Chris Zachar—Senior Consultant • 6/7/20
Most organizations understand the widespread threat of phishing emails and have incorporated security measures as part of the cost of doing business. However, many companies don’t realize that the threat of social engineering reaches beyond the common email attack. Users who are unfamiliar with the growing threats of vishing (voice/telephone phishing), smishing (SMS/Text), and portable device drops are less likely to recognize an attack and more likely to release sensitive data to the wild.
Vishing can be performed as an automated or personalized call. Using common scenarios, such as impersonating an internal department, social engineers can obtain information that workers would not normally release but give up under the immediacy of a live phone call. Requested items could include confirmation of the worker’s name and department, email address, employee ID, date of birth, social security number, customer or vendor information, and any other data that could be used to access the network, deliver malware, or build a larger-scale intrusion.
Smishing has grown with the use of mobile devices in the business world. Users are commonly connected to work 24/7, often on personal devices, and may be less alert to smishing attempts sent during non-business hours. Data breaches from smishing can include exfiltration of contact lists, malware loaded onto the device and from there onto corporate servers, and keystroke loggers. Links in smishing messages are particularly dangerous because users cannot hover over them to determine where they actually lead.
While not as widespread, portable media drops are an effective method of accessing a network. In this type of scam, USB flash drives, CDs or DVDs are deposited where a casual or targeted user might pick them up. Curiosity plays a large part in this type of attack – unsuspecting users may insert the device into a machine to view the data. Malware can then be loaded into the corporate network, or phone-home techniques can be used to reach sensitive information. In one study, researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan spread 297 USB drives around the Urbana-Champaign campus. They found that 48 percent of the drives were picked up and plugged into a computer, some within minutes of being dropped.
How can you protect your organization from these attack vectors? Determining your risk factors and educating users are key. Test your organization to identify your highest-risk areas and train users on the various threats. Risk-based surveys can help you understand your employees’ attitudes toward security and address shortcomings. Use “tone from the top” communications – messaging from senior management that security is important to your organization.
PhishLine offers a variety of solutions and training to address these attack vectors. Contact us to learn how we can help secure your organization from malicious actors and their growing arsenal of attacks.