Social Engineering Attacks: Considerations for SMBs
Sep 22, 2020
When most people think of someone hacking their business, they picture sophisticated cybercriminals infiltrating the network, breaking password protocols, and penetrating the firewall. Although that can happen, it’s very rare. Instead, social engineering is behind most cyberattacks, from high-profile data breaches at the largest corporations to ransomware and other attacks that many small and middle-market businesses (SMBs) fall victim to each year.
This kind of cyberattack doesn’t take a lot of money or sophisticated equipment to carry out, but the result can be quite costly for businesses. In 2020, data breaches cost companies on average almost $4 million per incident, according to the global IBM Security Cost of a Data Breach Report. Of the 17 industries surveyed, healthcare had the highest average total cost at $7.13 million.
Common Social Engineering Attack Vectors
Hackers can access a company’s sensitive information through a variety of social engineering techniques: faking the identity of an authorized user, guessing login credentials by mining social media profiles, or even boldly walking into the office and sitting down at an unsecured workstation. The three most common methods of trying a social engineering attack on an SMB are:
- Email — This indispensable business tool is valuable to would-be hackers, too. Many businesses are working harder to train staff to watch for potentially fraudulent emails, but it’s still an extremely successful attack vector — partly because it’s so easy to make an email appear to be coming from someone other than the true sender.
- Telephone — Phone calls are another common tactic. The caller pretends to have a legitimate request for access to systems or information, and if the recipient complies, cybercriminals can gain the data they seek.
- Physical access — In this tactic, hackers pretend to belong somewhere, such as a bank, an office, or a restricted-access area like a server room. If it works, they can get into the network using their own equipment or through an unattended workstation (even easier, since it’s probably already logged in). Once in, they’re free to steal, delete, or corrupt data as they like, or to install viruses and malware that infect the system.
Why Does Social Engineering Work?
Psychology is key to a successful social engineering attack. People don’t want to get in trouble, and they are curious by nature. For example, an email attachment claiming to offer tantalizing information — the salaries of everyone at the company, perhaps — is nearly irresistible. If the document carries malicious content like a virus or ransomware, just one click can put the entire network at risk.
Similarly, a bad actor posing as an IT auditor with an urgent request to test the safety of employee passwords is often successful; nobody wants to be the person who quibbles about protocol, holding up important work that makes the whole company safer. By exploiting either of these two basic human traits, hackers can bypass even the most sophisticated and carefully planned security systems.
Prevention Starts with Training and Testing
Individual behavior is what allows hackers in or keeps them out, so when it comes to thwarting social engineering attacks, training and testing are the two most effective prevention strategies.
Frontline workers need to understand how to recognize when something is out of the ordinary and how (and when) to report it. But while knowing what to look for can help people identify potentially risky situations, it’s also crucial that they know exactly how to respond.
Every business should have a written policy detailing protocols for verifying the identity of callers, email senders, and in-person visitors. For example, if an email contains any red flags at all, recipients should know to contact the IT department using a familiar number or help desk email address — not via a number or link included in the email — to verify that it’s legit (and do this before clicking on links, downloading attachments, or responding to the email).
It’s also critical that the training includes simulations and practice sessions. After all, it’s one thing to understand the policy in theory, and quite another to react appropriately when it’s happening. The goal is to impart a healthy skepticism in all members of the organization, so that they become comfortable and confident following established procedures in real-world scenarios.
Frequent white-hat social engineering testing is another imperative. This allows the company to identify vulnerabilities, whether that’s a particular attack vector (e.g., email requests or a sensitive location that needs more security) or specific individuals who need more training. Those who fail a test need to know that they failed and receive retraining and coaching, until it becomes automatic to follow established procedures before taking any action that could open the door for hackers.
In addition to training and testing, businesses can adopt tech-based strategies to help stop social engineering attacks. Companies that run their own mail server should implement some type of third-party protection tool that can scan incoming mail for viruses and malware. Some businesses go so far as to forbid attachments completely unless they go through a secure method of transfer, such as a file share platform that ensures the validity of each attachment. And for physical threats, camera systems can send an alert to those responsible for information security when someone enters an area with servers or other sensitive equipment.
The First and Last Line of Cybersecurity Defense
Tools like these can reduce risk, but don’t make the mistake of thinking they’ll provide adequate protection or make up for human error. Cybersecurity experts like to say that in social engineering, your people are your first and last line of defense. Training and testing (and retraining, if necessary) really are the keys to preventing a successful social engineering attack.
Cybercrime isn’t going away, but you can mitigate the risks of social engineering with effective training, testing, and tools. Contact the cybersecurity professionals at CRI for help keeping your business safe.
Employee Versus Contractor: A Crucial Distinction for Every Organization
Bolster Cash Flow With a Cost Segregation Lookback Study
Cryptocurrency Fundamentals for Financial Institutions
Is Your Rental Real Estate a Business?
GASB Pronouncement Effective Dates
Local Governments & The Final Rule: Coronavirus State and Local Fiscal...
S3:E7 – The Transaction Timeline: The 5 Stages of Selling Your...
What is Section 1071, and Why is it Important for Your...
5 Tips for Lessening Stress with Nonprofit Audit Preparation
Coronavirus State and Local Fiscal Recovery Funds
Manufacturing Inventory Accuracy Counts
3 Benefits of Creating a Captive Insurance Company
S3:E6 – Common ACFR Errors
Protect What Matters: Estate Planning in Uncertain Times
A Comparison of Education Tax Credits for 2022￼
S3:E5 – Heads up, Grant Professionals!
How Has COVID-19 Affected Business Valuations?
A New Significant Victory for Micro-Captives: IRS Notice 2016-66 Vacated!
Reporting Computer-Security Incidents: Is your Community Bank ready?
What Does a Cash Balance Plan Mean for You?
The Name’s Bond, Government Bond
Setting Nonprofit Executive Compensation
Promises to Give: Not-for-Profit Accounting Primer
Does Working Remotely During the Pandemic Mean You Owe More Income...
Still Confused About Whether to Deduct That Business Meal?
New HITRUST Assessments Give Companies More Options for Security Reporting
ICBA Live 2022 Conference Recap
You Could Owe “Nanny Taxes” Even If You Don’t Have Kids
You Overfunded a 529 Plan. Now What?
Nonprofit Board Review of Form 990
Managing ESG Risks in the Oil and Gas Industry
Charitable Lead Trust vs. Charitable Remainder Trust: A Comparison
S3:E4 – SSAE No. 21 | Direct Examination Engagements
Going Concern Issues for Nonprofits
Improve Medical Practice Productivity with Non-Physician Providers
Five Internal Controls to Prevent Fraud in Nonprofits
Safeguard Your Assets During a Divorce — Before You Get Married
Differences in Public Charities and Private Foundations
S3:E3 – Panic! At the IRS Disco
Top 5 Accounting Questions to Ask Your CPA
Report Fundraising Events on Form 990
3 Grant Writing Tips to Help Not-For-Profit Organizations
Health Savings Accounts Offer Big Tax Benefits Now and in Retirement
Short on Cash? Gift-in-Kind Donations Can Also Help Support Charities
Estate Planning FAQ
Transfer Your Wealth Using a Dynasty Trust
Two Types of Charitable Trusts You Should Know About
New Guidance on Gifts In-Kind for Non-Profit Entities
S3:E2 – Count Yourself in to a Career in Tax Accounting
Captive Insurance Taxation
S3:E1 – Fill Me in On NIL (Name, Image, Likeness)
Tax Alert: Received a Letter from the IRS? Hold Onto It!
Top 5 Priorities for Small and Mid-Sized Organizations in 2022
A Look at Internal Controls and Processes for Evaluating Vendors
Getting the Most Out of Your Remote Audit
Moving to a New State? Don’t Make These Tax Mistakes
Coronavirus Relief Funds – Getting Ready for Your Single Audit
IRS Extends Federal Tax Filing Deadline for Victims of December Kentucky...
Does Your Organization Need an Internal Audit?
2022 Cost of Living Adjustments Chart
What a Single Audit Means for Your Organization
Straddling the Fence: Should You Co-Source or Outsource Your Internal Audit?
Help Your Business Finish Strong with These 10 Year-End Tasks
IRS Clarifies Rules on 100% Deduction for Per-Diem “Meals”
COVID-19 Funding Best Practices, Accounting Treatment, and Single Audit Implications
Have You Completed These 5 Year-End Financial Planning Tasks?
Cybersecurity Trend to Watch in 2021: Cyber Supply Chain Risk
Outsourced Accounting Reference Guide: How Collaborating Can Help You Reach Your...
Fiduciary Matters: How to Be the Best Trustee for Your Organization’s...
It’s a Marathon, Not a Sprint: Going the Distance for Outsourced...
2021 Year-End Tax Planning for Businesses: Strategize, Optimize, Maximize
2021 Year-End Tax Planning for Individuals & Families: Strategize, Optimize, Maximize
Conference Recap – AICPA 2021 National Conference on Banks and Savings...
CECL: It’s Getting WARM in Here Webinar
Credit Memorandum Best Practices and “The 5 C’s”
It’s a Marathon, Not a Sprint: Going the Distance for Outsourced...
Keeper of the Vault: A Business Owner’s Guide to Cybersecurity
Federal American Rescue Plan Act of 2021 (ARPA)
COVID-19 Quick Hits: American Rescue Plan Act Overview
Risky Business: Comparing Risk Levels of MRBs
Employee Retention Credit Information Sheet
IRS Employee Tax Forms: A Checklist for Small Businesses
IRS Income Tax Forms: A Checklist for Small Businesses
Digital Transformation Starts With Process, Not Technology
What’s New from GASB: An Update on the Latest Standards
Homeowner Assistance Fund – What Tribes and Applicants Need to Know
CECL: It’s Getting WARM in Here
Homeowner Assistance Fund – You Don’t Know the HAF of it!
American Rescue Plan for Governments: The Resources Available
Potential Proposals on the Horizon: It’s Time to Prepare Your Estate...
Anti-Money Laundering (AML) and Cannabis Banking: Is Your Financial Institution Ready?
It’s a Marathon, Not a Sprint: Going the Distance for Outsourced...
Strategic Use of ARP Government Funds for Long-Term Success
Time to Pivot? How Your CPA Can Help You Adapt to...
Compliance Management System (CMS) – A Refresher
The Basics of Grantor Retained Annuity Trusts
Tax Considerations for Buyers Contemplating Mergers & Acquisitions
What Role Does Life Insurance Play in Estate Planning?
Taking a Fresh Look at Bankruptcy
2021 Insurance Update: What’s Next?
Start From the T.O.P Down: Ways You Can Improve Your Organization’s...
The Basics of Spousal Lifetime Access Trusts
When E-Commerce Sellers Would Benefit from Hiring an Accountant
Internal Controls: Governmental Challenges and Opportunities
IRS Clarifies Temporary 100% Deduction for Restaurant-Purchased Meals
Hired Any Recently Unemployed Workers? Let Them Know About New Exclusion...
Make Better Business Decisions with Financial Modeling
Succession planning is a difficult, but necessary, subject for a contractor
Rate Reform – Why is LIBOR Going Away, and What Will...
Clear Vision: Moving Your Business Forward with Confidence
Five Overlooked Tax Breaks for Contractors and Manufacturers
Exit Strategies: Preparing Your Manufacturing Business for Transfer of Ownership
How Contractors Can Bridge the Age Gap
Enhance Your Technology Tool Kit for Improved Productivity
Tax Strategies for Special Needs Families
Healthcare 2021: The State of Our Industry
Why Profits Do Not Always Lead to a Positive Cash Flow...
IRS Provides Guidance on Cafeteria Plan Balance Carryovers
Updates to the AICPA’s SAS No. 134 through SAS No. 140
SSAE No. 21 – Direct Examination Engagements
Not-For-Profit Revenue Recognition
Don’t Jeopardize Your S Corporation Status
Fiduciary Activities & Leases: A Tale of Two Standards – GASB...
Now or Later? Weighing 15-year Depreciation vs. 100% Bonus Depreciation for...
How to Spot Three Common Tax Scams
Insurance Companies and the IRS: What’s on the Horizon?
The Anti-Money Laundering Act of 2020: An Overview
Federal Audit Clearinghouse Extended Submission Dates FAQs
When Can You Deduct Data Breach Costs?
Boost Your Cash Flow with Net Operating Loss Carrybacks
What’s Next for Hemp-Related Businesses?
Considering a Conversion from Traditional IRA to Roth? Think Twice.
Making Intrafamily Loans with Intentionally Defective Grantor Trusts
The IRA: A Solid Estate Planning Tool in Times of Uncertainty
How MaaS Is Revolutionizing Manufacturing
Export Tax Incentives for Manufacturers
Meals & Entertainment
Credit Risk Management in an Unpredictable Environment
Insurance Companies and the IRS: A Downward Trend in Examinations
Exempt Organizations: IRS Issues Final Rules on 21% Excise Tax on...
Coloring Inside the Lines of Nonprofit Governance
How Does Your Industry Affect Your Cybersecurity Risk?
USDA Issues Final Rules on Hemp Production
Not-So-Safe Harbor? Navigating the QBI Rules for Rental Real Estate Businesses
Current FDICIA Regulatory Relief – What You Need to Know Now...
Disasters Never Rest, So Take Time Now to Protect Key Documents...
5 Things to Remember About Substantiating Charitable Donations
Considerations for Banking Cannabis-Related Businesses
Yes, Operational Planning Is Still Important
Does Your Home Office Qualify for a Tax Deduction?
Shutting Down a Business? Updated Resources Available from IRS
Lending Money to Family? Be Sure to Stay on the Right...
Updates to the Long-Anticipated Compliance Supplement Addendum
Preparing for Third-Party Payer Audits
Virtual Panel – Accounting & Business Outsourcing: Success Stories
Surviving in a Tough Economy: Cash Protection Strategies During an Economic...
Five Ways to Make Invoice Processing More Effective
COVID/CARES Act: How to Account For It and Pass the Single...
Is It Time for Cloud Accounting?
Watching the Horizon: Do You Have the Data You Need to...
Real-Time Results: How Dashboards Can Help You Move Your Small Business...
Key Factors that Drive Reimbursement in the PDPM Model
Pooled Income Funds Benefit Both Donor and Charity
What’s Behind the Hype About Donor-Advised Funds?
Don’t Get Ready for Fiscal Year-End. Stay Ready.
Accounting & Business Outsourcing: How to Become a Results-Focused, Data-Driven Organization
CECL: Impact to Date and the Road Ahead
Businesses Face Challenges When Expanding Their Remote Workforce
Helpful Tips for Completing Medicare Cost Reports
5 Savvy Black Friday Weekend Shopping Tips to Put In Your...
Technology Innovations Impacting the Insurance Industry
10 Anti-Fraud Recommendations for Community Associations
Hospital Price Transparency
Tax Implications of Debt and Equity Financing
Building Your Ideal Captive Board
Don’t Sleep on CECL
Social Engineering Attacks: Considerations for SMBs
Smarter Giving: Four Things to Know When Considering Charitable Contributions
Security Implications of a Remote Work Environment
How Important is Compliance with Government Regulations to a Firm’s Accounting...
Contractors Should Take A Closer Look at Site-Level Profitability
Assembling an Effective Financial Team
Contractors Can Remain Profitable in Down Market
The Pitfalls of Underbidding Projects
PRF Requirements Summary
Provider Relief Fund Recipient Q&A
Prepare, Recover, Emerge Stronger: A Roadmap for Financial Perseverance in Times...
CARES Act and Provider Relief Fund Single Audit
Back to Profitability: How Small Businesses Can Emerge Stronger from Crisis
Five Steps to Elevate Self Pay Patient Collections in Medical Practices
Planning for Possible Workforce Reductions
Drafting a Business Continuity Plan (BCP)
Tax Concerns for Self-Employed Individuals
Contractors Should Juice Up Working Capital in Volatile Times
When Essential Business Is Risky Business: Workers’ Comp & OSHA Considerations...
Getting Ahead of a Possible Recession – A Case Study
Virtual Meetings: Tips for Choosing the Right Technology and Conducting a...
Calculating Your Business Interruption Loss
Maintaining Financial Controls in a Disrupted, Remote-Work Environment
How to Increase Your Chances of a Successful Financial Statement Audit
Healthcare Organizations: Are You Ready for New Revenue Recognition Rules?
Managing Your Costs: It’s Tougher Than You Think
How to Maintain Proper Financial Controls when a Remote Work Environment...
Business Interruption Losses: Making an Insurance Claim
Business Interruption: Planning Your Next Steps and Setting Expectations
Cybersecurity Tips for Working From Home
Understanding the Basics of Business Interruption Claims
Stabilizing Your Business: Improvise, Adapt, Overcome
Government Entities: Plan, Protect, Adapt, Overcome
Make the Most Out of Your P&L
How to Arrange a Medical Practice Buy-Sell Agreement that Minimizes Disputes
Is a Captive Right for Your Organization?
Spring Cleaning Now Improves Business Performance All Year
Forensic Audits vs. Annual Audits: Taking a Proactive Approach to Protecting...
Automated Bank Reconciliation: An Instant Analysis for Your Business
5 Reasons Business Owners Prefer Outsourced Accounting
Unique Compliance Aspects of Risk Retention Groups
Thriving Under COVID: How the Best Companies Do More Than Just...
Improve Manufacturing Company Profitability
What’s Your Company’s Cash Flow?
Record Retention Schedule
Preparing for a Single Audit: Understanding the Requirements
A Grant Overview
Understanding Your Responsibilities Within Service Organizations
When Does a Hobby Become a Business?
Make Digital Assets Part of Your Estate Plan
What You Need to Know About the Home Office Deduction
Keeping a Close Eye on Medicare Fraud
Captive Insurance Basics
Privacy Policies and Data Security Keep Contributions Flowing for Not-for-Profit Organizations
8 Action Steps for Avoiding Nonprofit Online Presence Tax Traps
Building an Effective Nonprofit Audit Committee
Impressing Donors with Nonprofit Financial Information
Two Types of Government Termination Benefits
The Growing Threat of Cyberattacks in Manufacturing and How to Prevent...
Is Your Manufacturing Business Ready for the New Revenue Recognition Standard?
A Blueprint for Nonprofit Revenue Recognition Implementation
Protecting Your Company Against Executive Impersonation Fraud
Qualified Opportunity Zones: A Resource Guide
Clarifying Compliance: A Resource Guide for Healthcare Organizations
Living in a Post-Wayfair World
Citizen Centric Governmental Reporting
How Does Industry Affect Fraud Risk?
Cost-Effective Fraud Protection
Municipal Bond Arbitrage, Billy Ray Valentine, and What They Have in...
Disaster Recovery: Protect Your Assets With the Right Insurance
Don’t Let These 7 Tax Terms Scare You
Three Actions to Help Improve Your Collections Process
Acknowledgments of Nonprofit Donations
UPMIFA – That’s Not a Text
Balance Sheet Reconciliations: Focus on Internal Controls over Financial Reporting (ICFR)
Charitable Donation Documentation: 6 Answers to Know
Should Your HITRUST CSF Assessor Be a CPA Firm?
Closing a Nonprofit Organization
For Strong Data Security, Give Your Employees Some Backup
Understanding the Benefits of Engaging in a NIST CSF Assessment
Transfer Pricing and Not-For-Profits
Why Fair Value is Becoming a Popular “Celebrity” in the Accounting...
Bracing for Disaster? Prepare to Deduct Casualty Losses
Natural Disasters Can Affect Your Financial Statement, Too
The Importance of Conducting a Valuation of Your Small Business
How the SEC Bridges the Divide between GAAP and Non-GAAP Financial...
Use a Governmental Performance Audit to See If You Measure Up
Risk Management: Avoiding Crisis & Staying Afloat
Using Internal Controls to Keep a Record of Your Inventory: Storing...
The Fine Line Between Nonprofit Lobbying and Advocacy
4 Things the IRS Looks for in a Federal Tax-Exempt Application
Using Nonprofit Financial Statements for Future Planning
Implementing Nonprofit ERM Strategies
3 Common Questions & Answers: Nonprofit Audit Committee
Love, Marriage, and Uncle Sam: How Getting Married Affects Your Taxes
7 Benefits of Outsourcing a Not-for-Profit Organization’s Essential Bookkeeping and Payroll...
How the Internet Mystifies the Taxability of Qualified Sponsorship Payments
Tax Planning Reasons to Potentially Establish a Private Foundation
5 Exercises to Rehabilitate Retirement Funds
Manufacturing Product Costing
Financial Statement Preparation: 4 Steps to Power Up Business Performance Tracking
Is It Time for a Business Valuation?
What to Consider When Deciding Between a Calendar Year and a...
4 Benefits of a Government Audit Committee
Best Practices for Nonprofit Volunteer Management
Differentiating Between Independent Contractors and Employees
Captive Insurance Overview: Healthcare Provider Industry Highlights
Form 990 Marketing: Spotlight Your Nonprofit’s Efforts and Achievements
The Arm’s Length Principle: Protecting from the Rays of Transfer Pricing...
How to Properly Organize Your Tax Records
Where to Start When Creating a Business Plan
Small Business Compliance: Are You Sticking to the Law?
Five Steps to Prepare a Disaster Plan for Your Business
Restructuring Organizations Through Tax-Free Business Splits
Taking a Bite Out of Payroll Taxes
How to Protect Yourself from Tax Identity Theft
Anti-Money Laundering (AML) Implications of Human Trafficking
How Manufacturers Should Account for Excess Capacity
3 Questions to Find the Balance of a Seasonal Product Cycle
Opportunity Zones: Open for Business
How to Be Prepared With a Business Continuity Plan
What is a Governmental Component Unit?
4 Steps on the Path to Timely Payments
Understanding the Management’s Discussion and Analysis (MD&A) Disclosure
Six Common Nonprofit IRS Audit Triggers
The Evolution of the Bank Secrecy Act
Business Valuation Can Avoid a Merry-Go-Round During Divorce Proceedings
The Continued Importance of Risk Assessment for Financial Institutions
The Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Audit Revisited
Opportunity Zones are Knocking: Should You Answer?
It’s Time to Review and Update Your Partnership Agreement
Using Internal Controls to Keep a Record of Your Inventory: Costing...
Clear Reliable Insights: GASB 87
How to Manage Supplier Costs and Keep Your Business Balanced
3 Ways Public Companies Can Iron Out Their SEC Audit Processes
Travel Guide for Your Start-Up’s Journey to Success
How to Become the Boss of Your Digital Assets
Steering Clear of Bookkeeper Liability Hazards
Four Must-Have Features When Selecting an Auditor
Will Your Cybersecurity Defense System Protect Your Organization?
“Yours, Mine, or Ours?”: Identifying and Valuing Marital Property
One Taxing Situation: South Dakota vs. Wayfair, Inc
IRS Correspondence Letter: Your New Pen Pal the IRS
Is Your Bank’s Audit Committee Reaching the Summit of their Potential?
Will Your Cost Segregation Methodology Hold Water With the IRS?
Understanding Terms Found in Common Business Interruption Policies
Business Interruption Claims Can Help Businesses “Resume Flight” Following Unexpected Disaster...
How the SEC Bridges the Divide Between GAAP and Non-GAAP Financial...
An Origin Story About Captives
Sail Smoothly Through Those Saving or Shredding Decisions
The Opportunities of Effective Risk Management
Keeping the “Business” in “Family Business”
How the Pooling Method Can Help Bring Your Property Value to...
Boost Your Bottom Line by Understanding Your Internal Audit
Why Strong Internal Controls Are Necessary for a Healthy Business
3 Governance Policies Every Business Should Have in Writing
Prescribing the Right Internal Controls for Your Business
Avoid the Punch of Ransomware
4 Business Seasons When You Should Consider a Virtual CFO or...
Whaling Cyberattacks: What You Need to Know
The Importance of Diversifying Your Customer Base
3 Reasons to Differentiate Between Controllable and Non-Controllable Costs
How to Maximize Business Sale and Successfully Exit
4 Simple Solutions to Improve Financial Reporting Timeliness without Breaking the...
8 Steps for Cleaning Up a Tax Return Identity Theft Train...
Unearthing Occupational Fraud in Your Business
Life Insurance Tax Strategies: Maximizing this Multi-Use Tool
Watch for These 3 Signs of Employee Fraud
Join Our Conversation
Subscribe to our e-communications to receive the latest accounting and advisory news and updates impacting you and your business.