Why Employees Are Your Most Vulnerable Asset: Social Engineering Explained

By Dolly Krishnaswamy

Posted on Nov 3, 2016

Verizon’s 2016 Data Breach Investigations Report ranked Social Engineering attacks as the 3rd highest threat action, behind hacking and malware. These attacks have been rising over the years because they are relatively easy to execute and require little technical knowledge.

Unlike common hacking methods such as brute-forcing, cross-site scripting, or keylogging, Social Engineering uses a variety of psychological, informational, and behavioral techniques to access an organization’s information by exploiting a company’s weakest link: its employees. It is also the underlying technique behind some of the most common methods of attack, such as phishing and ransomware. This reliance on people rather than technology is one of the reasons why employee security awareness training is necessary.

To learn more about Social Engineering and which industries are most susceptible to social engineering attacks, check out the infographic below where we analyzed the Social Engineering scores of over 100,000 organizations across 18 industries in June and October 2016.

Warning signs of phishing sites

Uncommon or suspicious URL strings

    • Check the URL in the browser’s address bar. Sometimes the brand is misspelled, has extra characters after ‘.com’, or has a different country extension (.ru instead of .com), any of which can be a sign of an illegitimate site.
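
The three URL signs above can also be checked mechanically, for example in a mail gateway or a link-review script. The following is an added example, not code from the original post; the allowlist `TRUSTED`, the function names, and the simplification of treating the last two host labels as the registered domain are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains the organisation really uses (assumption).
TRUSTED = {"example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return warning strings for url; an empty list means no sign matched."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname found"]
    # The trusted domain itself, or a real subdomain of it, is fine.
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return []
    labels = host.split(".")
    # Simplification: ignores multi-part suffixes such as .co.uk.
    reg_brand = labels[-2] if len(labels) >= 2 else ""
    reg_tld = labels[-1]
    warnings = []
    for trusted in sorted(TRUSTED):
        brand, _, tld = trusted.partition(".")
        if trusted in host:
            # e.g. example.com.account-verify.ru: extra characters after '.com'
            warnings.append(f"'{trusted}' is embedded in a different domain")
        elif reg_brand == brand and reg_tld != tld:
            warnings.append(f"different extension: .{reg_tld} instead of .{tld}")
        elif 0 < edit_distance(reg_brand, brand) <= 2:
            warnings.append(f"'{reg_brand}' looks like a misspelling of '{brand}'")
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs, one per warning sign plus a legitimate one.
    for sample in ("https://www.example.com/login",
                   "http://example.com.account-verify.ru/login",
                   "https://example.ru/",
                   "https://examp1e.com/"):
        print(sample, "->", check_url(sample) or "no warning signs")
```

An empty result only means none of these three signs matched; it does not show that the site is legitimate.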

Strange spelling, grammar, and capitalization

    • Non-English speaking hackers may be using translation services to create copy designed to steal your credentials. While mistakes can sometimes occur on legitimate websites due to oversight, consistently bad grammar or incorrect spelling combined with a suspicious URL is a dead giveaway of a phishing site.

Strange branding/messaging

    • Hackers sometimes alter a brand’s copy or messaging in order to obtain the required information from you. Look for subtle changes or odd requests in the site’s copy along with suspicious URLs.

Tips for avoiding phishing attacks

    1. Never provide credentials to anyone, online or on the phone.
    2. Double check file extensions. If a ‘PDF’ ends in .exe, it’s likely malware.
    3. Be vigilant in verifying website authenticity. Is the URL correct?
    4. Double check and verify that emails are coming from the right person. Titles, positions, and even email headers can be fabricated. Verify with an out-of-band communication method, such as a direct phone call or in-person communication.
    5. Implement a ‘least-privileged’ policy, ensuring employees know only the credentials essential to performing their duties.
