As we begin a new year, it is always good to reflect on the events of the past few months, and take into consideration what your company may be facing in terms of security challenges over the next year. Some things change by the year, or by the month… or even by the week (Blockchain, anyone?). Other things persist and grow, becoming bigger and bigger issues over time. One of these persistent issues is social engineering, and the use of social engineering for the propagation of malware.
Social engineering is defined as the manipulation of people into accessing dangerous materials (such as malware), divulging private information (such as passwords or company data), or otherwise providing a foothold for malicious cyber attackers to bring harm to a business. This is normally done through phone calls or emails, but it also comes in other forms, such as malicious hardware (flash drives, disks, or even phones). Email, however, remains the most popular platform for launching an attack.
Social engineering attacks have existed in one form or another since the dawn of communication technology—and they continue to pose one of the highest risks to information security for businesses of all shapes and sizes across industries. This is why it is so crucial for companies to invest in social engineering awareness training for their employees.
Don’t Let Social Engineering Attacks Ruin Your 2018
2017 has been a banner year for social engineering attacks and the malware that depends on them to spread. Email scams—which are cheap, quick, and easy to customize—are a large part of the problem. It is simple for an attacker to produce a phishing email that looks convincingly like it’s from a trusted source, coaxing a targeted user into clicking links, downloading files, or divulging private information. It’s also difficult to trace such attacks, and equally difficult to prevent them without proper user education. In the worst-case scenarios, these slip-ups can lead to the propagation of malware on the network.
Learning from Recent Scams
Lots of big-name malware incidents occurred in 2017. While the WannaCry incident was the most notorious, shutting down businesses around the world and causing an estimated $4 billion in losses globally, it was not the only vicious malware that was initially and/or largely propagated through social engineering. Other large-scale malware attacks using social engineering this year include Nemucod, Locky, CrySis, and more.
It was recently announced that the Necurs botnet, the world’s largest spam botnet (an aggregation of “zombified” machines, set to perform a specific task), has been distributing the Scarab ransomware via email scams. Scarab is a specialized ransomware family first seen in June 2017. Over the Thanksgiving holiday, Necurs was able to send over 12 million emails in just a few hours. Scarab is now spreading at an incredible rate, thanks to users falling for these email scams and enabling the ransomware to propagate.
Decrease Your Risk with Social Engineering Awareness Training
Social engineering is serious, and continues to grow in severity every year. As a 2018 goal, companies need to up their vigilance. But how can you make sure your staff, clients, etc. are aware of the risks and don’t allow these threats to spread?
Online security awareness training, customized to fit your specific needs, can turn your staff from your biggest social engineering liability to your strongest protection. To talk with a security expert on how our social engineering awareness training program can help keep your business safe from social engineering attacks and malware/ransomware threats, contact Pivot Point Security.
Phishing emails are tricky. Based on our Cyber Security Awareness Training material, the 10 Tips for Detecting Phishing Emails infographic provides a cheat sheet of what to look for in unfamiliar emails.
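As an added illustration of the kind of checks such a cheat sheet asks a reader to make by eye (this is example code written for this page, not Pivot Point Security's own material or tooling), the following Python script inspects a raw email for three of the most common phishing tells: a sender display name that mentions a trusted domain while the actual address belongs to another domain, a link whose visible text shows one host while its href points to another, and a link host that embeds a trusted domain name as a lookalike. The sample message, the `example.com` "trusted" domain, and the `.test` hosts are all constructed for the demonstration.

```python
"""Flag common phishing indicators in a raw email (added example, not from the post)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims example.com, address and link do not.
SAMPLE_EMAIL = b"""From: "example.com IT Helpdesk" <alerts@mail-example-login.test>
To: user@example.com
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<a href="http://example.com.login-portal.test/reset">https://example.com/reset</a>
</body></html>
"""

# Constructed benign message for comparison: everything agrees with example.com.
CLEAN_EMAIL = b"""From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://example.com/reset">https://example.com/reset</a>
</body></html>
"""

# Matches something that looks like a domain name, e.g. "example.com".
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw: bytes, trusted_domains=("example.com",)):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Display name mentions a domain that is not the real sender domain.
    sender = msg["from"].addresses[0]
    sender_domain = sender.domain.lower()
    for m in DOMAIN_RE.finditer(sender.display_name):
        if m.group(0).lower() != sender_domain:
            findings.append(
                f"display name mentions {m.group(0)} but sender domain is {sender_domain}"
            )

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        href_host = _host_of(href)
        # 2. Visible link text shows a URL whose host differs from the real target.
        if text.startswith(("http://", "https://")) or DOMAIN_RE.fullmatch(text):
            text_host = _host_of(text)
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
        # 3. Target host is not the trusted domain but embeds its name (lookalike).
        for trusted in trusted_domains:
            is_trusted = href_host == trusted or href_host.endswith("." + trusted)
            if not is_trusted and trusted in href_host:
                findings.append(f"link host {href_host} embeds trusted name {trusted} (lookalike)")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw) or "no indicators")
```

These checks are deliberately cheap and heuristic: they catch the mismatches an awareness cheat sheet trains people to notice, and they are the sort of logic a mail gateway or a helpdesk triage script can run on every reported message before a human looks at it. They do not replace authentication controls such as SPF, DKIM and DMARC, which address the sender-domain question at the protocol level.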