Whether it’s your work or personal accounts, your digital profile says a lot about you, your company, and your contacts. Are you part of the almost 69% of U.S. adults who use Facebook? Or, perhaps you are one of the 303,000,000 active users on LinkedIn. Think about all the information you have online: interests, frequent locations, contact lists, recent searches, shopping history, purchases, etc. All of these data points (yes, all of them) can be used by an attacker to gain knowledge and target you and/or your company for phishing or vishing scams. In fact, in 2018, the FBI’s Internet Crime Complaint Center reported in their Internet Crime Report that 26,379 businesses were victims of vishing and phishing, accounting for $48,241,748 in losses.
How Do Attackers Infiltrate an Organization’s Digital Profile?
In many cases, all it takes for an attacker to infiltrate your company is to have you click on a malicious link. This link can be sent in the form of an email, social media direct message, instant message, or text message. Phishing attacks have become increasingly clever. However, by being aware of criminals’ possible attack methods, you can take an active role in staying safe and secure.
Before an attacker sends out a malicious link or makes a phone call, they perform research on the publicly open Internet using Open Source Intelligence (OSINT) techniques to learn about their target. Next, they search social media accounts for any personally identifiable information (PII) and continue to search online sources for data such as spreadsheets, breached databases, and repositories containing compromised login information. After the criminal obtains a set of credentials, they have potential access to the company’s systems, documents, and other accounts. They’ll use these ill-gotten credentials to log directly into your company’s network to further infiltrate it and gain a deeper understanding of the inner workings of your company.
Now that the attacker has accumulated the information needed for a strong and believable pretext, the success rate of the phishing email is greatly increased. Likewise for vishing: the better equipped the criminal is with knowledge of their target, the easier the vish is. For a visher, this means learning the lingo, jargon, and acronyms of their target or target’s company. Both vishers and phishers work to figure out the names of clients, systems, and departments, and to understand the identity-verification procedures employees follow for email and phone calls, in order to increase their chance of success.
The research is worth the effort because malicious vishers and phishers gain credibility when they have a valid user ID and seem to know ample information about the inner workings of the company.
How Are Attacks Used Against Businesses?
There are a multitude of reasons why an attacker would want to infiltrate a company’s network. For example, according to research done by Raconteur, the number one reason attacks are conducted is to hold the data for ransom.
How much could your business stand to lose if an attacker infiltrated your company’s systems? For instance, how valuable do you consider your data, employee names and emails, client contact information, and company financials? If an attacker were to infiltrate your network, they could affect your data and systems in any of five major categories: “deceive, degrade, deny, disrupt, destroy”. Once a breach occurs, it becomes easier for the attacker to discover other weaknesses in the business. They now have a deeper knowledge of the company’s operations and can move laterally or vertically to better perform additional phishing and vishing attacks and gain access to other parts of the business.
All attackers are on the lookout for one thing: data. Whether it’s personal or business information, the more an attacker collects, the better equipped they are to finish their job successfully. Data theft could result in legal liabilities, compromised financial accounts, and a loss of competitive advantage for a business.
How Can Organizations Protect Themselves Against Vishing and Phishing?
Securing your digital profile is the first step to protecting yourself and your business.
These are some actions you can take to ensure your digital profile becomes and remains secure:
- Keep your software up to date, especially security updates.
- Be familiar with, and routinely check, privacy settings.
- Use strong passwords that include a combination of numbers, letters, and symbols (online password generators and managers can help you make strong, safe passwords).
- Always use multi-factor authentication to secure your accounts.
- Never log in to personal accounts from company systems.
- Never navigate to a website from a phone call or email link. Always go to a browser and type in the URL to get to known websites.
- Always check the validity of callers. Request the caller’s email address to send a message to verify their identity. If the caller claims to be internal, always look them up via employee directories. Ask for their manager’s name or an employee ID.
- Train associates on how to properly answer, identify, and react to suspicious calls and emails. Social-Engineer can assist with developing and implementing your business’s security training program to protect against phishing and vishing.
To protect against leaked credentials, act as the hacker would and scout the Internet for any potential breaches. Dehashed.com and haveibeenpwned.com can perform a quick search across a plethora of data breaches to determine if your credentials have been compromised. If your credentials were compromised, immediately change your login information. National Cyber Security Awareness Month (NCSAM) is the perfect time to implement security measures and safeguards to protect your digital profile and the profiles of your loved ones. However, don’t be security conscious for just one month out of the year. Make security a way of life, 365 days a year!
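As an added example (not code from the original post or from Social-Engineer), here is how a defender can run the haveibeenpwned.com password check mentioned above through its Pwned Passwords range API without ever sending the password or its full hash: only the first five characters of the SHA-1 digest leave the machine. The sample API reply and its breach counts are constructed for the offline demonstration; `check_password` performs a live request only when no sample body is supplied.

```python
from __future__ import annotations
import hashlib
import urllib.request
# Pwned Passwords range endpoint: only a 5-char SHA-1 prefix is ever sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest:
    the 5-char prefix goes to the API, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times our suffix appeared in known breaches, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, range_body: str | None = None) -> int:
    """Return the breach count for `password`. If `range_body` is supplied it
    replaces the live request, so the same logic can run offline."""
    prefix, suffix = split_sha1(password)
    if range_body is None:
        req = urllib.request.Request(RANGE_URL + prefix,
                                     headers={"Add-Padding": "true"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            range_body = resp.read().decode("utf-8")
    return count_in_range(suffix, range_body)


# Constructed stand-in for the API's reply to prefix 5BAA6 (counts invented);
# the middle suffix is the real SHA-1 tail of the string "password".
SAMPLE_RANGE = (
    "00D4F6E8FA162A49A6FE9C5A44A8D0AD5E9:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "2DC183F740EE76F27B78EB39C8AD972A757:9\r\n"
)

if __name__ == "__main__":
    hits = check_password("password", SAMPLE_RANGE)
    print("compromised" if hits else "not found in sample", hits)
```

A non-zero count means the password appears in known breach data and should be changed everywhere it is used; the same prefix/suffix split is what lets the service answer without learning your password.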