Among the many dangers that employees at small and medium-sized businesses (SMBs) face, social engineering scams stand out as the most common and potentially devastating. Instead of relying on complex coding or high-tech hacking tools, they exploit the most vulnerable part of any security system: human nature.
Social Engineering Is One of the Worst Threats SMBs Face
If you think your small or medium-sized business is flying under the radar of cybercriminals, think again.
According to Barracuda’s Spear Phishing Top Threats and Trends Report, SMBs are actually targeted by social engineering attacks that reach the mailbox 3.5 times more often than their enterprise counterparts.
Why? It’s simple. Cybercriminals know that smaller businesses often don’t have well-established cybersecurity training programs in place. As a result, their employees are easy prey and potential gateways to higher-value targets through their supply chain.
This lack of preparedness stems from the fact that a whopping 33% of smaller businesses adopt a “do-it-yourself” approach to IT, as revealed by a recently published cybersecurity preparedness study. Without dedicated cybersecurity expertise, these businesses are like unlocked houses on a street where every other home has an alarm system.
The best long-term solution for SMBs to address this vulnerability is to partner with a Managed Security Service Provider (MSSP) like us at OSIbeyond. An experienced MSSP can provide comprehensive cybersecurity training and protection in a cost-effective manner, helping employees avoid the most common social engineering scams, such as the following ones.
Corporate Email Scams (Phishing)
Phishing is a scam that involves the use of email messages to trick victims into doing something that’s against their best interest, and it remains one of the most prevalent and dangerous threats in the cybersecurity landscape.
According to Proofpoint’s 10th annual State of the Phish report, a staggering 71% of organizations experienced at least one successful phishing attack in 2023. While this represents a decrease from 84% in 2022, the consequences of successful attacks have become more severe, with a 144% increase in financial penalties and a 50% increase in reputational damage reported.
Examples of specific phishing scams:
- Spear Phishing: This targeted form of phishing tailors the attack to a specific individual or organization by researching the victim and creating highly personalized and convincing messages.
- Whaling: A subset of spear phishing, whaling targets high-profile individuals within an organization, such as C-suite executives or board members.
- Business Email Compromise (BEC): In this sophisticated scam, attackers impersonate a trusted figure to manipulate employees into transferring funds or sharing sensitive data.
Protecting against phishing requires a multi-faceted approach. While 46% of security professionals surveyed by Proofpoint are increasing user training to help change risky behaviors, it’s crucial to go beyond basic awareness by also implementing robust email filtering that stops phishing messages before they reach employees’ inboxes, and by having a clear, blame-free process for reporting suspicious messages so that the ones that do get through are caught quickly.
Text Message Scams (Smishing)
Smishing, a portmanteau of “SMS” and “phishing,” is a social engineering attack that uses fake mobile text messages to trick people into compromising their security. It’s becoming increasingly popular among cybercriminals, with Proofpoint’s 2024 State of the Phish report revealing that a whopping 75% of organizations experienced smishing attacks in 2023.
Why the surge? Simple. We’re more likely to click links in text messages than in emails. Klaviyo reports SMS click-through rates between 8.9% and 14.5%, compared to a measly 2% for emails.
Examples of specific smishing scams:
- Fake delivery notifications: These messages claim there’s a problem with a package delivery, urging you to click a link or pay a fee. They’re particularly common during the holiday season when everyone’s expecting parcels.
- Password reset smishing: You receive a text message that appears to come from a legitimate service (like your bank or email provider), claiming your account has been compromised. The message includes a link to “reset your password,” which actually leads to a fake site designed to steal your login credentials.
- “Wrong number” scams: The scammer pretends to have texted the wrong person, then strikes up a conversation. These long-con schemes aim to build trust over time before eventually asking for money or sensitive information.
The good news is that both Android and iOS include built-in spam and scam message filtering that can flag or hide suspicious texts, though these filters are not foolproof, so employees should still navigate to the real site or app directly rather than tapping links in unexpected messages. At the organizational level, consider unified endpoint management (UEM) solutions to set mobile security controls and enforce policies across all devices. Combine this with regular, engaging security awareness training that includes simulated smishing attempts.
Voice Scams (Vishing)
Voice phishing, or just vishing for short, is the auditory cousin of email and text scams. It’s a type of social engineering attack where scammers use phone calls or voice messages to trick people into revealing sensitive information or taking harmful actions.
In the past, vishing scams (except for robocalls) were fairly rare because of the extra effort necessary to pull them off, but that’s changing quickly thanks to cutting-edge artificial intelligence tools, which make it possible to create human-like synthetic voices or even clone the voice of a real person. For example, one CEO of a UK-based energy business was scammed into transferring $243,000 after an AI clone of his German counterpart’s voice asked him to do so.
Examples of specific vishing scams:
- Tech support scams: Scammers pose as IT support, claiming there’s a problem with your computer or that your account is about to be deactivated. Often, they’ll try to get remote access or convince you to install malware disguised as a legitimate support tool or software update.
- Bank impersonation scams: This classic involves a “bank representative” calling about suspicious activity on your account. They’ll ask for your account details or request an immediate transfer to a “secure” account.
- Fake government agency employees: There have also been cases of scammers impersonating officials from agencies like the IRS, Social Security Administration, or local law enforcement.
Protecting against vishing requires a combination of technical controls and good old-fashioned skepticism. First, implement a call filtering system to screen out known scam numbers. Second, train employees to always verify unexpected requests through official channels: caller ID can be spoofed, so the right move is to hang up and call back on a number taken from the company directory or the back of a bank card, never one supplied by the caller. Most importantly, foster a culture where it’s okay to be cautious—even if it means taking more time.
Social Media Scams
Social media platforms like Facebook, LinkedIn, or Instagram have become a goldmine for scammers. According to the Federal Trade Commission, social media scams have cost consumers a staggering $2.7 billion since 2021, and this figure likely represents just a fraction of the actual damage, as most frauds go unreported.
The impact of these scams is particularly pronounced among younger users, whose rates of social media use are the highest. In the first half of 2023, social media was the contact method for over 38% of reported fraud losses among 20-29 year-olds, and a whopping 47% for those aged 18-19.
Examples of specific social media scams:
- Romance scams: Scammers create fake profiles and build emotional connections with their targets, often over months. Once they’ve gained trust, they start asking for money or sensitive information.
- Business contact request scams: Fraudsters pose as legitimate professionals on platforms like LinkedIn, sending connection requests to employees they seemingly have something in common with.
- Brand impersonation scam: Besides pretending to be legitimate professionals, scammers also create fake accounts mimicking well-known brands. They might then run fake giveaways, solicit donations for non-existent charities, or send out job offers whose only purpose is to steal sensitive information.
Besides encouraging employees to be vigilant, businesses should create a clear policy for sharing work-related information on social media. The policy
Physical Social Engineering
While we’re all focused on digital threats, let’s not forget that some of the most effective scams happen right under our noses—literally. Physical social engineering attacks exploit our natural tendency to trust and help others in person.
Physical social engineering can take many forms, but the goal is always the same: to gain unauthorized access to physical spaces, data, or systems by getting an employee to hold a door, look away, or plug something in.
Examples of specific physical social engineering scams:
- Tailgating: An unauthorized person closely follows an authorized employee through a secure entrance, often counting on the employee to politely hold the door. It’s a simple yet effective way to bypass badge readers and other access control systems.
- Shoulder surfing: In this tactic, an attacker observes an unsuspecting victim entering sensitive information, such as passwords or PINs, by looking over their shoulder in public spaces where people might let their guard down.
- Baiting: This physical social engineering scam involves leaving a malware-infected device, like a USB drive, in a conspicuous place. When a curious employee plugs it in, they unknowingly introduce malware into the company’s systems. Beyond training, restricting the use of unapproved removable media on company computers removes the opportunity entirely.
Protecting against physical social engineering requires a combination of awareness, policy, and good old-fashioned perimeter defenses. This means regular training to keep employees vigilant, clear guidelines for handling visitors and sensitive information, and physical measures like secure entry systems and surveillance cameras.
Conclusion
As you can see, there are many social engineering scams that employees need to be aware of in this day and age. The good news is that cybersecurity awareness training is very effective at reducing the risk of falling victim to these scams. With proper education and vigilance, your team can become a robust human firewall against social engineering attempts.
Let’s discuss how OSIbeyond can help fortify your business against social engineering scams by providing comprehensive, tailored training programs and cutting-edge security solutions.