The Human Factor in Cybersecurity: Protecting Against Social Engineering Tactics
October 10, 2024
Cybersecurity isn’t just about securing systems. It’s also about protecting people from social engineering: a cybercriminal uses deception to manipulate someone into revealing confidential information or taking an action, such as sending a payment, that benefits the attacker. Cybercriminals exploit our natural tendencies to be helpful and trusting and to avoid conflict.
Why Should CPAs Care?
You might think, "We primarily deal with numbers, not digital technology. Does cybersecurity really matter?"
Think about the sensitive information you handle — Social Security numbers, bank details, tax returns. Cybercriminals target this kind of data.
The impact of a cyberattack can come in the form of loss of revenue, damaged reputation, and regulatory consequences.
Make a plan and start early
Despite employing state-of-the-art technology and teams of IT professionals, businesses remain vulnerable to cyberattacks. Every employee plays a crucial part in safeguarding their organization. So a good first step is to educate your employees the first day they begin work.
Consider discussing the basics at employee orientation, such as how to recognize social engineering attempts including business email compromise and phishing emails.
These are the first of many discussions you may want to have around cybersecurity. Regular meetings, conversations, and reminders about the latest security awareness tips can be helpful.
Learn to recognize social engineering attempts
A social engineering email can look like this:
Hey, Bill, are you in the office today? I need you to make a payment for me. We’re late sending it out, and the client is really upset, so it needs to get processed right away this morning.
But you have no record of a late payment owed to any client, and you just walked past your boss in the hallway. Those are two red flags telling you NOT to take the action your “boss” wants you to. Verify the request through a channel the message did not supply: walk over, or call a number you already have, rather than replying to the email. These are social engineering attempts: fake communications that look legitimate and ask you to send money or reveal information.
When in doubt, watch for these signs:
- A false sense of urgency. Language like, “Act now or your account will be suspended immediately,” puts the fear factor front and center and is a red flag that the communication may be a scam.
- Is money involved? This may seem obvious, but we sometimes rush past common sense during busy days. That’s what scammers are counting on.
- Check for a spoofed or look-alike email address. Look at the sender’s actual address, not just the name shown. For example, say the email comes from UPS_Account_Service@email.com. The “@email.com” tells you it is not from UPS: a company sends from its own domain, not from a generic mailbox provider. Keep in mind that a From header can also be forged to show the real domain; that kind of spoofing is caught by your mail system’s SPF, DKIM and DMARC checks rather than by eye, which is one more reason to verify any request for money by phone or in person.
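The sender checks above can be turned into a small header inspection. The script below is an added example written for this page, not code from the article or from INTRUST Bank. It parses a raw email with Python’s standard library and flags four things: a brand named in the sender that does not match that brand’s real domain, a generic mailbox provider as the sending domain, a Reply-To that steers replies elsewhere, and SPF/DKIM/DMARC failures recorded by the receiving mail server. The brand-to-domain table and both sample messages are constructed for illustration and are assumptions, not authoritative data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist for this example: a brand keyword and the domains that brand
# genuinely sends mail from. Illustrative only, not an authoritative list.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "intrust": {"intrustbank.com"},
}

# Generic mailbox providers; a company does not send official mail from these.
FREEMAIL_DOMAINS = {"email.com", "gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def split_address(addr: str) -> tuple[str, str]:
    """Return (local_part, domain) of an address, lower-cased; ('', '') if malformed."""
    if "@" not in addr:
        return "", ""
    local, domain = addr.rsplit("@", 1)
    return local.lower(), domain.lower()


def sender_red_flags(raw_message: str) -> list[str]:
    """Inspect the headers of one raw email and return the red flags found.

    Each flag is a short tag followed by detail, e.g. 'freemail-domain: email.com'.
    An empty list means no sender-related red flag was found; it does not prove
    the message is genuine.
    """
    msg = message_from_string(raw_message)
    flags: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    local, from_domain = split_address(from_addr)
    if not from_domain:
        return ["malformed-from: no usable address in the From header"]

    # 1. A brand is claimed in the display name or mailbox name, but the
    #    address is not one of that brand's real domains.
    claimed = f"{display_name} {local}".lower()
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in claimed and from_domain not in real_domains:
            flags.append(f"brand-domain-mismatch: claims '{brand}' but sent from {from_domain}")

    # 2. The sending domain is a generic mailbox provider.
    if from_domain in FREEMAIL_DOMAINS:
        flags.append(f"freemail-domain: {from_domain}")

    # 3. Replies are steered to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, reply_domain = split_address(reply_addr)
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to-mismatch: replies go to {reply_domain}")

    # 4. The receiving mail server recorded SPF/DKIM/DMARC failures. This is the
    #    check that catches a forged From header showing the real domain.
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header.lower()):
            if result == "fail":
                flags.append(f"auth-fail: {method}")

    return flags


# Constructed sample messages for demonstration; not real captured mail.
SUSPICIOUS_MESSAGE = "\n".join([
    "From: UPS Account Service <UPS_Account_Service@email.com>",
    "Reply-To: delivery-desk@example.net",
    "Subject: Act now or your account will be suspended immediately",
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=email.com;"
    " dmarc=fail header.from=email.com",
    "",
    "Your package is on hold. Confirm your payment details within the hour.",
])

LEGITIMATE_MESSAGE = "\n".join([
    "From: UPS My Choice <no-reply@ups.com>",
    "Subject: Your package is scheduled for delivery",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=ups.com;"
    " dkim=pass header.d=ups.com; dmarc=pass header.from=ups.com",
    "",
    "Your package arrives Tuesday.",
])

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, sender_red_flags(raw) or ["no sender red flags"])
```

The Authentication-Results check is the one that matters when the visible address looks right: a forged From header showing the real domain is only exposed by the receiving server’s SPF, DKIM and DMARC evaluation, which most mail clients can display under "show original" or "view headers". An empty result is not a clean bill of health; a compromised real account passes every one of these checks, which is why the out-of-band verification above still applies.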
Know the various types of social engineering
There are several popular social engineering methods:
- Phishing: A broad, usually untargeted attempt, most often by email, to get someone to reveal sensitive information or take a fraudulent action.
- Business email compromise: A cybercriminal takes over a real email account, or spoofs one, to send a message that appears to come from someone you know and trust, usually asking for a payment or for sensitive information.
- Spear phishing: A more targeted phishing attack where the scenario is tailored to the victim to make it appear more legitimate.
- Smishing: When a cybercriminal uses deceptive text messages as part of a phishing attack.
- Vishing: When a cybercriminal uses fraudulent phone calls or voice messages as part of a phishing attack.
- Whaling: A spear phishing attack that targets a very high-profile victim, usually a person in upper management at a company.
- Tailgating or Piggybacking: When a bad actor physically follows an employee into restricted areas without proper authorization.
Cybercriminals are constantly evolving their tactics. Staying informed and training your team is an ongoing process. By building a strong human defense, you can keep your firm and your clients safe.
This content was provided by an OSCPA partner, INTRUST Bank. Learn more about INTRUST Bank and how to protect yourself against cybercriminals at intrustbank.com.