Hackers are using increasingly sophisticated techniques to siphon money out of businesses, but most cybercrimes still hinge on a company’s weakest link: its employees.
Malicious attacks on businesses increasingly involve social engineering, with hackers impersonating senior management to direct unauthorized payments to their own bank accounts. The cost of these attacks, along with others such as phishing or malware, is on the rise.
Ramping up investment to strengthen systems and educating staff to tighten up security are vital for companies to fend off costly attacks and stay in business.
When an email from the CEO lands in their inbox, many employees will drop everything to respond as quickly as possible. But what happens if a request from the boss asking an employee to urgently process a hefty payment is actually fake?
It’s this type of social engineering or impersonation attack that is catching employees off guard.
As with most cybercrimes, hackers first need access to a company’s systems. Poorly protected virtual private networks with single-step authentication and browser-based webmail accounts are often the weak spots hackers target.
Hackers may use tactics such as automated “password sprays,” which generate endless commonly used password options in the hope one eventually works, or “credential stuffing,” a process by which hackers use details stolen from other accounts to see if the usernames and passwords are the same. Another tactic is the setup of a lookalike email domain and account, counting on the victim not reading the “from address” closely.
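The password-spray pattern described above leaves a recognizable trace in authentication logs: one source address failing against many different accounts, each only once or twice, rather than hammering a single account. The following detection logic is an added example (not code from the article or from Wipfli); the log format, the sample lines and the threshold of five distinct accounts are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (assumed format, not from the article):
# "<timestamp> <OK|FAIL> user=<account> src=<source ip>"
# 203.0.113.7 fails once each against five accounts, then succeeds on a sixth: spray pattern.
# 198.51.100.20 fails twice against one account, then succeeds: a user mistyping a password.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06 OK user=frank src=203.0.113.7
2024-03-01T09:05:00 FAIL user=alice src=198.51.100.20
2024-03-01T09:05:10 FAIL user=alice src=198.51.100.20
2024-03-01T09:05:20 OK user=alice src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_password_spray(events, min_distinct_users=5):
    """Return {src: sorted distinct accounts} for sources whose failed logins
    spread across at least min_distinct_users different accounts.

    A spray is "many accounts, few attempts each"; counting distinct accounts per
    source (rather than total failures) separates it from a single user retyping
    their password or from brute force against one account."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].add(e["user"])
    return {
        src: sorted(users)
        for src, users in failed_users.items()
        if len(users) >= min_distinct_users
    }


def successes_from_spray_sources(events, spray):
    """Return [(src, user)] for successful logins from a source already flagged as
    spraying; these are the accounts whose password the spray found and should be
    the first ones reset."""
    return [
        (e["src"], e["user"])
        for e in events
        if e["result"] == "OK" and e["src"] in spray
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(events)
    for src, users in spray.items():
        print(f"password spray from {src} against {len(users)} accounts: {users}")
    for src, user in successes_from_spray_sources(events, spray):
        print(f"ALERT: spraying source {src} logged in as {user}")
```

The threshold and the time window (none here; a real rule would bucket by hour or day) are tuning knobs; the structural point is to count distinct accounts per source, which is what makes a spray visible.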
Social engineering attacks often play on personal relationships and exploit the willingness of people to help out in an emergency situation. Once a hacker is ready to strike, they may start sending out emails to employees asking for small requests, covering their tracks by deleting sent messages and replies.
In one common scenario, the “CEO” says they’re scheduled to go to a major conference and want a batch of gift cards from a major online retailer to give away to clients at the event. Could the employee buy them, scratch off the silver foil and send the CEO the individual card numbers?
Other social engineering attacks simply rely on rudimentary impersonations. Hackers often set up dummy company websites and email accounts that at first glance look like the real deal.
The chances of success are lower, but emails sent from fake sites and addresses requesting money continue to fool many people who don’t take time to carefully check their origins.
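Both the lookalike-domain tactic in the earlier passage on hacker tactics and the fake sites and addresses described just above depend on a reader not checking the sender's domain closely. A mail gateway or mailbox rule can do that check mechanically. The code below is an added example, not code from the article or from Wipfli: the company domain `example.com`, the small homoglyph table and the edit-distance threshold of 2 are all constructed assumptions.

```python
import unicodedata

# Assumed placeholder for the company's real mail domain.
LEGIT_DOMAIN = "example.com"

# Small hand-built table of character substitutions that read the same at a glance
# (assumption; a production list would be far longer).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(domain):
    """Fold a domain to a canonical form: Unicode compatibility normalization,
    lowercase, trailing dot removed, common ASCII lookalikes replaced."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, legit_domain=LEGIT_DOMAIN, max_distance=2):
    """Classify an e-mail address as 'internal', 'lookalike' or 'external'.

    'lookalike' covers: homoglyph swaps (examp1e.com), near-miss spellings
    (example.co), the real domain embedded in a longer one
    (example.com.evil.net), and the same second-level name under another TLD."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain == legit_domain or domain.endswith("." + legit_domain):
        return "internal"
    n = normalize(domain)
    if n == legit_domain or n.endswith("." + legit_domain):
        return "lookalike"  # only matched after folding lookalike characters
    if legit_domain in n:
        return "lookalike"  # real domain used as a decoy prefix
    if levenshtein(n, legit_domain) <= max_distance:
        return "lookalike"
    labels = n.split(".")
    if len(labels) >= 2 and labels[-2] == legit_domain.split(".")[0]:
        return "lookalike"  # same name, different TLD
    return "external"


if __name__ == "__main__":
    # Constructed sample "From" addresses for illustration.
    for addr in ["ceo@example.com", "ceo@examp1e.com", "ceo@exarnple.com",
                 "ceo@example.co", "ceo@example.com.evil.net", "ceo@example.org",
                 "friend@gmail.com"]:
        print(f"{addr:28} -> {classify_sender(addr)}")
```

A gateway would typically tag 'lookalike' mail with a visible banner or quarantine it, and a mailbox rule can flag any message whose display name matches an executive but whose address is not 'internal'. The homoglyph table and the distance threshold trade false positives against misses and should be tuned against the company's real mail flow.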
In reality, few companies are adequately protected against hackers whose cyberattacks can be costly enough to force them out of business. Companies should treat investment in cybersecurity technology that adequately protects their systems as a form of insurance against loss. By ensuring that staff tighten security and learn to recognize the signs of a potential attack, companies can turn their weakest link into a formidable strength.
Learn how to protect your company at the April edition of Coffee Break,
Submitted by: Tom Wojcinski, director for risk advisory services, Wipfli LLP, wojcinski@wipfli.com