As the cybercrime landscape continues to change, business email compromise (BEC), commonly known as CEO fraud, tops the list of spear phishing attacks on businesses. And although ransomware has plagued us for over a decade, large and small companies alike still fall prey to its extortive tactics.

Unlike the remedies of the past, the solution is not simply better antivirus software or a stronger firewall. As the attacks become more sophisticated, a multilayered defense strategy is needed to address all threat vectors. The most challenging of all threats is not technological, however. It’s social engineering. Technology can fight technology. Technology can’t fight vulnerable human emotions. And that’s what social engineering threats exploit.

Social engineering schemes rely on emotions like fear to compel us to act quickly in ways we would not normally act if given enough time to reason through the situation. Most schemes rely on fear, curiosity, greed or a combination of those.

“Your bank account password was compromised,” was the subject of the email. You hastily click the link to change your password, not noticing that the site it took you to is not your bank’s.

“I need you to wire money to our business partner immediately or this deal will fall through,” said the email from your CEO. You don’t want to be the one who loses that deal. You send the money, never verifying that the email was actually sent by the CEO.

The label on the USB thumb drive you found in the restroom said, “Employee Salaries.” You were compelled to check it out, never wondering why someone would put employee salaries on a thumb drive, and then label it.

“Click here to listen to your voicemail.” You click, even though you don’t have a service that sends voicemail through email.

These are all real cases.

What You Can Do

There is no technology that can change behavior. The only true defense is behavioral modification. A well-designed training program will condition employees to pause before reacting, look for oddities in the request and take more prudent action. Yes, I said condition, not teach.

The training must be an ongoing program. A 30-minute class every six months won’t do it. A two-minute weekly or biweekly video, sound clip or demonstration will be far more effective in reducing the likelihood of a cyberattack. If these sessions are short, engaging and fun, your employees may even welcome the break.

The key is to use material that shows them how to spot the common schemes used in social engineering attacks. Through repetition over time, they will more instinctively recognize phishing emails and other socially engineered attacks.

Once you have the social aspect under control, you can address the technology-oriented attack vectors, put in place a means of recovering from disasters like ransomware and create policies to further reduce CEO fraud and data breaches.