Stay Safe Online: Protect Your Business from Online Threats

Cybersecurity Awareness Month (CAM) is upon us again! This year, the theme “Stay Safe Online” homes in on simple and easy ways to protect yourself, your family, and your business from online threats. Just like working out and healthy eating habits, small changes can contribute to the overall health of your security posture.

There are 4 core things you can do to start:

  1. Use strong passwords and a password manager
  2. Turn on multifactor authentication
  3. Recognize and report scams
  4. Update your software

Shocking, right? Well, probably not. Chances are, you’ve heard these core 4 steps a hundred times. They’re “core” for a reason; they work!

One of these steps stands out to us because it isn’t a technical setting, it’s a human-based initiative: Recognize and report scams. True, we have email safety in place and caller ID for our cell phones, but what if a scam bypasses those protections? How can we recognize a scam for what it is, and how do we report it? Today, let’s look at this from the perspective of how we can do these things within our business.

This topic is a vast one, and if we listed ALL possible scams and ALL possible methods, we would 1) bore you and 2) never finish the list. So instead let’s look at 3 areas we can briefly dive into applying within our businesses:

    • Proper Verification
    • Non-punitive Culture
    • Reporting Methods

Proper Verification

Just the other day, one of our employees received 2 emails. Both emails were supposedly from LinkedIn connections reaching out to potentially collaborate with this particular employee. The interesting part, though, is that these connections each reached out via email, and not within LinkedIn itself. Our employee did the right thing: they reached out to each connection using another method (this time it was LinkedIn messaging) to verify the messages were legitimate. In one case, the connection confirmed the message and email, and a great relationship was formed after some correspondence. In the other case, the connection never reached back out to our employee.

So, here we have one example with two parallel outcomes. What can we learn? Well, first, if the message is legitimate, then there is no harm in confirming this. Additionally, proper verification is necessary no matter what form of contact the other party attempts. And remember: trust your gut. If something feels off, or you’re wary, don’t discredit yourself! Again, there is zero harm in confirming the legitimacy of a message.

Non-punitive Culture

If you don’t currently own a company, then imagine for a moment that you do, and one of your employees reports a phishing email. Now, the link in this email led to a malicious credential harvesting site, and your employee interacted with this site before realizing the danger. After entering their information, though, alarm bells rang in their head. Suspicious, they report the email to their security team.

After looking into it, the security team is able to determine that the site was indeed malicious, and they lock down the employee’s account and permissions within the network. Because your employee reported this incident, your company is saved from a breach.

You now have a couple options:

      1. You can punish the employee for interacting with the link, or
      2. You can thank them for reporting it, explain the potential consequences if they had not, and provide them with further training in phishing.

You may see where we are heading with this. If you take the first action, possibly even firing the employee, what’s your next step? Filling their role. There’s a chance you fill their role with someone more security conscious and someone who has never clicked on a phishing email link before in their life! Chances are, though, you simply end up hiring someone who is untrained, and the cycle begins again.

Rather, by focusing on additional training and enforcing non-punitive policies with employees (who now already have experience with these social engineering methods), you can encourage appropriate reporting behavior in your employees. This in turn protects your company and strengthens your human firewall.

Reporting Methods

Finally, we will briefly discuss the importance of easy and accessible reporting methods. One of the common barriers to identifying scams is the lack of reliable, easy-to-understand reporting methods. Even if your employees can identify scams, it really doesn’t benefit you unless they are both empowered to report AND know HOW to report that scam.

We have worked with clients before whose employees were great at shutting down the vast majority of our vishing team’s calls despite that team’s best efforts. This was amazing to see and really impressed us! Maybe you can guess what happened next… we asked the security team how many of our vishing training calls were reported to them. The answer? Zero. Despite a high percentage of their employees shutting down our calls, not one reported these suspicious calls or alerted their security team to this attack scenario. This SIGNIFICANTLY increases that company’s chance of a potential malicious breach.

Does that sound familiar? If so, don’t get overwhelmed. Rather, reach out to the experts here at Social-Engineer to find out how you can implement, improve, or simplify your reporting methods.

Protect Your Business from Online Threats

Remember, with proper verification, a non-punitive security culture, and easy reporting methods, your company can improve its security posture. If you are in search of a security partner, reach out to any member of Social-Engineer to see how we can help you. Or, join our Mastermind group for monthly content and security tips!

Written by
Shelby Dacko
Team Coordinator & Human Risk Analyst, Social-Engineer, LLC
