Cyber Threats 2015: Socially Engineered Attacks

Cyber Threats 2015: Socially Engineered Attacks

Cyber Threats 2015 Series

Cybersecurity has been a huge topic over the past year for investment management companies of all types- and for good reason. Cyber threats are on the rise, coming in the form of breaches attempting to steal firms’ private data. As a result, there has been a focus on education and prevention. But what are these cyber threats, and how does a firm know what to look for? One of the most relevant cyber threats to firms today is the socially engineered threat. These cyber threats can encompass a wide variety of attack strategies that rely on manipulating the victimized organization into providing critical information. These tricks can come cyber threatsin the form of an email, phone call or other notification, and often times the hacker will present themselves as a computer technician or other reliable source to gain entry. Upon contact with an organization, the criminal will request critical information, such as passwords or bank login information, to supposedly fix or verify an issue. Many times, the firm being attacked will not realize the threat until they have already divulged the vital information, making it essential to be aware of the signs of a threat before falling prey to one.

Phishing: In the case of phishing attacks, which are one of the most common types of socially engineered threats, the criminal will send an email appearing to be from legitimate company, and request specific information to be verified. Examples of information requested can be bank passwords, wire transfer information or network logins. The emails will typically be very convincing, and contain company logos and other factually correct content. Sometimes, criminals will also utilize the phone as a means of obtaining information through phishing. Learn more about phishing here.

Shoulder Surfing and Tailgating: There are even simpler and less noticeable ways that attackers glean personal information from employees, including shoulder surfing and tailgating. Shoulder surfing involves the attacker gaining information by looking over the victim’s shoulder, as the term implies, and by making a note of private information. This type of hacking often takes place in public areas, including public transportation and libraries. In the case of tailgating, an attacker will trail behind their victim when entering the victim’s place of work, and ask for them to hold the door or simply follow them inside before it closes. Once inside the building, the attacker can post false fliers such as ones stating that the IT service desk number has changed.

Baiting: Baiting is another socially engineered threat organizations need to be aware of, and plays off of victims’ curiosity. In baiting attacks, the cyber criminal will leave an infected device, such as a USB key, lying around and waiting for a curious employee to pick it up and plug it into their computer. Once this occurs, the criminal is able to gain access to critical systems and information. One of the ways that criminals are able to successfully implement a baiting approach is by first using the tailgating method.

Despite the risks, there are several proactive methods that firms can put in place in order to ward off attackers and protect their data. Stay tuned for a future post on cybersecurity planning.