Would your employees recognize a phishing email if they saw one? Social engineering, or the act of attacking the human element of information security, poses a significant risk to businesses. With the level of sophistication of cyberthreats increasing by the day, many organizations can greatly improve the steps they take to defend against these types of attacks.
Cybercriminals have long used phishing and other social engineering methods to trick their victims into providing access to confidential data, such as passwords, Social Security numbers or account numbers. But those techniques are growing in sophistication, according to Verizon’s 2015 Data Breach Investigations Report.
In addition to the tried-and-true method of sending legitimate-looking emails to unsuspecting victims, cybercriminals are now using social media and other popular platforms to launch their attacks. With many of these phishing schemes targeting employees, business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers.
While your business may invest heavily in its information security infrastructure, such as firewalls and antivirus software, these measures may not be adequate for mitigating the risk of social engineering attacks. If you want to protect your company from cyberthreats, do not underestimate the importance of the human factor.
Phishing attacks on the rise
Phishing attacks have been a factor in more than two-thirds of cyber-espionage incidents for the past three years, according to the Verizon report. Phishing is one of the most common and efficient (less time, less complexity and low cost) social engineering methods used by cybercriminals.
The Verizon study noted that more than 23% of recipients open phishing emails at some point, and 11% open the attachments — an unsettling number, especially for businesses with hundreds or thousands of employees.
And phishing is on the rise, according to APWG, a nonprofit organization founded in 2003 as the Anti-Phishing Working Group. APWG tracks worldwide information about phishing attacks. More than 197,252 unique phishing reports were submitted to APWG during the fourth quarter of 2014, the latest time period for which data is available. This was an 18% increase from the prior quarter.
Examples of social engineering attacks
Spearphishing is a specific type of phishing attack in which the attacker uses a fake email address to deceive an individual in an attempt to gain unauthorized access to personal information. This is a highly targeted operation in which the hacker has at least some information that he can use to make himself seem familiar to the intended victim.
Social networks are increasingly being used to perform spearphishing attacks. Cybercriminals can also use crawling sites to gather information from social media. And some are even using Google Drive to stage phishing attacks.