Despite the rate at which cyber attacks are becoming more and more sophisticated, threat actors know that there’s no replacement for the classic tactics of Social Engineering. It may not be sexy, but it’s effective – and can often be overlooked in favor of focusing on digital defenses.
The recent MGM hack is forcing many to re-evaluate if they are taking enough proactive measures. In one phone call, someone impersonating an MGM employee was able to gain enough sensitive information to access the multi-billion-dollar casino’s primary website, online booking mechanisms, and number of in-casino terminals and services. While this may not do significant financial damage in the short term, it will likely have a long-term effect on reputation, potentially leading to significant losses over the coming years.
We would love to be able to say there is an easy solution to preparing for these scenarios, but any time human error is the prevailing factor in successful evasion, prevention effectiveness can suffer. All we can do is give employees all the knowledge, tools, and resources possible to understand how to identify the signs of suspicious social engineering activity.
This particular attack utilized a common voice phishing attack called Vishing – the fraudulent use of phone calls and voice messages to convince an individual to reveal private information. Vishing attacks often rely on fear or urgency to pressure victims into compliance.
What are the basics of a Vishing attack?
1. Caller Impersonation: Attackers impersonate trusted entities, such as colleagues, IT support, or even executives, to gain the trust of employees.
2. Urgency and Fear: Vishing attacks often create a sense of urgency or fear to pressure victims into revealing sensitive information or taking specific actions.
3. Emotional Manipulation: Social engineering tactics are used to exploit emotional triggers, making victims more likely to comply with the attacker’s requests.
Training Strategies to Verify Caller Identities
- Establish Clear Procedures:
- Develop and communicate clear procedures for verifying the identity of callers before disclosing sensitive information or taking any action requested over the phone.
- Ensure that employees understand the importance of these procedures in safeguarding company data and reputation.
- Use Independent Contact Information:
- Teach employees to obtain contact information independently from trusted sources, such as official company websites, directories, or previously known phone numbers.
- Encourage the use of contact information obtained through reliable means rather than relying solely on information provided by the caller.
- Ask for Specific Information:
- Train employees to ask callers for specific pieces of information to confirm their identity. This could include their full name, employee ID, department, or a callback number.
- Verify this information independently before proceeding with the request.
- Avoid Rushed Decisions:
- Emphasize the importance of not making rushed decisions or sharing sensitive information under pressure. Vishing attackers often create a sense of urgency or fear to manipulate employees.
- Encourage employees to take their time and thoroughly verify the caller’s identity.
- Collaborate and Confirm:
- In cases where employees are unsure about a caller’s identity, instruct them to collaborate with colleagues or supervisors to validate the request.
- Implement a “two-person rule” for sensitive actions, where two employees independently verify the identity before proceeding.
- Maintain a Reporting Culture:
- Foster a culture where employees are encouraged to report any suspicious or potentially vishing-related phone calls.
- Implement a non-punitive reporting system to ensure that employees feel safe reporting incidents.
- Regular Training and Refreshers:
- Conduct regular training sessions and refresher courses to keep employees up-to-date with the latest vishing tactics and caller verification techniques.
- Use real-world examples and scenarios to reinforce the importance of caller identity verification.
Verifying the identity of callers is a crucial step in fortifying your organization against vishing attacks. Vishing and Social Engineering is constantly evolving, so ongoing training and adaptability are essential components of your defense strategy. Empowering your employees to confidently verify caller identities is a powerful tool in safeguarding your organization’s security and reputation. Contact us for information on how Elevate can help protect your organization against Social Engineering attacks.
October is Cybersecurity Awareness month and a great time to educate yourself and your users. The 2023 Cybersecurity Awareness Month Resource Kit from KnowBe4 comes packed with:
Cyber Security Awareness Month User Guide
Cyber Security Awareness Weekly Planner
New featured video module for your users: “Security Culture and You”
Four security hints and tips newsletters
Five cybermonster character cards and posters
Get your free resource kit at https://info.knowbe4.com/cybersecurity-awareness-month-resource-kit-partner?partnerid=001a000001ZtBDG