Recent research from security rating firm BitSight showed that malware attacks have tripled since the global health crisis forced companies to work from home. According to the report, home office networks are 3.5 times more likely than corporate networks to be infected by malware.
Many of these attacks rely on social engineering tactics designed to play on users’ fears about COVID-19. Researchers believe that a cybercrime group known as Ancient Tortoise was the first to use coronavirus-themed scams to convince potential victims to send payments to attacker-controlled accounts. Many other similar attacks have followed. Some simply seek monetary gain, while others are designed to gain access to sensitive business information.
Below you will find five common types of social engineering tactics in use today. Share them with leadership and your employees in order to increase awareness.
- Phishing: Phishing is the leading form of social engineering attack. Phishing attacks are typically delivered in the form of an email, chat, web ad or website that has been designed to impersonate a real person or organization. Phishing messages are crafted to deliver a sense of urgency or fear. It’s worth giving employees a refresher on how to detect a phishing attack.
- Baiting: Baiting, similar to phishing, involves offering something enticing to an end user, in exchange for login information or private data. The “bait” may be monetary or free goods of some kind.
- Quid Pro Quo: Similar to baiting, quid pro quo involves a hacker requesting critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from the hacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials.
- Pretexting: Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or authority figure well known to the end user.
- Social Media Deception: Criminals pose as a current or former co-worker, job recruiter, or someone with a shared interest on social media, especially LinkedIn.
Ongoing security education goes a long way to protect employees (and your team) against social engineering attacks. However, education is obviously just one part of a comprehensive security strategy. Putting the right technology in place is also essential.
To get a complete list of security considerations for your employees, check out our IT Leader’s Checklist.