How to Combat Social Engineering: Awareness and Strategies

Social engineering attempts are on the rise, with a heavy emphasis on phishing and smishing. As these attacks get more creative, it’s critical that your entire organization understands the risk they pose.
Silent Ransom Group, a cybercriminal group known for extortion with the goal of financial gain, has recently placed a target on the legal industry. The group has leveraged “call-back” phishing tactics: messages that mimic common services, then ask the recipient to respond by phone to resolve pending charges or other urgent issues. To the recipient, this looks like a reminder from Duolingo to update their billing information to avoid a cancelled subscription. To the attacker, though, it’s the beginning of their social engineering strategy.
Once the user calls the attacker, the user is manipulated into installing remote desktop software to resolve the phony issue. This installation gives the threat actor full control of the system and the ability to exfiltrate sensitive data and exploit the victim until a ransom is paid.
A variety of tactics can help you avoid this sort of turmoil, and security awareness remains at the center of all of them. Here are some recommendations ivision stands by for preparing your team to combat potential attacks:
- Be extra vigilant in dealing with social engineering attempts, as well as phishing (email links to malicious sites) and smishing (SMS links to malicious sites).
- Do not answer any questions concerning your role, your personal information, etc.
- Report anything suspicious immediately. If you ever feel uneasy about an email, text, or call, forward it immediately to servicedesk@ivision.com (or use our built-in “Report Phish” button). Early reports help us block new scams before they spread.
- Report phishing attempts by clicking “Report Suspicious Activity” in Outlook.

ivision’s security solutions help set your business up for success against these kinds of attacks, whether it be through managed security or consulting services around security strategy, security assessment, infrastructure security, or data security.