Many people love sport, and after a year with significantly reduced opportunities to watch it, this summer is set to make up for the absence in a big way. Starting in a few days is the rescheduled Euro 2020, Wimbledon will be with us in July after a year away, and later in the summer, we will all be able to enjoy the rescheduled Tokyo Olympics.
When you factor in all the other cricket, tennis, football, athletics and more taking place, it is clear we are in for a fabulous summer of sport. That is great news for fans, but not so much for cybersecurity teams that will be seeking to secure their organization against a fresh wave of sporting-based social engineering lures.
In our last blog post we explained how social engineering lures work [add link], now we’ll consider the specific type of lures people should watch out for this summer and look at what organizations can do to help keep employees safe.
The Rise of Social Engineering
Social engineering lures are a well-established form of cyber-attack. They work by targeting the weakest link in any organization’s cybersecurity – its people. Employees are human beings; they make occasional mistakes and get tired too. This means that sometimes they will click on a link that they shouldn’t or open an attachment that contains a malicious threat.
That’s why social engineering lures have become such an enduring threat. They rely upon people’s interest in current news and with an ongoing news cycle, can be refreshed on an almost continuous basis. Sporting events are a particularly effective way of getting people to click malicious links.
This is true generally, with cyber-criminals using the Super Bowl, World Cup, and almost any other sporting event as a social engineering lure, but perhaps this summer more than ever. Sports fans are so keen to enjoy a summer of sport after so much action has been postponed or cancelled over the past year that it is not unreasonable to think that they might be more vulnerable than they would usually.
What Does a Social Engineering Lure Look Like?
Because social engineering lures come in so many different guises and styles, they can feel hard to defend against. They nearly all look to abuse people’s trust by tricking them into giving up confidential information. Thinking specifically about the summer of sport ahead of us, this could look like one of the following:
Gambling-based Emails – some people enjoy a flutter on sporting events anyway, and this always increases for big events such as the Olympics and major football tournaments. With England expected to have a successful Euro 2020 and Scotland appearing at a tournament for the first time in decades, there could be a lot of ‘Cristiano Ronaldo or Harry Kane to be top scorer? ’ and ‘Scotland to beat England’ type emails purporting to be from legitimate bookmakers.
If employees click on the links within these emails, malicious software could be covertly installed on their machines. This could give criminals access to passwords and bank information and even provide them with control over an employee's computer.
Emails from Friends – if a cybercriminal accesses one person’s system, they can then send emails to everyone listed in that person’s contacts. An email from a friend that says, 'did you see this incredible Andy Murray shot yesterday?' and contains a link purporting to show a clip of the shot could be very tempting for a tennis fan.
Emails from a Colleague – when they get an email from a colleague or other trusted source, it can be hard for people to know whether that is genuine or not. If an employee receives an email from their boss saying that the Olympic 100m final will be shown on the TV in the boardroom, and contains a jpeg with a picture of one of the participants, then that is an enticing email.
Image files can be just as dangerous as links, perhaps even more so given that people are generally less aware of the threat that images (and other files) can carry.
How to Stay Secure Against Social Engineering Lures
Protecting against social engineering lures should be a key component of any cybersecurity strategy. Part of this strategy is undoubtedly using the right advanced email security solutions. Clearswift’s solutions work by removing malicious code and disabling URLs in emails and attachments before they arrive in the recipient’s inbox.
This hugely restricts the number of threats entering the organization and minimizes the damage they can potentially cause. But providing training for employees in how to recognize social engineering lures is of equal importance. 2020 Clearswift research with public sector employees revealed that 77% of respondents had been given no instruction in how to recognise ransomware, while 16% hadn’t been given any cybersecurity training whatsoever.
Cybersecurity training should be mandatory and encourage people to get into good habits. Training should include:
- Never Give out Financial Information or Passwords - any email that asks for financial information or passwords should be ignored or deleted. Legitimate providers will not ask for this detail, so encourage employees to delete any requests that do.
- Learn to Recognize the Signs – how likely is it that you would be sent an email from a betting company, had you shown no previous interest in gambling? Not that likely, so employees must be taught what to look for in social engineering lures. Any unsolicited communication should be approached with caution, and it is easy enough to check if an email comes from its stated sender by double-checking their name. Hovering the mouse cursor over any link will show the full URL, and you can tell from that whether it is genuine or not. Spelling mistakes and grammar illiteracies are also usually a sign that the email has malicious intent.
- Is the Training Working? – cybersecurity training should be ongoing, not a one-off occurrence. Furthermore, organizations need to test whether the training is working. Simulated phishing attacks are growing in use, and they are effective in identifying where training has been effective, who might need more work and reveal other vulnerabilities.
Social engineering lures are here to stay, and this summer will likely see a major spike in sports-related lures. But with the right combination of people, process and technology, there is no reason why organizations cannot stay secure.