May 19, 2020
Education Key To Thwart COVID-19 Social Engineering Scams
Recent research from security rating firm BitSight showed that malware attacks have tripled since the global health crisis forced companies to work from home. According to the report, home office networks are 3.5 times more likely than corporate networks to be infected by malware.
Many of these attacks rely on social engineering tactics designed to play on users’ fears about COVID-19. Researchers believe that a cybercrime group Ancient Tortoise were the first to use coronavirus-themed scams to convince potential victims to send payments to attacker-controlled accounts. Many other similar attacks have followed. Some simply seek monetary gain while others are designed to gain access to sensitive business information.
Below you will find five common types of social engineering tactics in use today. Share them with your clients to increase awareness among end users.
- Phishing: Phishing is the leading form of social engineering attack. Phishing attacks are typically delivered in the form of an email, chat, web ad or website that has been designed to impersonate a real person or organization. Phishing messages are crafted to deliver a sense of urgency or fear.
- Baiting: Baiting, similar to phishing, involves offering something enticing to an end user, in exchange for login information or private data. The “bait” may be monetary or free goods of some kind.
- Quid Pro Quo: Similar to baiting, quid pro quo involves a hacker requesting the exchange of critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from the hacker who, posed as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials.
- Pretexting: Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or authority figure well known to an end user.
- Social Media Deception: Criminals pose as a current or former co-worker, job recruiter, or someone with a shared interest on social media, especially LinkedIn.
Ongoing security education goes a long way to protect your clients against social engineering attacks. However, education is obviously just one part of a comprehensive security strategy. Putting the right technology in place is also essential. To learn more about key security technologies, check out this recent post from Datto CISO Ryan Weeks.