When we think of hackers, we picture shadowy techies working in darkened rooms. They use their advanced digital tools to find holes in data security systems, gain entry into environments, and steal anything they please.
Yes. That’s all true, and those kinds of attacks certainly happen. However, for many environments, the biggest hole in the network is not some glitch in the code. It’s the human beings working at the business. They can be tricked into providing sensitive data or transporting malware into the business network. We are the hole, and hackers use sophisticated methods to manipulate our good-will and trusting nature to either infect our systems or steal personal information.
Their methods are diverse, but the first step to stopping them is awareness. These scams are only successful, because we fail to recognize them in the moment. If we can learn their methods, we can stop them in the act.
In this two part blog series, we’ll first address many of the most prominent strategies these hackers employ. Then in the second phase, we’ll talk about the best methods for training your team to spot these attacks and ramp up your defenses.
Every One Is Vulnerable, Everyone Is Attacked
There is no escape from these attacks. Everyone is targeted by them at some point or another, and most people, if you ask them, will have a story about being sent some form of phishing attack. According to the 2017 Internet Security Threat Report by Symantec, every 1 in 131 emails sent in 2016 contained some form of malware.
Social Engineering Strategies
Social engineering hacking strategies are known as “phishing” or alternatively “spear phishing” if a specific individual is the target. They are described as such, because it requires the fish to take the bait. The hacker can only lay out their lure and hope something bites. Though a phishing attack is commonly an email, it can take multiple forms.
The Phishing Email
The Phishing Email is an email that by all appearances looks like a legitimate message from a legitimate contact. It may be well-written, coherent, and fits in the context of the conversation. A good phishing email will not look abnormal in the slightest but contains attachments or links designed to corrupt and infiltrate the network.
The deviousness of the phishing email is how realistic it can look. These hackers will go to great lengths to craft a convincing message. A phishing email might contain the following information in an attempt to fool its readers:
- The names of the recipient’s friends, family, or coworkers gathered from social media sites.
- Legitimately branded material. The content may mimic the design style of the company.
- A concern, complaint, or crisis that fits the context of the communication. For example, in the contact center, an agent might receive a product complaint with supposedly attached photos of the defect.
Phishing Email Prevention Strategies
Though a phishing email may look compelling, there are strategies you can use to sort out the legitimacy of an email.
- Hover, Don’t Click: Hover the mouse over any links in the email and wait for the preview to pop up. This preview will display the linked address. If an email from your customer is trying to direct you to a web address outside the country or to a peculiar URL, this may be a phishing scam. When in doubt, it is best not to click the link.
- Paste into Word: It’s possible the URL will not display when hovering. Paste the link text into a Word document and inspect it there.
- Use Company Records: If someone is submitting a complaint regarding your company’s products or services, attempt to verify the sender’s identity using company records. If you find the account, call them to continue the conversation over the phone.
Social Engineering: Phone Call Phishing Strategies
One of the primary reasons phishing attacks are successful is that people are trusting in nature, and professionally, they are required to help and respond to requests. Those same vulnerabilities lend themselves to attacks over the phone as well, sometimes called social engineering. These attackers simply masquerade as a distraught customer to dupe a customer service professional or other employee.
- Customer Service Call: This attack begins with a call to the customer service department. Once connected, the attacker will explain that they can’t remember their password, email, or other login information. From there, they ask for help from the customer service professional. It works, because the employee on the phone is there to help. That’s their job. It is also important not to underestimate the level of planning that can go into an attack like this. They may call several times over weeks or use a mixture of email and phone calls. The goal is to build a rapport with the contact center agent, so that they relinquish sensitive information willingly.
- Direct Line: Alternatively, an attacker may call a specific person in the company to learn information about their spear phishing target. They may pose as a third party client or a friend of the individual and ask a few basic information questions. From there, they can use that information to better target their spear phishing attack.
Phone Call Prevention Strategies
The key to stopping this type of scam is to verify the identity of the person on the other end of the phone, but that can be more difficult than it sounds. Security questions are not as ironclad as we may assume. With the availability of social media, a savvy hacker can learn someone’s hometown, first pet, best friend’s middle name, and so on. Therefore, you must train your team to never divulge account passwords over the phone and consider acquiring security software that will analyze and verify voice patterns.
Misplaced Flash Drive
Beyond email and phone-based attacks, there are other ways to trick an employee into breaching their own network. This last strategy involves a hacker actually showing up to the office with the goal of planting a flash drive filled with their malware somewhere on the premises. Their hope is that someone will unwittingly plug that flash drive into a networked device. Once plugged in, the malware is left to wreak havoc on the network.
The attacker may arrive in a company uniform or branded attire, gain entry, and strategically leave a flash drive near someone’s work station. Alternatively, they may join a public tour of the office or facility. In either case, the flash drive will be planted, and the trap will be set.
Flash Drive Prevention Strategy
The solution is simple. If you don’t know who the flash drive belongs to, do not plug it into your computer. Ask around the office or nearby coworkers if it belongs to anyone, and if not, place it in a company lost and found or with Human Resources. If the files inside are important, someone will come back looking for it.
Other Prevention Strategies
In addition to the targeted prevention strategies above, there are several best practices you can do in your company to raise awareness of the threat posed by phishing attacks.
- Distribute Suspicious Call Recordings or Emails: Immediately following a suspicious call or email, distribute the call recording or email among your team members. Ask them to pay attention to the ways that the caller attempted to or successfully manipulated the contact/call center agent. Alternatively, assign a single agent to be responsible for receiving these recordings, and ask this agent to analyze the call for a short presentation to the rest of the team.
- Assess Your Assets: Take inventory of what types of personal information you have access to and what information someone else may want to steal. Knowing what your adversary is after makes it far easier to recognize a malicious attempt.
- Write a Policy for Relaying Personal Information: Privacy and personal information policies help direct the behavior of your agents and serve to thwart phishing attempts, so long as everyone follows the policy. In addition, it can also assist the agent during the phishing attempt. When dealing with a pleading customer over the phone or through email, the contact/call center agent needs ammunition on their side to deflect requests. A policy provides that.
Training Your Team
Prevention strategies are only helpful if your team puts them into use, but like any other technology adoption, change can come slowly. In the next article in this series, we’ll look at the best ways to train your team, make these lessons stick, and prepare your workforce to repel phishing attacks of all kinds.
For Further Reading: