The hacker sends a text message that looks like it is coming from a supervisor or co-worker.
The link in this message points to malicious code that is downloaded to the employee’s device as soon as the link is clicked. If the right protections are not in place, it can spread throughout your entire network.
How easy is it for hackers to pull off this type of social engineering?
I sent this message using a spoofing tool. The tool enabled me to change my phone number and contact name to that of Karen Witkowski (our new marketing manager at SensCy). I then went to LinkedIn and downloaded a photo of Karen. I uploaded that image to the spoofing tool and what you see is the result. When people change jobs, they announce it on LinkedIn. Hackers view this information as an opportunity to trick your employee into making a mistake.
According to a recent report in Forbes, employees of small businesses with fewer than 100 employees will experience 350% more social engineering attacks than employees of larger enterprises. Why is this happening so frequently? Hackers have realized that small business employees are less prepared to deal with these situations due to a lack of consistent training on how to identify social engineering.
There are a few clues in the above message that, with the proper training, employees will recognize:
- First, there are two errors in the text. Karen is spelled incorrectly and the phrase “as you request” should be “at your request” or “as you requested.” Foreign actors are often behind these types of attacks and, being non-native speakers of English, they regularly make these types of mistakes.
- The link appears to be a Dropbox link. SensCy does not use Dropbox in our day-to-day business.
- If you look closely at the link, there is an extra “p.” The correctly spelled link would be dropbox.com.
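The two link clues above (a service the company does not use, and a domain that is one letter off from the real one) can also be checked automatically before a message reaches an employee. The sketch below is an added example, not a SensCy tool: the approved-services list, the brand list and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumptions for illustration: services this organization actually uses,
# and well-known brands that attackers commonly imitate.
APPROVED_DOMAINS = {"sharepoint.com"}
KNOWN_BRANDS = {"dropbox.com", "sharepoint.com", "office.com", "docusign.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(url):
    """Last two labels of the host; a simplification that ignores suffixes like co.uk."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def check_link(url):
    """Return 'lookalike:<brand>', 'unapproved' or 'ok' for one URL."""
    domain = registered_domain(url)
    for brand in sorted(KNOWN_BRANDS):
        # Close to a known brand but not identical: the "extra p" case.
        if domain != brand and edit_distance(domain, brand) <= 2:
            return "lookalike:" + brand
    if domain not in APPROVED_DOMAINS:
        return "unapproved"  # a real service, but not one the company uses
    return "ok"


def review_message(text):
    """Map every URL found in a message to its verdict."""
    return {url: check_link(url) for url in URL_RE.findall(text)}


# Constructed sample text, modelled on the clues listed above.
SAMPLE = "Hi, here is the file as you request: https://www.droppbox.com/s/constructed-example"

if __name__ == "__main__":
    for url, verdict in review_message(SAMPLE).items():
        print(verdict, url)
```

A genuine dropbox.com link still comes back as "unapproved" here, which mirrors the second clue: the service itself is out of place for this company.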
Recognizing these cyberattack attempts requires that you commit to a persistent training program. Employees can become very adept at identifying these fraudulent attempts with practice. Studies have demonstrated that we humans become experts through repetition. SensCy recommends a cybersecurity training program that involves 10- to 15-minute lessons every other month.
It’s important to remember that these attacks are targeting your best employees—the ones who are trustworthy and want to help their teammates. By committing to a cybersecurity education program, you can protect your greatest asset (your employees), safeguard your business and sleep better at night knowing you are creating a front-line defense against cyber criminals.