If you work for, or with, small to mid-sized companies, you may think the risk of social engineering attacks is lower for you. You know all 30-100 people in your office, so a stranger would stick out, and you’re accustomed to their requests and how they behave. It may be easy to think that you would never get an unknown phishing email from HR or a vishing call from IT. After all, you know Bob from HR and Linda from IT very well. However, don’t let the small size of an organization give you overconfidence or a false sense of comfort. Social engineering small businesses is a favourite of attackers, and it is often under-reported in the media. Additionally, it is easy to fall into the trap of believing your organization is too small to be a target when there are much larger companies with bigger bottom lines. However, the attacker is looking for the lowest-hanging fruit, not necessarily the most lucrative. There are still lots of social engineering techniques that work effectively against small and mid-sized businesses. Attacks on organizations of this size are on the rise, and they can be devastating.
Popular Social Engineering Techniques Against Small to Mid-Sized Business
Even though you may know every individual within an organization, do not underestimate an attacker’s ability to spear phish employees, even those in the C-suite. Many Chief Financial Officers (CFOs) in small businesses are the targets of spear-phishing campaigns: very specific, individually tailored phishing emails asking the recipient to take an action that could compromise the network or the financial well-being of the organization. An attacker may pose as the CEO, or as another authority figure who can make financial decisions, and request that the CFO wire a large sum of money to a contractor. In reality, the CEO’s email address is being spoofed to make a fraudulent request that sends the money directly to the attacker.
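The spoofed-CEO wire request described above leaves traces in the message itself that a mail filter, or a cautious CFO, can check before acting. The script below is an added example and is not code from the original post; the organization domain, the executive list and both sample messages are constructed. It flags an executive display name on the wrong address, a lookalike sender domain, a Reply-To that diverts the conversation elsewhere, a failed SPF/DKIM/DMARC verdict in the receiving server's Authentication-Results header (which is where an exact spoof of the real address shows up), and urgent payment language in the subject or body.

```python
"""
Added example, not from the original post: triage the header and body warning
signs of a spoofed "CEO" wire-transfer request before anyone acts on it.
ORG_DOMAIN, EXECUTIVES and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed: display name -> real address

# Heuristic phrases that often accompany fraudulent payment requests (longest first).
MONEY_PHRASES = re.compile(
    r"\b(wire transfer|new account|new bank|wire|urgent|asap|confidential)\b", re.I)
# Verdicts the receiving MTA writes into Authentication-Results when the From is not authenticated.
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror|temperror|none)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg) -> str:
    """Concatenate the text/plain parts of the message (single-part or multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def analyze_message(raw: str) -> list[str]:
    """Return warning strings for a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]

    # 1. An executive's display name on an address that is not that executive's.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        warnings.append(f"display name '{from_name}' but sender is {from_addr}")

    # 2. Sender domain is close to ours but not ours (typosquat / lookalike).
    if from_dom and from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= 2:
        warnings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies would go to a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        warnings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 4. The receiving server's own SPF/DKIM/DMARC verdict says the From is not authenticated.
    for m in AUTH_FAIL.finditer(msg.get("Authentication-Results", "")):
        warnings.append(f"{m.group(1).lower()}={m.group(2).lower()} in Authentication-Results")

    # 5. Subject or body carries urgent / payment language.
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    hits = sorted({h.lower() for h in MONEY_PHRASES.findall(text)})
    if hits:
        warnings.append("payment/urgency language: " + ", ".join(hits))
    return warnings


# Constructed sample: CEO display name, lookalike domain, off-domain Reply-To,
# failed SPF and DMARC, and a wire request in the body.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@webmail-provider.invalid
To: cfo@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset="utf-8"

Please wire $48,000 to the contractor's new account today. Confidential, do not call me.
"""

# Constructed sample: a routine message from the real executive address.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Attached is the draft deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_message(raw) or ["no warnings"])
```

None of these checks proves fraud on its own; the value is that a request which trips several of them at once gets routed to an out-of-band confirmation (a phone call to the executive on a known number) before any payment is made.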
Additionally, some roles in organizations require interaction with the outside world, which an attacker will quickly be able to identify. The sales and marketing departments, specifically, must engage with unknown entities and individuals. If the sales department receives a new Purchase Order (PO) or a sales inquiry with an attachment, it may feel very natural for those employees to click a link, download a document and agree to whatever prompts those documents present. However, POs should be treated with extreme caution precisely because they are expected, externally sourced documents, and they can carry malware intended to compromise your organization’s network.
In the realm of impersonation, while you may know the face of everyone in your company, organizations interact with external contributors regularly. If your organization rents office space, anyone impersonating the cleaning crew, the management company, service providers like pest control and package delivery, or even a frazzled-looking spouse could present the opportunity for a malicious actor to breach your organization’s physical security.
Social engineering small businesses is a lucrative endeavour with lots of options for an attacker. Given all of these entry points, how can small to mid-sized businesses effectively defend against social engineering threats?
Protecting Your Company From Social Engineering
Good security requires defending on a variety of fronts. Try using as many of these recommendations as possible to protect your organization from malicious actors:
- Invest in a good security awareness program that includes both the training and testing of your employees. Having your employees understand where threats come from, what they look like, and how to report them are integral to a strong security posture;
- Hire at least one person to run the Security department specifically; don’t just rely on IT to handle both technical and security issues. Trust that a dedicated security professional is well worth their price;
- If your employees ever work from home or non-office locations, ensure they understand the dangers of public WiFi and equip them with strong, full-tunnel Virtual Private Networks and/or personal hotspots;
- Employ a strong multi-factor authentication tool within your business;
- Ensure your employees verify requests, particularly any that ask them to click a link and/or run a program on their computer or send money;
- Stress the importance of physical security: do not allow tailgating through badge-access doors, and do not let strangers follow employees into your building;
- Introduce yourself to, and work to befriend, the cleaning crew, mail and package providers, and other known contractors as well as individuals working on other floors (when applicable). Knowing what individuals orbit around your organization acts as the first line of defense against physical intruders;
- Encourage your employees to ask any unfamiliar face why they are in the office, and make sure they know whom to report suspicious activity to; and
- Be sure all employees, and particularly those in outward-facing roles such as sales and marketing, are properly trained on how to identify phishing, spear phishing, and vishing attempts.