Protecting Against Social Engineering Attacks


Summary

Social engineering attacks exploit human psychology to manipulate individuals into revealing sensitive information or performing actions that compromise security. Protecting against these tactics requires a mix of technology, awareness, and strong protocols.

  • Train your team regularly: Conduct ongoing training sessions, including simulated attacks, to help employees recognize and avoid phishing, vishing, and other social engineering tactics.
  • Strengthen verification protocols: Implement robust identity verification processes for phone, email, and financial requests to prevent unauthorized access or fraudulent transactions.
  • Encourage a pause-and-verify culture: Promote a workplace norm where employees feel empowered to question and verify urgent or suspicious requests, even from senior staff.
Summarized by AI based on LinkedIn member posts
  • Craig McDonald

    Protecting Microsoft 365 from AI Email Threats Before User Impact | Endorsed by Microsoft - Satya Nadella | Trusted by Global Brands | 5,500+ clients like Porsche | AI Email Security

    Having anti-virus software DOES NOT give you a free pass against phishing threats. They do not prevent your users from falling for sophisticated social engineering attacks. No amount of legacy anti-virus software can stop an employee from entering their Office 365 credentials into a devious phishing site. Or keep an executive from approving a multi-million dollar fraudulent transaction. Phishing has evolved way beyond just malware delivery. Increasingly, it's a complex, multi-vector con job targeting your most important asset - your people. Phishers don't always need an infected device to succeed; just uninformed recipients. Here are 4 steps you can take to mitigate risks:

    1. Employee Training and Awareness Programs: Regular training sessions with mock phishing scenarios can help employees recognize and avoid phishing attempts. This is crucial as phishing attacks often rely on tricking users into giving away their information.
    2. Dynamic Obfuscation: This is a technique where the information presented to potential attackers is constantly changing, making it difficult for them to gain a foothold. It can be particularly effective in protecting against phishing attacks that rely on gathering information about the system or the users.
    3. Phishing-Resistant Multi-Factor Authentication (MFA): While MFA is a common recommendation, using a phishing-resistant MFA adds an extra layer of security. This could involve using hardware tokens or biometric data, which are much harder for a phishing attack to replicate.
    4. Invest in a Comprehensive, Multi-Layered Email Security Solution: Invest in a comprehensive, multi-layered, anti-phishing security solution that covers all aspects of your business. That means adding a specialist cloud email security solution like MailGuard, to your email security stack.

    Modern phishing protection must blend cutting-edge technology with comprehensive security awareness. Believing otherwise is the real virus that can leave you vulnerable.

  • Jennifer Ewbank

    Champion of Innovation, Security, and Freedom in the Digital Age | Board Director | Strategic Advisor | Keynote Speaker on AI, Cyber, and Leadership | Former CIA Deputy Director

    The FBI recently issued a stark warning: AI-generated voice deepfakes are now being used in highly targeted vishing attacks against senior officials and executives. Cybercriminals are combining deepfake audio with smishing (SMS phishing) to convincingly impersonate trusted contacts, tricking victims into sharing sensitive information or transferring funds. This isn't science fiction. It is happening today. Recent high-profile breaches, such as the Marks & Spencer ransomware attack via a third-party contractor, show how AI-powered social engineering is outpacing traditional defenses. Attackers no longer need to rely on generic phishing emails; they can craft personalized, real-time audio messages that sound just like your colleagues or leaders.

    How can you protect yourself and your organization?
    - Pause Before You Act: If you receive an urgent call or message (even if the voice sounds familiar) take a moment to verify the request through a separate communication channel.
    - Don't Trust Caller ID Alone: Attackers can spoof phone numbers and voices. Always confirm sensitive requests, especially those involving money or credentials.
    - Educate and Train: Regularly update your team on the latest social engineering tactics. If your organization is highly targeted, simulated phishing and vishing exercises can help build a culture of skepticism and vigilance.
    - Use Multi-Factor Authentication (MFA): Even if attackers gain some information, MFA adds an extra layer of protection.
    - Report Suspicious Activity: Encourage a "see something, say something" culture. Quick reporting can prevent a single incident from escalating into a major breach.

    AI is transforming the cyber threat landscape. Staying informed, alert, and proactive is our best defense. #Cybersecurity #AI #Deepfakes #SocialEngineering #Vishing #Infosec #Leadership #SecurityAwareness

  • Your customers aren't the only ones being scammed. Your employees are too. Not with fake checks. Not with phishing links. But with psychological scripts and fake authority. Criminals aren't hacking systems. They're hacking human behavior. According to a report by Verizon in 2024, 90% of cyberattacks involved social engineering. All it takes for your business to be compromised is...
    - One call from a "regional director."
    - One email spoofed from a supervisor.
    - One urgent request for a money transfer.
    And your employee follows it because it sounds real or the company culture makes them uncomfortable to ask questions and they just follow orders. Suddenly...
    🚨 A wire is sent.
    🚨 The scammer disappears.
    🚨 The customer account is compromised.
    🛡️ How to Combat This:
    ✅ Fraud scenario training for all departments (not just fraud teams)
    ✅ Two-party verification on any internal financial request
    ✅ Teach employees to "Pause, Think, Verify" before acting under pressure
    ✅ Establish an internal fraud escalation line
    You can't stop what you don't know. #FraudHero #socialengineering #fraud #scams #fraudprevention

  • Rachel Tobac

    CEO, SocialProof Security, Friendly Hacker, Security Awareness Videos and Live Training

    The MGM attackers claimed they used one of the easiest ways to breach/ransom a company, a method I use often in my hacking:
    1. Look up who works at an org on LinkedIn
    2. Call Help Desk (spoof phone number of person I'm impersonating)
    3. Tell Help Desk I lost access to work account & help me get back in

    While we wait for attack method confirmation, I'll say that the attack method they claim worked for them does indeed work for me. Most orgs aren't ready for phone based social engineering. Most companies focus on email based threats in their technical tools and protocols — many are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone based attacker in the act. Teams need protocols to verify identity before taking action. The 1st teams I go after when hacking are the folks who deal with requests from people constantly — IT, Help Desk, Customer Support, etc. I often pretend to be an internal teammate to convince them to give me access, and I usually start with phone attacks bc they work fast. Email phishing attacks can get caught in good spam filters and reported. The soft spot for many teams are the folks who handle the phone call requests. There's a perfect storm: lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests.

    Questions to ask internally to see if your team is prepared to catch this attack:
    - Do the folks who handle requests from team/customers use identity verification protocols?
    - Do we rely on knowledge based authentication? DOB + caller ID matches ☎️ number in system, for example.
    - Are our IT/Help Desk/Support teams compensated or promoted on the speed of saying yes to requests? Have we incentivized time for security protocols in Support?
    - How do we verify identity first?

    Remember, most folks at work want to do a good job and often times "good work" means "fast work". We can't expect every employee to be able to come up with their own identity verification protocols on the fly — it's our job to provide the right human protocols to catch this fast. We'll need to wait to learn the details of the attack and get confirmation. In the meantime, I can tell you I compromise orgs w/ the exact phone attack the attackers claim to use and many orgs don't have phone call based identity protocols to catch it yet. Update your phone based identity verification protocols to catch account takeover attempts! You know your org best & there's no one size fits all. You can move from KBA (like DOB) to OTP on 2nd verified comm channel, call back to thwart spoof, service codes, pins, and much more. After hacking & educating orgs on how they can catch me, the biggest task I spend my time on is updating verification protocols to spot me next time. It's maddening to get caught on their new identity verification protocol on the next pentest but there's also nothing I love more. More details here: https://lnkd.in/gqZ9-vVi
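The post above recommends moving help-desk identity checks away from KBA and caller ID toward a callback to the number on file plus a one-time code on a second verified channel. The following is an added example, not code from the post or from SocialProof Security, of what that policy looks like when enforced by a help-desk tool; the directory entries, the `RecoveryDesk` class and the request fields are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed directory of record: contact details on file, never anything the caller supplies.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"phone_on_file": "+1-555-0100", "second_channel": "alice@example.invalid"},
}

@dataclass
class RecoveryRequest:
    claimed_user: str
    caller_id: str                   # trivially spoofed, so never treated as evidence
    kba_ok: bool = False             # e.g. DOB matched; weak, often public data
    callback_answered: bool = False  # desk hung up and dialled phone_on_file
    otp_submitted: Optional[str] = None

@dataclass
class RecoveryDesk:
    """Identity is proven only by answering a callback to the number on file AND returning a
    one-time code sent to the second channel on file. Caller ID and KBA alone never pass."""
    ttl_seconds: int = 300
    _issued: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # user -> (code, issued_at)
    audit: List[str] = field(default_factory=list)

    def issue_otp(self, user: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._issued[user] = (code, now)
        # Delivery goes to the directory's second channel, not a contact the caller offers.
        self.audit.append(f"otp issued for {user} -> {DIRECTORY[user]['second_channel']}")
        return code  # returned so a caller of this function can play the legitimate account owner

    def decide(self, req: RecoveryRequest, now: float) -> Tuple[bool, str]:
        if req.claimed_user not in DIRECTORY:
            return False, "unknown user"
        # A matching caller ID and a correct DOB are exactly what a phone attacker brings.
        if not req.callback_answered:
            return False, "callback to number on file not completed"
        issued = self._issued.pop(req.claimed_user, None)  # single use, whatever the outcome
        if issued is None or req.otp_submitted is None:
            return False, "no second-channel OTP presented"
        code, issued_at = issued
        if now - issued_at > self.ttl_seconds:
            return False, "OTP expired"
        if not secrets.compare_digest(code, req.otp_submitted):
            return False, "OTP mismatch"
        self.audit.append(f"reset approved for {req.claimed_user}")
        return True, "verified: callback + second-channel OTP"
```

The `kba_ok` and `caller_id` fields are carried only so the audit trail records them; `decide` never consults them, which is the point of the protocol change.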
