In our ever-evolving society, organisations are becoming increasingly reliant on online operations, leaving them more exposed to cyber threats than ever before. One of the threats becoming more prominent to organisations is social engineering, in forms such as phishing for information, vishing, spear phishing and whaling.

While these attacks vary in complexity, the basic premise is the same: the attacker impersonates someone else via email, telephone or website in order to trick the victim into handing over personal information.

To protect yourself from such attacks, it’s important to know what to look out for.


What is a Phishing Attack?

A phishing attack is one of the most common attack methods users are likely to face. It involves someone impersonating a person or organisation of importance in order to obtain insight and personal information for malicious gain.


Vishing

Vishing is phishing via a VoIP service, and can involve caller ID spoofing so that a phone call appears to come from a ‘reputable company’ such as Amazon, PayPal or Microsoft Support, or from a local supplier such as gas, electricity or even the tax office.

Importantly, many vishing attempts are also tied to a current affair: around the time a national census is occurring, for example, a malicious attacker may contact a victim posing as a census official. If successful, the data the attacker receives would be a treasure trove.


Spear phishing (social hacking)

Spear phishing involves the attacker directly targeting a specific organisation, or a specific person within an organisation, with tailored emails containing personalised information to increase the probability of a successful attack. When the target is a CEO or an executive who controls payments, this is called whaling.


Commonly targeted user information in an attack:

It is much easier to access a system with legitimate authority, for example by obtaining a user’s details such as a username and password, than to try to break into it.

Most password recovery systems require the user to answer several personal questions in order to reset a password, such as ‘what is your mother’s maiden name’. Through carefully constructed questions, a good ‘phisher’ should be able to obtain answers to these questions and use this information to gain access to particular systems. All too commonly, people will use the same email address and password combination for multiple systems, allowing for a multifaceted breach.

Another way an attacker may seek to gain personal information is by using confidential company information. Harvesting details such as mergers and acquisitions, management and personnel makes it easier to contact unsuspecting targets convincingly. For example: “your manager ‘x’ asked me to contact you about the current merger…”.


Why are these attacks so “successful”?

Social engineering attacks have been “successful” because they invoke an emotional response in the recipient. Words such as “urgent response required” or “change your password now or your account will be closed” trigger a sense of urgency and can lower the recipient’s guard.

By masquerading as a trusted entity or person, attackers can also make victims believe they are passing over sensitive information for a legitimate reason, such as to a helpdesk staff member assisting them with ‘troubleshooting or account verification’.


It’s not just about you, it’s about someone else

If you are part of a large organisation, it is not uncommon for phishing to be used casually to gather information and build a profile. Some of that data may then be used either to access a system or to impersonate an executive (whaling) and start sending fake invoices to the company.


Protecting yourself against attack

We all have off days, and this is exactly what ‘phishers’ rely on for a successful attack. To protect yourself and your organisation, there are a few simple steps you can follow:

1. Verify suspicious emails with a colleague or IT professional.

2. SMS or authenticator app-based multifactor authentication (2FA) adds a protective layer of security to your data.

3. Keep your operating system, browser and antivirus up to date. Modern browsers will alert you to insecure, unsafe or known malicious sites. Having a cloud-based mail filter (a secure email gateway, or SEG) is highly recommended; reputable filters will detect and quarantine many suspected phishing and impersonation emails.

4. Type URLs in yourself; try not to click links for important sites.

5. Beware of certain social cues and requests, for example anything marked as “urgent” around payments or requests to send personal details such as passwords.

6. Verify the person on the other side of the email or phone. This is very important, especially if you are contacted for payment or information. Confirm a caller by calling them back on a verified phone number.


For further information

If you have any questions or would like to discuss how you can protect your organisation, please get in touch with your local RSM adviser.