The more cognizant employees and the general public become about online security risks, the savvier hackers seem to be. As much as we’d like to think we’re ahead of the curve with a keen eye for fraud, hacking has become increasingly sophisticated, making it all the more pertinent that employees know what to look out for when it comes to security threats.
While most of us have learned to be skeptical of certain scams, like the infamous, long-running “Nigerian Prince” phishing scheme—a “prince” or head of state asks you for your bank details over email so you can safeguard a large sum of money in exchange for a small share, then drains your bank account—even these age-old scams continue to lure victims. CNBC reported that as recently as 2019, the “Nigerian Prince” email still brought in more than $700,000 every year. That number is surprising, but in the scheme of things (pun intended) it’s not one of the most costly scams out there. (For the record, there is no prince of Nigeria, so he’s probably not the one emailing you.)
Phishing scams in general, however, are still the most popular online scams, namely because they are still so successful. The reason? They target users on a psychological level. Phishing scams are one example of a “social engineering” scam, all of which can be highly personal and sometimes impossible to detect.
Can it happen at my company?
Unfortunately, yes, and it’s happened to the best of them. In July, Dashlane reported on a social engineering attack on Twitter (the company’s worst security breach in history), which siphoned $118,000 worth of Bitcoin from users. There are many shocking elements to what happened: For starters, the attack was led by a 17-year-old hacker. Secondly, the hackers gained access to very high-profile accounts, including those of Jeff Bezos, President Barack Obama, and Kanye West. Add to all that the fact that Twitter is a leading tech company with a technologically savvy workforce, and you have an all-but-unbelievable hack. Read more about what happened here.
How did they pull it off?
So, how did they do it? In part, the global pandemic played a role in the now-infamous Twitter hack. Because Twitter employees, like many of us, are operating from home these days, the hackers claimed to be the IT department, helping employees connect to the company’s VPN. As many of those who work from home now know, this is a common grievance for employees trying to access a remote server.
The hackers called various employees posing as Twitter’s IT support, and directed them to an identical-looking VPN access page with a slightly different domain. As the employees entered their credentials, the hackers were able to copy those credentials into real Twitter logins, even convincing employees to authenticate their accounts when prompted.
Let’s look at the numbers…
Many organizations have encountered issues due to exposed or stolen credentials from administrative accounts in recent years. Combined, brute-force attacks, credential theft, and exposed credentials amount to 80% of data breaches in 2020. Again, the crucial element is social engineering, in this case using specific information about employees to gain access to user accounts. While some of the employees did report the calls to Twitter’s internal fraud monitoring team, others were fooled. And it only takes one.
What your IT department can do
In these (sorry to use this phrase) unprecedented times (groan), we learn to navigate new hurdles. Rather than thinking up all of the different issues employees might encounter, it’s best to have overarching policies in place in advance. These policies can also be applied to freelance or contract employees, who might communicate with your company’s IT department even if they are not necessarily primed on the same security policies as full-time employees.
- Make your IT department known
If employees can put a face to a name, it’ll be easier to know when someone is posing as a member of the department. Of course this gets tricky depending on the size of the company, but the extra effort to make introductions will never be a bad thing.
- Educate employees on what makes a strong password
Refer to our guide on common mistakes employees make while creating passwords, or even better, take advantage of Dashlane’s new ZXCVBN feature, available in our Android and iOS mobile apps, as well as for IT admins and their business plan users in the web app. The feature guides employees toward making a secure Master Password that they won’t forget, making the life of an IT admin a little easier with safer passwords and fewer “I forgot my password” help desk requests.
- Instill a dose of healthy skepticism
As part of your security training, establish and share the standard ways the IT department communicates. Can employees expect a chat message, a phone call, an email? What about? Is there ever a reason an admin might ask for their password? If your employees know that a phone call from the IT department is extremely unlikely, they’ll know not to believe the caller on the other end. It’s also important to include language that they should look out for to know when an email is legitimate. As sophisticated as phishing emails have become, there are still ways to train employees to be one step ahead of hackers.