Employees play a crucial role in preventing data breaches, as they are the last line of defense between a cyber attacker and your network. Unfortunately, employees are often the weakest link in a company’s cybersecurity. However, with a proper security awareness training program, organizations can help their employees become a human firewall that helps protect your company from cybersecurity attacks.
Many users are still unaware of the dangers of the internet and are vulnerable to getting tricked by social engineering into clicking on a malicious link or opening an email attachment in a phishing scam. Employees sometimes have a false sense of security and believe that their company’s cybersecurity measures like anti-virus or firewalls will protect them from malicious links or downloads. On average, it is estimated that 7-10% of phishing attacks make it past email filters, and into the inboxes of employees.
In order to create a security culture and improve the cybersecurity resilience of employees, organizations have to train everyone from the CEO to the intern, including onboarding every new employee with security awareness training. Security awareness training should be ongoing and adaptable in order to maintain a level of vigilance across all employees. This blog will delve into the seven most common types of social engineering threats and how an effective security awareness training program can help mitigate them.
Many social engineering attempts revolve around getting a potential victim to download and/or open a dangerous file attachment, such as an EXE, DOC or HTML file. For example, the bad actor may pose as human resources asking for employees to read a new policy in a DOC file, or they could pose as accounting sending out a file about a surprise bonus. Many employees may not take the time to analyze whether the email was from a legitimate source, and just open the document without suspicion. With proper security training, you can teach employees to be skeptical about unexpected emails, especially with attachments.
Before opening any attachments they need to double-check that the email is from someone within the company. If they’re not sure, they can call the HR department or accounting and check with them. Some of the most common successful spear phishing attacks are ones that impersonate employees at the company.
Many social engineering attempts contain malicious URLs masquerading as a trusted link from a particular vendor or trusted source. While many security tools can and will block these rogue links, it is possible for some to slip through the cracks. Employees must be trained to hover over a link in an email and analyze it before clicking. Below are some guidelines for determining whether a link is suspicious:
If the answer is yes to these questions, employees should be suspicious of the link and avoid clicking.
Removable media is portable storage that lets users copy data onto a device, remove it, and carry the data to another device, and vice versa. Some examples of removable media include USB sticks, SD cards, CDs and smartphones. A common social engineering attack is to leave USB devices containing malware where end-users will find them and plug them into their own computers. Security awareness training teaches employees how to reduce the risks from lost or stolen removable devices, and to avoid using any suspicious removable devices.
Another common type of phishing attack is search engine phishing, where attackers create fake websites optimized for search engines, aiming to appear in search results for popular queries. When users click on these results, they may be directed to phishing sites.
Security awareness training helps teach employees how to analyze whether a website is legitimate. Some ways to identify whether a website search result is suspicious include checking the URL for spelling mistakes, checking whether the brand exists, checking whether the domain is imitating a well-known domain with slight variations, and checking whether it is a paid advertisement or if the offerings seem too good to be true. When in doubt, using known and familiar websites is safer than clicking an unfamiliar link.
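As an added illustration, not part of the original post, the following Python function applies the hover-and-inspect checks described above (display text versus real destination, look-alike domains, a brand name buried in an untrusted host, a bare IP address) to constructed sample links; the trusted-domain list and the two-label domain simplification are assumptions.

```python
# Added example: automate the link triage an employee is taught to do by hand.
# KNOWN_DOMAINS and all sample links are constructed for illustration only.
from urllib.parse import urlparse

KNOWN_DOMAINS = ("example-bank.com", "example-payroll.com")  # assumed trusted domains


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_warnings(display_text, href):
    """Return the reasons a link looks suspicious; an empty list means no flags."""
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parsed.scheme!r}")
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a domain name")
    target = registrable_domain(host)
    # Anchor text that names one domain while the href points somewhere else
    shown = urlparse(display_text if "://" in display_text else "http://" + display_text).hostname
    if shown and "." in shown and registrable_domain(shown) != target:
        warnings.append(f"display text {shown!r} does not match destination {host!r}")
    if target not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if edit_distance(target, known) <= 2:
                warnings.append(f"{target!r} is a near look-alike of {known!r}")
            elif known.split(".")[0] in host:
                warnings.append(f"brand name {known!r} appears in an untrusted host {host!r}")
    return warnings


if __name__ == "__main__":
    for text, url in [("example-bank.com", "https://examp1e-bank.com/verify"),
                      ("Click here", "http://192.0.2.10/update.exe")]:
        print(url, "->", link_warnings(text, url) or "no flags")
```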
Employees who work remotely or on the move, such as while traveling on trains, may need extra training in how to use public Wi-Fi services safely. Fake public Wi-Fi networks, often posing as free Wi-Fi in coffee shops, can leave end-users vulnerable to entering information into non-secure public servers.
Educating employees on the safe use of public Wi-Fi and the common signs of a potential scam will increase the company's awareness and minimize risk. Before connecting to a free Wi-Fi network, employees should check whether there are official signs displaying free Wi-Fi access or whether the staff at the location can confirm the Wi-Fi network name. When in doubt, it is good to exercise caution by turning off sharing, using a VPN, and forgetting the network immediately after use.
QR code phishing is an increasingly popular social engineering tactic where attackers use QR codes to trick individuals into visiting malicious websites or downloading malicious content. This type of phishing leverages the increasing popularity of QR codes for quick and convenient information access.
Attackers may place QR codes on physical objects, such as posters, flyers, or product packaging, or in digital formats like email messages or websites. The goal is to entice users to scan the QR code, leading them to a phishing website designed to steal sensitive information or distribute malware.
Security awareness training teaches employees to be skeptical of scanning QR codes without first verifying the source, checking the URL, and inspecting the content. If anything seems suspicious, using a QR scanning app with built-in security features can help reduce the risk of scanning an unknown QR code.
SMS phishing (or smishing) and voice phishing (or vishing) are both types of phishing attacks done over the phone. Smishing is when scammers send phishing messages via SMS (text messages) to trick individuals into clicking on malicious links or providing sensitive information. Similarly, in vishing attacks, scammers use phone calls to trick individuals into providing personal information or financial details.
In both vishing and smishing attacks, malicious actors might pose as a bank representative, government official, or another trusted entity or organization to try and gain personal information such as social insurance numbers, bank numbers, or other credentials. Security awareness training helps employees learn to be skeptical of unknown calls and texts, and how to analyze any suspicious text messages or phone calls before clicking links or giving information.
Ultimately, it is impossible to prevent human error 100% of the time, but an effective and robust security awareness program can significantly reduce the risk of employees falling for social engineering threats. A security awareness training program with frequent and ongoing training, simulated phishing attacks to test employees' vigilance, and custom content created to target the areas of risk within an organization can transform employees from the weakest links in cybersecurity into the last line of defense.