When Alvin Staffin received an email from his boss, he didn't question it. In the email, Gary Bragg, then-president of Pennsylvania law firm O'Neill, Bragg & Staffin, asked Staffin to wire $580,000 to a Bank of China account. Staffin, who was VP and in charge of banking, sent the money through as asked. An hour later, he realized the request was fraudulent—he hadn't been contacted by Bragg at all.
A hacker had gained access to Bragg's email account and used it, along with information they'd learned about an ongoing loan transaction, to pose as Staffin's boss. Nothing in the exchange made Staffin suspect that something was off until he called Bragg, who was out of town at the time, to discuss the transfer.
Both Staffin and his employer were victims of business email compromise (BEC), also known as CEO fraud, a type of social engineering attack. Social engineering attacks are cyberattacks where a criminal tricks a victim into doing something against their interests, such as revealing sensitive information of making a bank transfer.
BEC is one of the most damaging forms of social engineering attacks faced by small businesses. In the 2022 Internet Crime Report, the FBI ranked it as the second most damaging fraud, in terms of financial losses, after investment fraud.
The common forms of social engineering used by criminals are pretexting, phishing, baiting, and tailgating. Pretexting involves creating a false identity and situation to trick victims into providing information or access (BEC is a form of pretexting). Phishing attacks try to trick victims into giving away sensitive information, such as login credentials, using emails and websites designed to look like they belong to a person or business the victim trusts, such as their bank. Baiting is when malware-infected devices, such as USB sticks, are left in public places, in the hope that victims will take them and use them. Lastly, tailgating is when a fraudster follows an authorized person into a restricted area without proper authorization.
Protecting your business from social engineering
Securing a small business from social engineering attacks is an ongoing effort that requires constant vigilance. Because social engineering relies on a criminal's powers of persuasion, your staff's vigilance is your first line of defence. Security software forms a vital second line, protecting your business from some social engineers' tools, such as phishing sites, and from social engineering attacks designed to deliver malware.
Your first priority should be to empower employees to be confident in identifying and effectively responding to social engineering tactics.
- Run regular training to help employees understand how to properly recognize and respond to social engineering. Consider testing your staff, too, and follow up with further education for anyone who fails the test.
- Use at least two people for financial transactions. Social engineering attacks try to isolate and hurry staff so they act without thinking. Create checks in your processes to prevent that.
- Create an intentional culture of security so that security practices come naturally to your staff. Encourage people to report suspicious activity sooner rather than later, avoid punishing staff who fall for social engineering so that others are not afraid to be accountable, and lead by example.
- Use endpoint security to protect against the effects of baiting attacks, to block phishing sites, and to detect malware delivered by social engineering.
- Monitor threat intelligence to understand current and emerging threats that could affect your business.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.