Kordel Eberly
The FBI defines social engineering as “the use of deception, through manipulation of human behavior, to target and manipulate you into divulging confidential or personal information and using it for fraudulent purposes.” Social engineering can occur in person, on the phone, or through email and other electronic communications (known as phishing).
Social engineering is costing companies billions of dollars every year, and it’s employees who are most vulnerable to it. Why? Most employees are generally trusting and want to be helpful, they’re often short on time, and these scammers can be persuasive.
Anyone can be a target, from the receptionist to the owner of a company. Therefore, employees should be trained to recognize common social engineering and phishing tactics and what to do if they suspect it is occurring.
Here are Three Tips to Help Your Staff Thwart Phishing & Social Engineering:
You can implement certain procedures that will help reduce the possibility of social engineering. Make those procedures company policy, and make sure employees understand those procedures. Some examples of policies may include the following:
Hold mandatory social engineering training for all employees. Make sure the person providing the training – whether it’s someone from within your organization or a hired professional – is qualified.
The training should teach employees the potential consequences of social engineering and how to recognize, thwart, and avoid social engineering. It should be engaging and interactive and include examples and the opportunity for employees to act out specific scenarios.
Those on the front line – such as receptionists – should receive additional training, as they are more vulnerable to social engineering.
Here are a few of the more common social engineering scenarios that your employees should be able to recognize:
Lead by example. If employees see management following company policies, they’re more likely to follow them.
Train all new employees and provide ongoing training for existing employees to remind them of the dangers of social engineering and to keep them up to date on company policies and new threats.
Include information about social engineering in employee communications, such as employee newsletters, emails, bulletin boards, etc.
Encourage employees to question their actions. For example, if a delivery person or vendor wants to come behind the counter, are there any potential risks if the employee allows it? Is it okay to let this person into the facility without an ID? Does something seem off about this email?
Up-to-date security software also helps prevent unauthorized access to data, and the good news is that you don’t need a dedicated, in-house IT team. Eberly Systems offers managed anti-spam plans and managed security plans to prevent email social engineering and to protect your IT system from a variety of security threats - from phishing to infections.
Call today at 610-374-4049 or find us online to learn about our proactive IT Managed Services Plans that are perfect for businesses that want to ensure that their systems and data are well protected.