Most digitally driven organizations today understand the grave potential consequences that cybercrime can bring. Whether they invest in their own in-house cybersecurity infrastructure or work with an experienced managed services provider (MSP) for streamlined, around-the-clock support, companies of all sizes appreciate that doing business online exposes them to an increasingly sophisticated array of digital threats.<\/p>\n
While organizations know they need to work closely with their MSPs to help prevent brute force attacks from gaining access to network assets, one area of cybercrime tends to get overlooked\u2014social engineering. Although businesses and their MSPs are investing more seriously in their cybersecurity infrastructure to defend network hardware and software, social engineering exploits the most vulnerable aspect of organizational cybersecurity: its people.<\/p>\n
Social engineering attacks rely on human error in order to gain access to an organization\u2019s network and wreak whatever kind of havoc cybercriminals have planned. Even if organizations and their MSPs work hand in hand in order to secure valuable hardware and protect business software, MSPs cannot constantly monitor employee activity. One wrong click on a cybercriminal\u2019s well-crafted phishing email or harpoon attack can jeopardize an entire business\u2019s IT environment.<\/p>\n
With the cost of phishing and social engineering attacks in 2019\u00a0averaging $1.4 million\u00a0per organization, MSPs need to consider how they can best defend their customers against this kind of cybercrime. From teaching employees how to spot suspicious emails to investing in sophisticated tools specifically designed to look out for social engineering, MSPs have an effective slate of strategies at their disposal when it comes to protecting partners from social engineering.<\/p>\n
Social engineering attacks are cybersecurity incidents that specifically target people instead of hardware or software. Rather than attempting to use brute force to bypass a network\u2019s existing cybersecurity defenses, cybercriminals deploying social engineering strategies attempt to prey on unsuspecting employees\u2014at every level of an organization\u2014to steal log-in credentials access otherwise off-limits areas, and hack valuable files.<\/p>\n
These kinds of attacks can take many forms, but all appeal to specific human weaknesses in order to work. They can take place online, such as over email, or in the physical world, such as at a building\u2019s security checkpoint. Some social engineering strategies even involve both worlds. For instance, a bad actor might leave corrupted flash drives in a company parking lot or lying around on office desks in the hope that an authorized employee will pick them up and accidentally download malware to their computer.<\/p>\n
Quid pro quo social engineering attacks rely on exchanging a good or service for information that a cybercriminal can use to access a private network. An employee might receive a call or email from a bad actor impersonating an external IT expert or internal tech support professional. They may press the employee to give them their\u00a0log-in information<\/a>\u00a0so they can upload a security patch, improve their computer\u2019s performance, or render some other kind of IT service. If they successfully convince an employee to provide those credentials, they can use that access to infect a computer with malware that will then spread throughout the network.<\/p>\n Other kinds of social engineering attacks abound. Baiting attacks attempt to appeal to an employee\u2019s curiosity\u2014for good or for ill. For instance, cybercriminals may attempt to bait workers into clicking on a link to download free music, or as we mentioned earlier, they may leave flash drives around that appear to store sensitive company information. Clicking on any such link or plugging that kind of flash drive into a company computer can be enough to give hackers all the access they need. Tailgating is another method of social engineering that involves unauthorized personnel following employees into areas that would otherwise be off-limits. They may appeal to their goodwill by claiming they forgot their access card, only to use that access to get onto the organization\u2019s network.<\/p>\n While these types of social engineering attacks might not be top of mind for many organizations, it\u2019s becoming increasingly common\u2014and increasingly successful. A recent report found that\u00a083% of all companies<\/a>\u00a0were the victims of phishing attacks in 2018. What\u2019s more, according to\u00a0CyberEdge,\u00a0the number of successful social engineering attacks continues to grow as the years go by. In 2014, 63% of social engineering attacks accomplished their goals. That figure rose to 71% in 2015, jumped to 76% in 2016, and hit 79% in 2017.<\/p>\n While quid pro quo, baiting, and tailgating have become prevalent in recent years, phishing might be the most well-known\u2014and the most effective type of social engineering attack. While quid pro quo and baiting attacks attempt to fool employees into providing network access either by offering a service that workers think they need or by appealing to their curiosity to take advantage of real-world trust, phishing relies on creating a false sense of urgency.<\/p>\n Phishing, which is the most relevant kind of social engineering attack today, primarily targets regular employees outside of the executive suite. Workers might receive an email, an instant message, or be directed to a particular website that has been carefully constructed to look like it\u2019s connected to a trustworthy source or reputable organization. Phishing has become increasingly sophisticated and hard to detect. Emails might include properly formatted hyperlinks, instant messages might appear to be coming from trusted personnel within an organization, and websites might have the appropriate branding and user interface.<\/p>\n However, what these forms of phishing all share is the urgency they try to create in the recipient.\u00a0Phishing messages often appear to come from banks, government agencies, or a particular department within an organization<\/b>. These attacks essentially threaten employees with some kind of blowback\u2014an account being locked, activity being reported, funds being frozen\u2014in order to get the recipient to immediately act without slowing down to use proper judgment.<\/p>\n If employees take the time to look closer, however, they\u2019ll be able to notice discrepancies that indicate common phishing techniques, as well as tip-offs that someone might be attempting to steal sensitive information. For example, hovering over email hyperlinks may reveal a different destination than the text would convey. Similarly, demands to immediately verify log-in credentials\u2014credentials that the supposed organization would not have a reason to request\u2014are a telltale sign that employees might be the target of a phishing attempt.<\/p>\n Phishing inherently casts a wide net. All it takes is one employee to fall for this kind of social engineering attack for cybercriminals to get the access they need. However, a similar type of social engineering\u2014known as harpooning or whaling\u2014takes a different approach. Rather than mass emails with the hope that at least one employee might fall for it, harpooning specifically targets executives\u2014and does so with pinpoint precision.<\/p>\n The method of delivery with harpooning is typically the same as phishing. An upper-level management professional might receive what appears to be a particularly important work-related email. Bad actors will have taken the time to make the message seem like it\u2019s coming from a legitimate entity, either within the organization or from a trusted third party. While phishing emails might run the gamut, from work-related materials to claims that employees have won a grand prize, harpooning scams attempt to draw executives\u2019 concern for top-tier problems.<\/p>\n For instance, a harpooning attack might take a particular executive\u2019s department into consideration and claim to be sharing highly sensitive materials relevant to their role. By doing so, these types of social engineering attacks aim to create the same sense of urgency in upper-level management as they do with regular employees\u2014with the shared goal of getting people to click before they take the time to carefully investigate messages for any inconsistencies.<\/p>\n If organizations haven\u2019t invested in staff security awareness training or cybersecurity tools specifically geared toward preventing successful social engineering attacks, it\u2019s critical that they do. Defending against spear-phishing is an increasingly common priority for organizations of varying sizes and diverse industries. As an MSP,\u00a0ensuring security measures<\/a>\u00a0are put in place is critical to help keep customers protected from the full range of tactics that cybercriminals will deploy.<\/p>\n To that end, MSPs should be able to provide their customers with the kind of social engineering attack prevention they need to maintain a safe IT environment. With the right\u00a0email threat intelligence software<\/a>\u2014such as\u00a0Mail Assure from SolarWinds<\/a>\u2014MSPs can monitor partner networks specifically for social engineering attacks, helping deliver anti-malware prevention and security against cybercriminals to those that need it most.<\/p>\n","protected":false},"excerpt":{"rendered":" Most digitally driven organizations today understand the grave potential consequences that cybercrime can bring. Whether they invest in their own in-house cybersecurity infrastructure or work with an experienced managed services…<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-4986","post","type-post","status-publish","format-standard","hentry","topic-security"],"acf":[],"yoast_head":"\nIs phishing a type of social engineering attack?<\/b><\/h3>\n
What are harpooning social engineering attacks?<\/b><\/h3>\n
How can organizations protect themselves against social engineering attacks?<\/b><\/h3>\n