Common Social Engineering Tactics to Watch For
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
Social engineering refers to a cyberattack method in which a cybercriminal preys on key human behaviors (e.g., trust of authority, fear of conflict and promise of rewards) to obtain unwarranted access to targets’ technology, systems, funds or data. These attacks can be deployed through various tactics, such as digital impersonation, deceitful messages or malicious software (known as malware). Social engineering attacks have become a significant threat to businesses of all sizes and sectors; after all, anyone can be targeted in these incidents—including entry-level workers, managers and CEOs.
With this in mind, it’s crucial for businesses to be aware of frequently utilized social engineering methods and adopt effective cybersecurity measures to help mitigate these incidents. This article outlines common social engineering tactics to watch for and offers associated prevention and response tips.
Common Social Engineering Techniques
In a social engineering attack, a cybercriminal implements a number of manipulative tactics to lure their target into performing actions that they normally wouldn’t. Some common social engineering methods include the following:
- Phishing—This technique involves cybercriminals leveraging fraudulent emails to trick recipients into providing sensitive information, clicking malicious links or opening harmful attachments. In order to make their emails appear genuine, cybercriminals will often impersonate trusted sources (e.g., a co-worker or well-known organization) and feign a sense of urgency to rush targets into acting. In addition to traditional phishing, cybercriminals may also attempt to manipulate targets over text messages or phone calls (known as smishing and vishing, respectively).
- Spear phishing—A spear-phishing scheme typically focuses on specific individuals or companies and uses personalized information to convince targets to share their data. In these instances, cybercriminals will research targets’ online behaviors, such as where they shop or what they share on social media, to collect personal details that make their schemes seem more legitimate.
- Business email compromise (BEC)—Such a technique refers to cybercriminals posing as business leaders or partners (e.g., executives, senior-level employees, vendors or suppliers), often for financial gain. Cybercriminals generally deploy BEC scams via email by creating fake accounts for business leaders or partners and using deceiving messages to trick targets into transferring money, divulging financial data or changing banking details.
- Baiting and quid pro quo—Through this strategy, cybercriminals make false promises to persuade targets to share data or download malware. These false promises may appear in the form of fraudulent pop-up advertisements or deceitful online promotions. For example, a cybercriminal may use a false advertisement for a free movie download to trick their target into installing a virus on their device. Similar to baiting, quid pro quo incidents involve cybercriminals promising to provide something valuable to their targets (e.g., an e-commerce coupon code or discounted security software) but only in exchange for the targets’ sensitive information (e.g., contact details, bank account numbers or login credentials).
- Pretexting—This technique consists of cybercriminals impersonating a co-worker, community leader or authority figure (e.g., a police officer, government employee, banker or tax official) and asking targets to provide sensitive information to confirm their identities or help complete critical tasks and assignments. Some of the most common types of data stolen amid pretexting incidents include employees’ contact details and Social Security numbers, company bank records and workplace security information.
- Tailgating—Through this tactic, cybercriminals physically sneak into workplaces by following closely behind employees or other credentialed individuals (e.g., custodians or building maintenance workers) without their knowledge. That is, after these authorized individuals leverage their key fobs or identification badges to pass through locked doors or security checkpoints, the cybercriminals will also slide inside before the locks can reengage. From there, the cybercriminals may leverage their on-site access to steal essential company records, infect important technology with viruses or malware and compromise security systems to allow continued workplace infiltration.
- Scareware—This method entails cybercriminals utilizing various scare tactics to frighten and manipulate targets into paying ransoms, often through seemingly legitimate prompts (e.g., fraudulent virus infection alerts urging targets to purchase security software for their devices or deceptive messages claiming to be from law enforcement that accuse targets of committing crimes and demand payment for any associated fines). Scareware may either initially contain malware or eventually coerce targets into downloading malware.
Tips to Mitigate Social Engineering Attacks
Businesses can consider these steps to help prevent and respond to social engineering attacks:
- Provide training. Businesses should educate employees on social engineering and how it could affect them. Additionally, employees should be required to participate in routine cybersecurity training on social engineering attack detection and prevention. This training should instruct employees to do the following:
  - Maintain a healthy sense of skepticism across communication channels by watching for social engineering tactics in emails, texts and calls (e.g., lack of personalization, generic phrasing and urgent requests).
  - Refrain from interacting with emails, texts or calls from unknown or suspicious senders.
  - Avoid clicking links or downloading applications provided within emails or texts.
  - Never share sensitive information online, via text or over the phone.
  - Utilize trusted contact methods (e.g., calling a company’s official phone number) to verify the validity of any suspicious requests.
  - Report any suspicious emails, texts or calls to the appropriate parties, such as a supervisor or the IT department.
- Implement access controls. By allowing employees access to only the information they need to complete their job duties, businesses can reduce the risk of cybercriminals compromising excess data or securing unsolicited funds amid social engineering incidents. To further protect their information, businesses should consider leveraging encryption services and establishing secure locations for backing up critical data.
- Utilize proper security software. Businesses should make sure all workplace technology is equipped with adequate security software. In some cases, this software can halt cybercriminals in their tracks, stopping fraudulent messages from reaching recipients’ devices and rendering harmful links or malicious applications ineffective. In particular, workplace technology should possess antivirus programs, spam detection systems, email filters, firewalls, message-blocking tools and multifactor authentication capabilities. This security software should be updated as needed through patch management systems to ensure its effectiveness.
- Ensure safe financial transactions. Having secure financial procedures can help limit the risk of any money being lost during social engineering attacks. As such, businesses should instruct employees who handle financial operations to carefully analyze fund transfer requests and similar payment demands to ensure their validity. When possible, these requests should be discussed in person before moving forward, especially if they involve alternative payment procedures or changes in banking details. Businesses may also want to consider utilizing several verification methods and implementing the “two-person rule” to confirm payment requests, in which two authorized individuals must review and approve transactions before they can go through.
- Adopt a cyber incident response plan. In the event that a social engineering attack is suspected or detected, it’s essential for businesses to have dedicated cyber incident response plans in place that outline steps to ensure timely remediation and keep damages to a minimum. These response plans should address a variety of possible attack scenarios and be communicated to all applicable parties. Both the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have resources available to help businesses create such plans.
- Conduct tabletop exercises and penetration testing. It’s not enough for businesses to simply create cyber incident response plans. Rather, they should routinely assess these plans for ongoing security gaps and make changes as needed to ensure maximum protection amid social engineering attacks. Common assessment techniques include the following:
  - Penetration testing—Such testing consists of an IT professional mimicking the actions of a cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and is able to withstand attack efforts. This testing usually targets a specific type of workplace technology and may leverage various attack vectors.
  - Tabletop exercises—A tabletop exercise is an activity that allows an organization to simulate a realistic cyberattack scenario (e.g., a phishing simulation) for the purpose of testing its incident response plan’s efficiency. In other words, this exercise serves as a cyberattack drill, giving participants the opportunity to practice responding to an attack.
- Consult trusted experts and professionals. Businesses don’t have to navigate and address their social engineering exposures alone. Instead, they can seek assistance and supplement their existing resources with guidance from a wide range of trusted external parties, including insurance professionals, legal counsel, cybersecurity firms, law enforcement and government agencies (e.g., CISA and NIST).
- Purchase sufficient coverage. It’s critical for businesses to purchase adequate insurance to secure ample financial protection against potential losses that may arise from social engineering attacks. Businesses should consult trusted insurance professionals to discuss their specific coverage needs.
Conclusion
Social engineering is a common and widespread cyberthreat that has the potential to wreak havoc on businesses across industry lines. Fortunately, organizations that ensure a solid understanding of key social engineering methods and leverage proper prevention and response measures can help minimize these incidents and their related losses.
Contact us today for more risk management guidance and insurance solutions.
- Published in Blog
Winter Attraction and Retention Tips
While some industries are busy due to holiday shopping and seasonal employment, recruiting often slows during the winter months—especially after the winter holidays. However, winter is also when many job candidates are setting goals and making plans for the coming year, which may include searching for new jobs and opportunities. Additionally, less recruiting activity means employers seeking to attract and hire employees during the winter may experience a competitive advantage over similar organizations.
Simultaneously, many employers struggle to keep employees engaged during the winter months. Employers may notice decreased workplace productivity and morale associated with the cold, dark weather and stress of the holidays and winter months. Left unaddressed, a winter slump can negatively impact employee satisfaction and retention, leading to increased turnover rates and other employment challenges.
Savvy employers can use winter employment challenges as opportunities to attract talented job candidates and re-energize the workforce. This article provides guidance for winter attraction and retention.
Winter Attraction Tips
Many individuals have more free time around the holidays. This provides an opportunity for employers to boost their recruiting efforts at a time when potential candidates have more free time and lenient schedules. Employers can consider the following strategies to improve winter attraction:
- Ramp up social media efforts
- Launch an employee referral program
- Share organizational and employee successes on social media
- Schedule interviews while candidates have free time around the holidays
- Build a talent pipeline to take advantage of the reduced hiring competition
- Recruit college or university students who graduated during the fall semester
- Use employment websites to improve branding and candidate outreach
- Create a mobile-friendly application process
- Be quick and transparent with all candidate communications
Winter Retention Tips
During the winter, employees often get less physical activity, spend less time outdoors and see their friends more infrequently. Additionally, many individuals experience a post-holiday slump, which refers to a period of mental fatigue or depression due to the emotional, financial and physical stress of the holiday season. This can negatively impact employees’ mental health and workplace performance. Employers can consider the following practices to boost employee engagement and retention during the winter months:
- Recognize and reward employees for good work and accomplishments
- Encourage goal-setting at the team, department and individual level
- Train employees to ensure they’re well-equipped to handle their workplace responsibilities
- Host active work breaks, such as 10-minute stretching or exercise options around the office
- Offer employees flexibility on days of severe winter weather
- Promote idea sharing and collaboration
- Check in with employees on a personal and professional level
- Design a comfortable workspace (e.g., soft lighting and lounge chairs)
- Celebrate and encourage employees’ personal successes (e.g., birthdays and weddings)
- Encourage employees to take work breaks together
- Offer holiday bonuses and other incentives (e.g., gift cards or prepaid cards)
- Encourage employees to take paid time off
Conclusion
Winter can create employment challenges for employers looking to attract and retain talented individuals. Employers that adopt a proactive approach to attraction and retention during the winter months can combat employment challenges that might otherwise contribute to low morale, decreased productivity and high turnover rates.
Contact us today for more workplace resources.
What Employers Say About the Future of Employer-sponsored Health Benefits
By Casey Kirkeby, Strategy Consultant
Employer-sponsored health benefits have faced several threats over the past few decades, but just like the hard-working employees they protect, they still endure and remain the primary method of coverage today.
One of the most impactful changes has been the introduction of the Affordable Care Act (ACA). The Employee Benefits Research Institute (EBRI) recently published a report examining the ACA’s impact and other government health care solutions on employer-sponsored health plans. The study interviewed 26 benefits executives from various industries whose organizations covered over 1.2 million individuals and spent more than $6.5 billion on benefits in 2021. Their data reflected that both employers and employees still viewed employer-sponsored health benefits as an important feature of the employment relationship. Who would have thought, right?! While this public option doesn’t guarantee ongoing success and stability, it will hopefully help shield employers from future challenges like legislative policy changes, economic difficulties and labor market shortages. Just like any good relationship, the employer/employee benefit relationship takes hard work, trust, and transparency.
As health care costs rise, employers are looking at any option to control costs. One arrangement that has been quite popular in the Lower 48 is the ICHRA (Individual Coverage Health Reimbursement Arrangement). Since its inception in January of 2022, many employers have adopted the ICHRA, directing their employees to private exchanges so that the employee is able to make plan design decisions for themselves apart from the traditional one-size-fits-all model. There are important considerations to take into account before an employer jumps to this model and the process is still clunky, but it can be a good fit for some employers. However, employers and employees have been slow to embrace the ICHRA because it lacks control over healthcare costs and creates additional administrative burdens that the employer has to absorb.
Another survey conducted by the National Business Group on Health concluded that most employers plan to continue offering health benefits to their employees as part of their overall compensation package. Specifically, the survey found that 92% of large employers offer health benefits and expect to continue doing so in the future, with an increasing focus on virtual health and digital solutions.
Employers are always exploring different ways to control costs, such as offering high-deductible health plans, Wellness Programs, Employee Assistance Programs surrounding mental health, and incentivizing employees to use cost-effective providers. But for now, employers remain confident in their ability to provide affordable health benefits to employees as an important attraction and retention tool.
To Wage War On Work & Wage
By Kevina “Liz” Mitchell, Employee Benefits Account Specialist
Like many of the other 10 million single mothers in America, I have one beautiful princess who my life revolves around. Yet, whether we be single parents, two parent homes, or even individuals, this past year has likely affected each of our metaphorical family orbits. Once inflation took flight last year and refused to land, I was faced with a hard decision: either leave my current job (which I love) or take on a second part-time gig. Neither choice is appealing, but I have chosen the second. A) Because again, I love my job and B) because although the job market is hawt, the jobs I do qualify for either do not pay what I need, or they just seem really sus.
I do wonder when the last time the State of Alaska updated their assistance eligibility requirement was. Though I have by all accounts a respectable white-collar job, I still struggle to pay my bills, often having to choose between buying food or paying said bills. There’s no extra. The things my daughter and I were able to enjoy before this inflationary period are now unattainable because they cost money that I simply don’t have. As she grows… so do her interests. She wants to take classes that there are no funds for. Even I would like to take a class or two to grow my interests but cannot. But, according to Alaska, I make too much money. So, help is not available to me.
My remaining option then becomes to work more hours, having even less time with my little girl who needs me, and exhausting myself more than I already am. I suppose I could don a nice dress and hunt for a rich man… but I’m anemic so I don’t have the energy for that, hahaha! I do, however, think this is an opportunity for some creativity. My mother has been pestering me to start painting again. Allegedly I have a growing fanbase on JBER that would like to purchase my art pieces. I’ve also decided that this is a wonderful time to monetize my stunningly straight teeth and infectious personality via the Food & Beverage Industry.
Either way, I know I’m going to be just fine. While this isn’t how I envisioned my life going I can’t say that it’s boring. At least I have this life and the wonderful daughter within it. I’m also pretty excited about the possibilities! Especially the part where I will have no excuses to not leave my house anymore…or maybe that part was just anxiety, I don’t know. But darn it all, it’s happening, and life goes on.
Expanding the Talent Pool With University and College Recruitment Strategies
A common misstep in attracting or recruiting talent is setting narrow restrictions on who to interview or where talent is sourced. Often, highly talented job candidates are overlooked due to inexperience. Employers have an opportunity to expand their recruiting reach by pursuing entry-level candidates at universities, colleges and trade schools, but it comes down to hiring for skills or the right fit—rather than experience—and offering training and career development on the job. This kind of strategy is considered a core recruitment function for many organizations.
As new generations enter the workforce and everyday job skills change, savvy employers can secure candidates who have the potential to grow in a new career. This article explores the opportunity for recruiting and hiring employees from universities, colleges and trade schools and ways to build a sustainable recruitment strategy.
Types of Institutions and Skills
Understanding the various learning institutions employers partner with and their differences is essential to determine which will be more beneficial for employers to recruit from. A university generally refers to a larger higher education institution that offers both undergraduate and graduate programs. They often have an emphasis on conducting research.
On the other hand, a college is often smaller and usually refers to community colleges, technical schools and liberal arts colleges. They typically only focus on undergraduate studies. A trade or vocational school offers programs that can be completed within one or two years and focus on a career-intensive curriculum with hands-on experience.
Just as there are various learning institutions, there are different skill sets employers may want to seek out depending on their industry or organization. In some cases, many may desire workers with an undergraduate degree or master’s degree; other companies may be interested in trade talent or specialized skills.
The Opportunity and Benefits
The opportunity to build a continual talent pipeline is there and will remain. The U.S. Bureau of Labor Statistics reported the following about graduates (ages 20 to 29) in 2021:
- 3 million earned a bachelor’s degree.
- 371,000 completed an associate degree.
Keep in mind that these statistics don’t include other age ranges, many of whom could be graduates—and great potential employees.
Educational institutions have been providing employers with high-quality talent for a long time. Still, there are reasons to amp up those efforts and explore additional ways to throw a wider net for entry-level candidates.
Consider the following benefits of targeting and hiring candidates via universities, colleges and trade schools or from different sectors or even roles:
- Continuous supply of candidates—Universities and colleges offer talent continually; multiple groups of students graduate in a given year. As such, employers can connect with new graduates several times throughout the year.
- Fresh, transferrable skills—It can be beneficial to hire someone with solid communication, leadership, teamwork and problem-solving skills instead of focusing on years of industry experience. This is because employers can offer learning and development opportunities to help such employees learn about the industry, department or role. For example, some liberal arts colleges may focus heavily on writing and thinking skills, which apply to many positions and may not necessarily be able to be taught in the workplace.
- Increased innovation—A candidate outside your sector won’t have industry fatigue and is positioned to bring fresh ideas to the workplace. Employees new to an industry tend to be more adaptable and open to new ways of working. This fresh perspective can push organizations out of their comfort zones and help them consider innovative or competitive approaches. Universities and colleges generally stay up to date, so students are poised to bring in the freshest ideas and forward-thinking perspectives.
- Improved employer branding—Organizations can build a renewed perception of their employer brand by building their brand within university and college settings. Campus recruitment is a great way to reach a wider audience for the organization’s brand.
- Diverse talent pool—Hiring candidates from various universities and schools can help an organization expand its candidate reach and find potential employees of varying backgrounds.
While experience and industry knowledge have their places in recruitment and hiring, it can be beneficial for organizations to hire talent from outside their industry or consider candidates with the right skills but not enough experience yet.
University and College Recruitment Strategies
Employers looking to expand their recruiting reach should review the following considerations to sustainably engage candidates in a learning environment:
- Attend in-person events. Especially before the pandemic, many university recruiting strategies relied on visiting select campuses to recruit entry-level candidates. This is still a successful strategy for employers to engage and connect with candidates on campus. Most universities and colleges hold in-person career fairs.
- Actively recruit virtually. An organization hiring remote or hybrid workers can leverage online platforms to engage with candidates and bolster their company’s brand. But it takes more than simply establishing online accounts; employers should be proactive and promote that they are open to hiring outside candidates since they offer learning and training opportunities. Additionally, online portals (e.g., Handshake) can help employers connect with students where they are and start personalized recruiting conversations.
- Participate in virtual recruiting efforts. Many universities have integrated virtual learning, and using that same approach for entry-level recruiting is effective. Virtual recruiting is an efficient way to broaden and diversify the recruitment reach for college students. Virtual career fairs will likely be hosted by colleges, trade associations or other organizations. Alternatively, a virtual event or webinar may be focused on a particular industry, profession, experience or geographic area, which can help recruit mid-level and senior positions or other nonuniversity candidates.
- Build relationships with stakeholders. For a partnership to succeed or be impactful, employers must develop long-term relationships with institutional stakeholders, such as career centers and professors. Employers may find through a quick phone call or email that career centers, for example, will be very receptive to learning more about an employer’s opportunities and establishing a relationship.
- Establish an internship or apprenticeship program. Such programs can be a strategic way to get talent in the door early and provide candidates with real-life experience. Ultimately, employers will also know if candidates have the necessary skills and if they are a good match for the company culture. Candidates may also be more likely to select a full-time employer they’ve already worked for in a less permanent capacity. An internship or apprenticeship program allows an organization to show off its workplace culture and career opportunities to rising top talent.
- Offer learning and development opportunities. Regardless of industry or age, today’s workers want career growth opportunities. Learning and development opportunities can help employees become better at their jobs and overcome performance gaps due to a lack of access to knowledge or skills. Remember that training only fills a gap, whereas professional development focuses on long-term employee and company growth.
Recruiting from higher education institutions relies on establishing effective relationships with educational institutions and identifying and engaging with suitable candidates that can bring value to the workplace and grow in a career there. Recruitment can be a mutually beneficial opportunity for both employers and universities.
Summary
Suppose employers are having a hard time finding qualified candidates. In that case, they could consider expanding their recruitment reach by pursuing entry-level workers from universities and other types of higher education institutions. New energy and fresh perspectives from recent and soon-to-be graduates can help organizations innovate and develop a strong workplace culture.
Contact RISQ Consulting today for more information and help finding ideal candidates for your company.
Career Gap in Resume? Nearly Half of Employers Believe You Are an Untapped Talent!
By Casey Kirkeby, Strategy Consultant
Nearly half of professionals changed their job last year. The other half either stayed where they were, went part-time, or took a leave of absence from the workforce altogether citing a variety of reasons. Where does that leave employers? They need people and they need them now!
According to this 2019 SHRM article about evaluating employment gaps, Peter Yang, CEO and co-founder of ResumeGo, a résumé-writing service, was quoted as saying, “Those with gaps in their work history run the risk of being seen as lazy or unfocused with their careers, and not as an in-demand asset in the eyes of potential employers.” After 3 years and a Pandemic, you don’t have to be embarrassed or sheepish about it as much. More than ever, people have taken breaks to either focus on family or mental health.
Some hiring and résumé experts say the current labor shortage, as well as the pandemic’s personal toll on workers, has made recruiters more receptive to applicants with gaps in employment. A recent survey by LinkedIn found that “nearly two-thirds (62%) of employees have taken a break at some point in their professional career, and just over a third (35%), mostly women, would like to take a career break in the future.”
My advice if you are looking for a job in the current market? Don’t be afraid to tell the truth about your work history. The market is ripe for the picking and there are plenty of jobs to choose from, so shine like you never have before, because employers want talented people just like you! Make it a choice you feel good about as you advance forward in your working (and sometimes not working) life.
I’d also like to plug my workplace because we are hiring, and here are our current job postings: RISQ Consulting Job Posts. Happy Hunting!
Article: https://www.morningbrew.com/hr/stories/2022/03/04/don-t-mind-the-career-gap