Education is the key to thwart Covid-19 scams

Recent research from security rating firm BitSight showed that malware attacks have tripled since the global health crisis forced companies to work from home. According to the report, home office networks are 3.5 times more likely than corporate networks to be infected by malware.

Many of these attacks rely on social engineering tactics designed to play on users’ fears about COVID-19. Researchers believe that the cybercrime group Ancient Tortoise was the first to use coronavirus-themed scams to convince potential victims to send payments to attacker-controlled accounts. Many other similar attacks have followed. Some simply seek monetary gain, while others are designed to gain access to sensitive business information.

Below you will find five common types of social engineering tactics in use today. Share them with your clients to increase awareness among end-users.

  1. Phishing: Phishing is the leading form of social engineering attack. Phishing attacks are typically delivered in the form of an email, chat, web ad, or website that has been designed to impersonate a real person or organization. Phishing messages are crafted to deliver a sense of urgency or fear.
  2. Baiting: Baiting, similar to phishing, involves offering something enticing to an end-user, in exchange for login information or private data. The “bait” may be monetary or free goods of some kind.
  3. Quid Pro Quo: Similar to baiting, quid pro quo involves a hacker requesting critical data or login credentials in exchange for a service. For example, an end-user might receive a phone call from a hacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials.
  4. Pretexting: Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end-user by impersonating a co-worker or authority figure well known to an end-user.
  5. Social Media Deception: Criminals pose as a current or former co-worker, job recruiter, or someone with a shared interest on social media, especially LinkedIn.

Ongoing security education goes a long way to protect your clients against social engineering attacks. However, education is obviously just one part of a comprehensive security strategy. Putting the right technology in place is also essential. To learn more about key security technologies, check out this recent post from Datto CISO Ryan Weeks.
