Even if your organization has top-notch patch management and firewalls in place, cyber criminals can still pose a threat to your company. For many companies, the most vulnerable spot inviting IT security threats is your employees.
Human error can lead to mistakes, including small IT security mishaps that can have dire consequences. Cyber criminals take advantage of our human flaws. They will use persuasive tactics to trick your employees to give up valuable information or click on a link containing malware.
If cyber criminals succeed, they may be able to steal, alter, or wipe out your company data.
Here are 3 social engineering threats designed to trick your employees
1. CEO Fraud or Business Email Compromise (BEC)
In this scenario, cyber criminals hijack or mimic the email account of the CEO. They use the email to send messages to a financial controller or other people responsible for finances. The cyber criminal might request that the controller transfer money to “so-and-so” vendor or supplier. In reality, the controller is wiring money to the cyber criminal’s bank account.
Cyber criminals have 2 methods of disguising their email as a CEO:
- They phish the CEO’s email and gain access to his/her account
- They set up a look-alike domain that’s a letter or two off from the real one
Business Email Compromise is common at businesses that perform many foreign wire transfers. The perceived level of authority makes BEC different from other phishing schemes. The fraudulent emails always appear to come from the CEO and usually target the CFO or someone with similar financial authority.
CFOs and the accounting department can avoid this scam by being attentive to wire transfer requests larger than normal and typographic errors in the email. But the best way to verify the email’s authenticity is by asking the sender in person.
Wire fraud: an urgent form of BEC
Wire fraud is a financial scheme where the criminal poses as an authority (like the CEO) and urgently demands an immediate wire transfer to an outside account. Typically, the cyber criminal behind the scam will direct the employee to bypass standard wire transfer protocols or second approvers, using language such as:
- “By EOD”
- “Within 24 hours”
CEO fraud & wire fraud are forms of spear phishing
Spear phishing is when a cyber criminal impersonates a CEO or trusted source and targets specific employees to get money or sensitive information. The criminal asks for your account information or a money transfer that lands in the scammer’s bank account. While spear phishing schemes are designed to be convincing, the emails often have giveaways, such as:
- Demanding or unprofessional language
- Spelling or grammatical errors
- Email errors (signature doesn’t match sender email, etc.)
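Two of the giveaways above, a look-alike domain a letter or two off from the real one and a signature address that does not match the sending address, can be checked automatically before a message reaches the finance team. The following script is an added example written for this article, not code from the original post or any product it mentions; the company domain, the executive directory, and the sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Assumed organisation domain and executive directory (constructed for this example).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> real address
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def flag_sender(from_header: str, body: str = "") -> list:
    """Return the reasons a message looks like CEO impersonation; empty list means clean."""
    display_name, address = parseaddr(from_header)
    sender_domain = domain_of(address)
    reasons = []
    # Look-alike domain: not ours, but only a letter or two away from ours.
    if sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain: {sender_domain}")
    # A known executive's display name paired with an address that is not theirs.
    real_address = EXECUTIVES.get(display_name.strip().lower())
    if real_address and address.lower() != real_address:
        reasons.append(f"display name '{display_name}' but address {address}")
    # Signature block shows an address whose domain differs from the sending domain.
    signature = EMAIL_RE.findall(body)
    if signature and domain_of(signature[-1]) != sender_domain:
        reasons.append(f"signature address {signature[-1]} does not match sender domain")
    return reasons

if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    samples = [
        ("Jane Doe <jane.doe@example-corp.com>", "Thanks,\nJane\njane.doe@example-corp.com"),
        ("Jane Doe <jane.doe@examp1e-corp.com>", "Wire by EOD.\njane.doe@example-corp.com"),
        ("Jane Doe <ceo.janedoe@webmail.example>", "Need this within 24 hours."),
    ]
    for header, text in samples:
        print(header, "->", flag_sender(header, text) or "no flags")
```

A flagged message is a prompt to verify with the sender through a known channel, as the article advises, not proof of fraud on its own.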
Spear phishing has become more dangerous and prevalent in recent years. It’s crucial that SMBs train employees to recognize the signs of spear phishing emails. Companies should also enforce safety procedures for wire transfers, password updates, and exchanges of sensitive information.
2. W-2 email phishing scams
W-2 social engineering scams (another type of spear phishing) target employee tax records. The cyber criminal will request information from an employee’s W-2, disguised as a person of authority with control over your financial information. They could take any of the following roles:
- Tax advisor
W-2 schemes not only target specific employees; they aim to take employee information and claim those employees’ tax refunds. An IRS investigation into W-2 social engineering usually takes at least 6 months. If the IRS fails to recover your refund, fortunately for you, it will pay it out of pocket.
The W-2 social engineering scheme differs from other spear phishing attempts because it peaks during tax season and targets people who have yet to collect their refund. Make sure you verify with the sender any email requesting personal and financial information from your W-2.
3. Phishing schemes for social media or e-commerce accounts
General phishing schemes usually send messages that are less sophisticated than spear phishing. But cyber criminals will still pose as legitimate contacts, like Facebook, LinkedIn, or Amazon.
The email will try to draw you in with a notification about your personal logins for social media profiles or online vendors, usually insisting you click a link. Clicking the link exposes your login credentials to cyber criminals. Examples of notifications in these phishing schemes might look like:
- “You’ve won a FREE Amazon Prime membership.”
- “You’ve been tagged in a new photo on Facebook.”
- “Click this link to confirm changes to your LinkedIn profile.”
As soon as the attacker steals your credentials for one website, they can use the same credentials to log into other accounts. If you use the same password across many websites, the hacker has a high chance of accessing more than social media or e-commerce accounts. They could break into alternate email accounts and online banking portals, to name a few.
Managed IT security services can educate your employees on social engineering tricks
The best defense against social engineering schemes is training your employees to identify them. Create protocols on what to do in response to W-2 spear phishing attacks, company-wide emails impersonating the CEO, and so on.
The expertise needed to set up IT security protocols can be hard to come by. Many SMBs lean on managed IT service providers to set up procedures and help HR train employees. Work with a trusted managed services provider that will help you identify social engineering schemes and protect your company from them.