
Expert advice on how to defend your payroll business from the most common cybersecurity threat

Cyber Security Advice Every Payroll Business Needs Right Now: Beware of Social Engineering


  • November 2, 2021

Recently we have been seeing a growing cyber security crisis in the temporary workforce market. Criminals are taking more interest in companies that process vast amounts of payments, and then try to intercept those payments or steal personal data. Unfortunately, umbrella companies, recruitment businesses and other payroll intermediaries fit this description perfectly.

Hi there, I’m John Morris, CTO at My Digital. In this post I want to help you become more aware of the most common cyber security threat out there – social engineering. I will tell you exactly what it is and how you can take some basic precautions that will help you and your company stay safe.

Ready? Fasten your seatbelts and let’s go.

In social engineering attacks, bad actors use various methods of psychological manipulation to trick users into making security mistakes or giving away sensitive information, which is then used either to steal information from companies or to extract money. Social media accounts, ‘innocent’ phone calls and malicious links in emails are the main channels for carrying out social engineering attacks.

 

Some common social engineering attacks and what you can do 

Phishing 

The most common of attacks: emails that look like they are from a legitimate source, for example your bank, a client or Microsoft 365. Typically they will alert you that there has been some kind of issue and that you need to log in to resolve it. Of course the login page is not what it seems: it is cloned from the real site and is used to harvest login credentials. Typically these sites will then forward you on to the legitimate login page, where you assume there must have been “IT gremlins”, log in without issue and think nothing more of it.

There are a few things you can do to reduce the chances of falling victim to these attacks. Firstly, if an email comes out of the blue, without you having requested a password reset or done anything else that might lead to an email, then you should verify the sender. Check the email address in the From field: does it look legitimate? Hover over any hyperlinks: are they going to the proper websites? If in doubt, always access websites containing sensitive or financial information from bookmarked URLs that you know are real. Secondly, if the website offers it, always use Multi Factor Authentication (MFA) to back up your password. Then, even if someone has your username and password, they have another obstacle to overcome. If MFA is not available, always use a strong, unique password that you store in a password vault and rotate on a periodic basis.
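The two manual checks above (the From address, and where a hyperlink really goes) can also be run automatically over a suspicious message. The Python below is an added example, not My Digital's code; it assumes a single-part HTML email, and the trusted-domain list and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: the domains your business really deals with (hypothetical values).
TRUSTED_DOMAINS = {"examplebank.co.uk", "microsoft.com"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):  # gathers [href, visible text] for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def host_of(value):  # lower-cased hostname of a URL or bare domain
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def is_trusted(host):
    # Exact match or a true subdomain; "examplebank.co.uk.verify.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_email(raw):
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_trusted(sender):
        findings.append(f"sender domain not trusted: {sender}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target, shown = host_of(href), text.strip()
        if not is_trusted(target):
            findings.append(f"link goes to untrusted host: {target}")
        if URL_LIKE.match(shown) and host_of(shown) != target:
            findings.append(f"link text shows {host_of(shown)} but goes to {target}")
    return findings

# Constructed sample message (not a real phishing email).
SAMPLE = ('From: "Example Bank" <alerts@examplebank-secure.example>\n\n'
          '<a href="https://login.examplebank.co.uk.verify.example/reset">'
          'www.examplebank.co.uk</a>\n')
```

Calling `check_email(SAMPLE)` returns three warnings: the sender domain, the untrusted link host, and the mismatch between the address shown in the link text and the address it actually points to.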

 

Smishing 

Smishing is very similar to the above but takes place via SMS message. The most common examples over the last few years pose as delivery companies and banks, but you also see it around year end with gov.uk messages asking you to check tax codes etc.

 

Pretexting 

This is where an attacker uses knowledge gained on social media to send emails pretending to be someone senior in the company. Typically attackers will use LinkedIn to get CEO/MD/CFO/Finance Director details and email junior members of staff asking them to urgently transfer some money or, more commonly, to purchase Apple or Amazon vouchers and send them the gift codes.

 

In all scenarios there are a few common steps you should take:

· Verify – Always do what you can to verify the details of the sender/caller.

· Ask someone else – If you are unsure, ask someone else’s opinion.

· Practice good password hygiene – Never reuse passwords. Use a password manager to create strong unique passwords. Use Multi Factor Authentication (MFA) where possible. Avoid the use of pets’ names, children’s names or anything you post about on social media (and yes, even if you add 01! at the end).

· Be alert – Cyber attacks are not going away and there is no foolproof way of stopping them. Above all, your best defense is for all staff to be alert and report any suspicious activity.

A good start for upping your cyber security measures is getting a business password vault. This will help you and your staff safely store and manage your business logins and passwords, minimising the risk of them being leaked or intercepted by criminals. TechRadar did a decent rundown of some available solutions; I encourage you to have a look at them.

 

 

If you have any questions about cyber security in your payroll business, feel free to reach out to me on LinkedIn.




John Morris

Chief Technology Officer at My Digital
