AT Think

Firms face growing threat of social engineering

Social engineering raises serious questions about data protection and compliance for accounting firms. Firms therefore need measures that protect their IT assets, and above all their people, against a threat that is not new but is growing in volume and sophistication.

There are several reasons firms are attractive targets for social engineering, not least their access to large volumes of confidential client data. Many also act on behalf of clients in managing financial transactions, which makes them a direct path to money. But to understand the threat, we must first understand what it involves.

What is social engineering? 

Traditionally, cybercriminals looked for exposed services or software vulnerabilities to breach an organization's systems and conduct malicious activity. Social engineering instead manipulates people into divulging confidential information or taking an action the attacker wants. The user is tricked into opening a link or attachment that installs malware or spyware, which then gives the attacker a foothold in the information systems.

Consider a typical sequence. First, the attacker sends an intriguing pop-up or email saying the user has won a prize or gift. The offer is too good to be true, but the promised gain leads the user to act.

Second, the user is manipulated into a security mistake (clicking a link, filling out a form, entering credentials) and induced to hand over confidential information. The manipulation works on the victim's psychology rather than on a technical flaw.

Third, the attacker uses that access to move into the user's system and, often, removes traces of the intrusion.

Social engineering attack forms

Phishing: This is the most common and prominent social engineering technique used to acquire information. Cybercriminals, posing as a legitimate business or institution, trick users with a fraudulent solicitation email into providing confidential or sensitive information.

In many cases, the attackers claim to be bank employees and ask for online banking passwords. In others, they direct users to a fake website that mimics a real login page. Whenever a user enters credentials there, the attacker captures them, can change them to lock the victim out, and can use the gathered access at will.

Spear phishing: A targeted version of phishing in which the message is tailored to a specific person or role, using details such as the recipient's name, job, clients or colleagues to make it convincing. A common form is a message that appears to come from the firm's CEO or a partner asking for specific information or directing the recipient to a link that seems legitimate but is designed to harvest credentials or install malware or ransomware. Untargeted lures such as online ads for free software that install malware when clicked are a related tactic (usually called malvertising), but spear phishing is defined by its targeting.

Spear phishing resembles another social engineering attack known as business email compromise (BEC). Here the attacker closely studies an executive's email patterns and then, impersonating that executive from a spoofed or look-alike address or from the executive's own compromised mailbox, requests that subordinates send wire transfers or execute other financial transactions.

Scareware: Scareware is malicious software, and the campaign that delivers it, designed to create panic so the victim downloads a malicious program or visits a spoofed website. It is typically delivered through pop-up ads that flash a warning that the user's system is infected and offer a fake fix. Once the ad is clicked, the phony solution installs on the system and steals personal data. Scareware is also distributed through fraudulent emails.

Quid pro quo: The attacker offers a desirable service in exchange for information. For example, the attacker may pose as a support engineer and call an employee offering to fix an IT issue, asking for credentials or remote access along the way. The information is then used to access information systems and organizational data.

Counteracting social engineering

As the primary target in social engineering is not the information system but the person, prevention requires a different approach than simply installing the latest malware detection or firewalls.

Because social engineering relies heavily on human action, here are some steps you can take, and teach in your firm, in order to protect it from social engineering threats:

Regular Training

First and foremost, you can help counter social engineering threats in your firm simply by training employees to recognize these elements in email or other forms of solicitation. Nearly every social engineering attempt combines one or more of these four elements:

  1. An emotional plea or a lure (a prize, a refund, free software);
  2. A manufactured state of fear, curiosity, excitement, anger or guilt;
  3. A sense of urgency around the request;
  4. An attempt to establish trust, for example by posing as a colleague, an executive, a bank or a vendor.
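To make these cues concrete, the following script (an added example, not part of the original article) triages a single email for the four elements above together with the technical tells of phishing and BEC described earlier: an executive's display name on an outside address, a Reply-To header that diverts replies elsewhere, link text that shows one domain while the href points at another, and look-alike domains that embed the firm's real domain. The firm domain example-cpa.com, the executive name, the keyword lists and both sample messages are constructed assumptions, and the function names triage and lookalike_of are hypothetical.

```python
"""Heuristic email triage for social-engineering cues (added example).

Scores one message on the psychological cues from the article (urgency,
lure, credential or money request) and on technical tells of phishing and
BEC. Firm domain, executive names, lexicon and samples are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-cpa.com"}   # assumed firm domain
EXECUTIVE_NAMES = {"jane doe"}          # assumed executives, lower-case
CUES = {                                # illustrative keyword lexicon
    "urgency": ["immediately", "urgent", "within the hour", "today", "asap"],
    "lure": ["won", "prize", "gift", "suspended", "legal action"],
    "credential_request": ["password", "verify your account", "login"],
    "financial_request": ["wire", "transfer", "invoice", "payment"],
}


class _Links(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def lookalike_of(host):
    """Return the trusted domain a host imitates by embedding it, else None.
    Real subdomains (portal.example-cpa.com) are not look-alikes."""
    host = host.lower()
    for d in TRUSTED_DOMAINS:
        if d in host and host != d and not host.endswith("." + d):
            return d
    return None


def triage(raw_email):
    """Return {'score': n, 'findings': [(category, detail), ...]}."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # BEC tell: a known executive's name on an address outside the firm
    if name.lower() in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(("impersonation", f"{name!r} sent from {from_dom}"))
    if lookalike_of(from_dom):
        findings.append(("lookalike_domain", from_dom))

    # Replies silently rerouted to a mailbox the attacker controls
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = reply.rsplit("@", 1)[-1].lower() if reply else from_dom
    if reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} -> {reply_dom}"))

    # First text part (the message itself when it is not multipart)
    part = next((p for p in msg.walk() if p.get_content_maintype() == "text"), msg)
    body = part.get_payload()
    if part.get_content_type() == "text/html":
        parser = _Links()
        parser.feed(body)
        for text, href in parser.links:
            host = (urlparse(href).hostname or "").lower()
            shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
            if shown and shown.group(1).lower() != host:
                findings.append(("link_mismatch", f"shows {shown.group(1)}, goes to {host}"))
            if lookalike_of(host):
                findings.append(("lookalike_domain", host))
        body = re.sub(r"<[^>]+>", " ", body)   # strip tags before keyword scan

    # Psychological cues: the urgency / lure / trust elements from the article
    text = (msg.get("Subject", "") + " " + body).lower()
    for cue, words in CUES.items():
        hits = [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", text)]
        if hits:
            findings.append((f"cue:{cue}", ", ".join(hits)))

    return {"score": len(findings), "findings": findings}


# Constructed samples: a BEC-style lure and a benign internal note.
PHISHING_SAMPLE = """\
From: Jane Doe <jane.doe@example-cpa-mail.com>
Reply-To: jd-office@mail-example.net
Subject: Urgent wire transfer
Content-Type: text/html

<p>I need you to process a wire transfer immediately for a client closing today.</p>
<p>Confirm your login here: <a href="http://example-cpa.com.login-verify.net/auth">https://example-cpa.com/portal</a></p>
"""

BENIGN_SAMPLE = """\
From: Bob Smith <bob.smith@example-cpa.com>
Subject: Team lunch on Friday
Content-Type: text/plain

Lunch is at noon on Friday in the main conference room. Reply if you can make it.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```

On the constructed BEC sample, triage reports seven findings: the impersonated executive, the diverted Reply-To, the mismatched and look-alike link, and urgency, credential and money cues; the benign note reports none. Keyword scoring on its own is noisy, so the header and link checks carry most of the weight, and a script like this is a triage aid for a reviewer, not a blocking control.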

Nurturing safe communication habits 

Employees must also be trained to be vigilant: not to trust unfamiliar or unusual messages at face value, and not to click on online ads. Anything remotely suspicious should be treated as coming from a dubious source until its legitimacy has been checked, ideally by contacting the purported sender through a known, independent channel such as a phone number already on file rather than one given in the message.

Use comprehensive data security software

Accounting firms should use comprehensive data security and access management solutions to protect against attacks. Just as important, these systems should be patched regularly to close known vulnerabilities.

If an intruder phishes a set of login credentials, multifactor authentication can stop those credentials from being sufficient to log in on their own. One caveat: one-time codes delivered by SMS or an app can themselves be phished or relayed in real time by a fake login page, so phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site, give the strongest protection. Anti-malware software should be deployed and kept updated with the latest threat definitions.

Ultimately, in order to prevent such attacks, accounting firms should create awareness by coordinating learning and development sessions. The employees should be acquainted with all forms of social engineering threats so they can clearly identify threats and secure organizational information. 
