Employees are still a weak link in many organizations’ cyber security efforts. As part of an overall Vulnerability Assessment program, companies are increasingly utilizing social engineering testing. However, these tests come with risk. Here’s what you should watch out for.

What is social engineering fraud?

Social engineering fraud encompasses a wide range of scams used by criminals to exploit victims’ trust in order to gain access to confidential and sensitive information.

How does social engineering testing help?

Social engineering tests imitate actual phishing scams to evaluate the security of an organization’s IT infrastructure. The organizations can safely attempt to exploit vulnerabilities by sending:

• Emails meant to entice the recipient to open a file, which is actually a distorted PDF, that when viewed, gives the hacker access to the user’s system.

• Emails meant to entice recipient to click on a link to a malicious website

• Emails enticing usernames and passwords out of recipients

• Malicious USB, CDs, and/or mobile apps which contain “Trojan” payloads and “phone home” capabilities.

• Caller ID spoofing (modifying caller ID to spoof the caller’s identity and access sensitive information)

Companies can choose to do an external test, which simulates an attack from the outside on specific servers within your internal network. This is the most common choice. The other option is an internal test, which simulates what someone could do from the inside (disgruntled employee for example.)

What can organizations do to avoid an attack?

Cybersecurity MUST be a C-Suite priority. In addition….

• Endpoint security, detection and response are critical tools to have in place

• Anti-exploit/ memory protection tools serve a vital layer of defense, too.

• Every member of an organization should have what’s called a “Zero trust” security posture, in which they do not automatically trust anything sent from inside the company or from the outside, and instead must verify everything trying to connect to systems before granting access.

• Organizations have found they need to be “tougher” at conveying the repercussions of poor information security practices

• Organizations should increase user awareness to the variety of different attack vectors

• Businesses should mock phishing and social engineering attacks on employees to reinforce the consequences of information security negligence.

Questions? Contact us.

Don't miss our webinar, What Nonprofit Board Members Need to Know About Cybersecurity on October 24th with our affiliate technology company, Envision Technology Advisors.