Halloween night has arrived, so “Trick or Treat” you hear,
As witches and ghosts make their rounds, before they disappear.
Yet some terrors lurk in the shadows, waiting for their chance,
A cyber beast waiting patiently to attack your network and finance.
Beware of the cyber ghoul, throughout the whole of the year,
He’s looking out for any way in, it’s him that you should fear!
Skeletons, witches and zombies line the streets on Halloween, as children knock on doors seeking sweet treats. But the real tricksters hide in the shadows, waiting to attack at any given moment. And they reap lots of treats. Seeking financial reward or the theft of sensitive data, cyber criminals use sophisticated plots to gain access to your firm. Keeping watch for their games must happen every minute of every day. Online phishing attacks rose by 297 per cent in the year to Q3 2018*
Social engineering tactics, which target and exploit human behaviour, have become a common way for hackers to get around an organisation’s security. Staff awareness of the tricks used in cyber-attacks is critical for protection.
Fraudsters play tricks on individuals to gain access to systems. Whether through emails (phishing) or telephone calls (vishing), they convince the recipient to give them access to the company network, either by sharing their credentials or by clicking on malicious links that download malware.
Email inbox hijacking is one method that is becoming common. An employee clicks a link contained in a genuine-looking email and types in their credentials, unwittingly providing access to the hacker. With control over the inbox, the hacker accesses sensitive information or makes fraudulent requests from the email account to change the destination of payments – the finance director and team are key targets.
The most common cause of cyber losses is human error, so it’s important to manage this risk as well as work on IT security. Yet fraudsters are using more sophisticated, smarter methods, and it is becoming increasingly difficult to tell the fakes from the genuine.
The lucky ones escape cyber-attacks with minimal impact; but for many, cybercrime leads to significant data breaches, financial losses, business interruption and a dented reputation. The impact on staff can be stressful, so educating them on how to deal with an attack is fundamental to protection.
Over the years, companies have learnt the hard way to take cyber security seriously. Most have robust security technology, policies and controls in place to protect against a wide array of cyber-attacks.
Yet the use of social engineering tactics has opened up a new door. Staff education is critical to protecting your organisation: staff need to understand the risks, know how to spot potential threats or anything suspicious, be confident in reporting concerns and feel supported by the company.
Every organisation should have the mechanisms to regularly keep staff aware and trained on the latest scams, how to detect them, and how to deal with them quickly. While you can never avoid tricksters calling at your door, with a little effort you can reduce the number that manage to find their way there in the first place.
Here are some tips that may help you mitigate some of the common social engineering scams that we come across.
Encourage employees to question emails – were they expecting it, and is it normal behaviour from that organisation? Inspect the sender’s email address to ensure it looks genuine and seek verification – use an email address or telephone number already on file to confirm authenticity.
Advise staff not to click links until they have hovered over the link to view the domain address – this should always be recognisable. Discourage clicking if they have any doubts.
Train employees to be suspicious of calls and not to be afraid to say ‘no’. If unsure about providing information, do not give it on the incoming call; validate the caller internally and then call them back on a number published on their website.
If someone receives a suspicious call, have the mechanisms to report incidents internally and actively promote this practice.
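The two email checks in the tips above (does the link text match where the link really goes, and does the sender’s display name match the actual address domain) can be automated for a first triage. This is an added example, not QBE’s tooling; the message below is constructed and uses reserved example domains.

```python
"""Flag anchors whose visible text names a different domain than the href,
and From headers whose display name claims a domain the address lacks."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed sample: the visible link says one domain, the href another.
SAMPLE_FROM = "Finance Team payments.example.com <ap@example-mail.invalid>"
SAMPLE_HTML = ('<p>Please review the updated bank details at '
               '<a href="http://login.example-mail.invalid/x">'
               'https://payments.example.com/portal</a> or contact '
               '<a href="https://payments.example.com/help">our help desk</a>.</p>')


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_domain):
    """Normalised hostname of a URL or bare domain (www. prefix dropped)."""
    u = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    h = (urlparse(u).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def mismatched_links(html):
    """Return (visible text, real host) where the text shows another domain."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        shown = DOMAIN_RE.search(text)  # only links whose text names a domain
        if shown and _host(shown.group(0)) != _host(href):
            out.append((text, _host(href)))
    return out


def sender_domain_mismatch(from_header):
    """True when the display name names a domain other than the address's."""
    name, addr = parseaddr(from_header)
    shown = DOMAIN_RE.search(name)
    real = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return bool(shown) and _host(shown.group(0)) != real
```

A hit from either function is a reason to pause and verify the request through a contact already on file, exactly as the tips advise; a clean result is not proof the message is genuine.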
Remember, if you encounter anything that seems strange or out of the ordinary, reconsider your response and don’t be afraid to step away from the situation to alert the relevant people, per your organisation’s policies and guidelines. Encourage employees to do the same. QBE has put together a broad range of risk management guidance and tools to help clients mitigate fraud and cyber risk; these are available on QBE’s Cyber Risk Management Portal, alongside current cyber news, resources, training and much more.
While the tricksters will keep on trying to get through the door, firms must do all they can to stop handing out the candy. If you and your staff are not aware of the game, you can’t keep out the cyber ghouls.
QBE’s Cyber Policy enables organisations to access a broad range of risk management tools, resources and services to mitigate cybercrime and fraud.
So what will you choose… Trick or Treat?
* Q3 2017 to Q3 2018: The Retail and eCommerce Threat Landscape Report (October 2018)