatever prompts those documents present. However, POs should be treated with extreme caution precisely because they are expected, externally sourced documents: an attachment that looks like a PO could carry malware intended to compromise your organization’s network.
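The two patterns above (a spoofed executive address asking finance to wire money, and a purchase-order-themed message carrying a malicious attachment) are both things a mail gateway or a SOC triage script can flag before a person has to decide. The following is an added example written for this post, not code from Social-Engineer or any vendor; the corporate domain, the executive directory, the keyword list, the attachment-extension policy and the three sample messages are all constructed assumptions. It checks whether a sender's display name matches a known executive while the address does not, whether the corporate domain's mail actually passed DMARC, whether payment language accompanies that impersonation, and whether an external sender attached a file type that can execute code.

```python
"""Triage for executive-impersonation (BEC) mail and purchase-order malspam.

Illustrative example only. CORP_DOMAIN, EXECUTIVES, PAYMENT_TERMS,
RISKY_EXTENSIONS and the sample messages are constructed for this demo.
"""
import email
import re
from email.utils import parseaddr

# Assumed corporate domain and executive directory (display name -> real address).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Assumed phrases that often accompany fraudulent payment requests.
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|urgent|payment|invoice|confidential)\b", re.I)

# Assumed policy list of attachment types that can run code when opened.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk", ".zip")


def _sender_parts(msg):
    """Return (lowercased display name, lowercased address, domain) from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def _dmarc_passed(msg):
    """True only if the receiving MTA recorded dmarc=pass (assumed Authentication-Results format)."""
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()


def _text_body(msg):
    """Concatenate all text/plain parts so keyword checks see the whole body."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return " ".join(chunks)


def triage(raw_message):
    """Return a list of findings for one RFC 822 message string; empty means nothing flagged."""
    msg = email.message_from_string(raw_message)
    name, addr, domain = _sender_parts(msg)
    findings = []

    # 1. Executive impersonation: a known executive's name on a foreign address,
    #    or the real address but without a DMARC pass (header forgery).
    impersonation = False
    if name in EXECUTIVES:
        if addr != EXECUTIVES[name]:
            findings.append("display-name impersonation of executive")
            impersonation = True
        elif not _dmarc_passed(msg):
            findings.append("executive address without DMARC pass (possible spoof)")
            impersonation = True
    if impersonation and PAYMENT_TERMS.search(msg.get("Subject", "") + " " + _text_body(msg)):
        findings.append("payment request language")

    # 2. External sender with an attachment type that can execute code (PO malspam pattern).
    if domain != CORP_DOMAIN:
        for part in msg.walk():
            filename = part.get_filename()
            if filename and filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment from external sender: {filename}")
    return findings


# Constructed sample messages (not real mail).
BEC_SAMPLE = """From: "Jane Doe" <jane.doe@example-mail.net>
To: cfo@example.com
Subject: Urgent wire transfer

Please wire the contractor today. I am in meetings, do not call.
"""

PO_SAMPLE = """From: Orders <orders@vendor-example.net>
To: sales@example.com
Subject: New Purchase Order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached our purchase order.
--b1
Content-Type: application/octet-stream; name="PO_4471.docm"
Content-Disposition: attachment; filename="PO_4471.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

LEGIT_SAMPLE = """From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Lunch

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("PO", PO_SAMPLE), ("LEGIT", LEGIT_SAMPLE)):
        print(label, triage(sample))
```

The display-name check is the one that catches the case the post describes, since look-alike or free-mail addresses carrying an executive's name pass every technical authentication check; the DMARC check covers the other variant where the real address is forged outright. Either finding on a message that also carries payment language is a reason to route it to out-of-band verification rather than to the CFO's inbox.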

In the realm of impersonation, while you may know the face of everyone in your company, organizations interact with external contributors regularly. If your organization rents office space, anyone impersonating the cleaning crew, management company, service providers like pest control and package delivery, or even a frazzled looking spouse could present the opportunity for a malicious actor to breach your organization’s physical security.  

Social engineering small businesses is a lucrative endeavour with lots of options for an attacker. Given all of these entry points, how can small to mid-sized businesses effectively defend against social engineering threats?  

Protecting Your Company From Social Engineering

Good security requires defending on a variety of fronts. Try using as many of these recommendations as possible to protect your organization from malicious actors: 

  • Invest in a good security awareness program that includes both the training and testing of your employees. Having your employees understand where threats come from, what they look like, and how to report them is integral to a strong security posture;
  • Hire at least one person to run the Security department specifically; don’t rely on IT to handle both technical and security issues. Trust that a dedicated security professional is well worth their price;
  • If your employees ever work from home or non-office locations, ensure they understand the dangers of public WiFi and equip them with strong, full-tunnel Virtual Private Networks and/or personal hotspots;
  • Employ a strong multi-factor authentication tool within your business;
  • Ensure your employees verify requests, particularly any that ask them to click a link, run a program on their computer, or send money;
  • Stress the importance of physical security and not allowing tailgating through badge-access doors, or following employees, into your building;
  • Introduce yourself to, and work to befriend, the cleaning crew, mail and package providers, and other known contractors, as well as individuals working on other floors (when applicable). Knowing which individuals orbit around your organization acts as the first line of defense against physical intruders;
  • Encourage your employees to ask any unfamiliar face why they are in the office, and make sure they know whom to report suspicious activity to; and
  • Be sure all employees, and particularly those in outward-facing roles such as sales and marketing, are properly trained on how to identify phishing, spear phishing, and vishing attempts.

Sources:
https://us.norton.com/internetsecurity-privacy-risks-of-public-wi-fi.html
https://www.idahostatejournal.com/news/local/cyber-security-threats-against-small-businesses-on-the-rise-in/article_9353a9d2-160b-5b8d-93e2-065a6bf17d22.html
https://myonlinesecurity.co.uk/more-fake-purchase-order-malspam-delivering-malware/
https://www.social-engineer.com/protecting-trade-secrets-from-physical-intruders/
Image: https://blog.cloudmark.com/wp-content/uploads/2016/04/Picture1.png 
