Protecting Against Social Engineering Attacks
What stories like Gamble’s illustrate is that attacks don’t have to be carried out by cybercriminal masterminds to be successful. All these attackers need is for people to make (often understandable) mistakes. Those mistakes can be as simple as clicking on a link, opening a malicious attachment, or following the instructions of an attacker impersonating a trusted organization or colleague.
The proliferation — and success — of young hackers underscores the importance of training employees to recognize and avoid phishing and social engineering attacks. In this regard, simply making information available to employees is not enough to reduce risk — the goal should be true behavior change among end users.
One of our recent case studies provides a great example of how security awareness and training solutions can help organizations thwart social engineering attacks. The City of Garland, Texas, used Wombat anti-phishing training tools — a combination of our ThreatSim® Phishing Simulations, PhishAlarm® email reporting, year-round interactive training assignments, and business intelligence — to reduce phishing susceptibility by 80% and build a stronger culture of security.
The cybersecurity education delivered to employees helped Garland avoid a business email compromise (BEC) attack that started with a vishing (voice phishing) phone call, then progressed to email. An alert — and trained — employee questioned the cybercriminal’s request and halted the attack. Another Texas city wasn’t so fortunate; an employee fell for the same type of attack a week later, wiring hundreds of thousands of dollars into a fraudulent account.
While anyone can make a mistake, educating and training employees greatly reduces their susceptibility to BEC and similar attacks.
Bringing Teens Into Cybersecurity Careers
It’s clear that attackers of all ages can pose significant threats to your organization, even with relatively simple attacks. In a perfect world, young people with an interest in hacking would be positively mentored and steered into cybersecurity careers, helping to simultaneously reduce crime and fill the industry’s hiring gap. Several high school programs already exist to help students envision careers in cybersecurity, and both Europol and the FBI recommend that “alternative educational opportunities should be provided to at-risk youth, who may be attracted to cybercrime,” according to CyberScoop.
Even if these programs become widespread and prove effective — and we hope they do — there will always be those who opt for a black hat over a white one, which means there will always be a need for employee security awareness training. You never know when your end users will receive a phishing email or a phone call from a seasoned social engineer, determined to compromise your organization.