First and foremost, it’s important to have a policy on how you want individuals to respond to suspicious activity whether it be on-site, over the phone, or on the computer. The next step is to make sure policies have been clearly communicated. It’s also important to openly reward the individuals who follow them and have a training plan for folks who fall short. Specific examples and ideas are included below.
One of the best ways to protect against vishing attacks is to have a way to confirm with whom you are speaking. Best practice says no one should provide any information to an unknown caller without first verifying their identity. When in doubt, ask the caller for more information. If the caller cannot give you the information needed to verify them, or has a great story as to why they can’t, it’s important to stick to policy and inform the caller that you cannot release the information until you are able to confirm their identity.
Ask for name, company, title, and phone number to call them back. In some cases, the malicious caller will disconnect when asked specific questions (especially if vague answers are met with a repeat of the question) or if placed on hold. Be aware though, that more advanced attackers will have a legitimate number to call back, so verification of that number may be a necessary step.
If the call appears to come from an internal source, it’s best to verify an employee ID before answering any questions, to be on the safe side, since attackers will often use caller-ID spoofing. Make sure all employees are aware of what information tech support or HR are allowed to ask for on the phone and in what way they will be required to verify themselves.
One important aspect of protection against impersonation attacks is an awareness of one’s surroundings. A clear understanding of who should be in the facility and the requirements for entry is critical. Attackers take advantage of fitting in and rely on the politeness or lack of attention of the target population.
One way to protect yourself against someone impersonating tech support in order to gain physical access to your computer is to know who your tech support person/company is and how to verify them as an employee. This means having a policy in place for employees to follow and also training them how and when to use it. It can be as simple as a two-sided badge with a verifiable ID number on the back of tech support badges, or as involved as setting up a ticketing system for tech support visits.
These attacks are hard to avoid but with a security policy employees can stick to and some practical training, this vector for attack can be controlled. One way to stop this attack is to limit the reception of deliveries to a secure reception area. Never allow delivery people to take items directly to a designated employee or area. If a delivery person must walk into your building, have them escorted to their destination and back, and do not leave them unattended. Although with proper planning an attacker can fake an ID card, many will still not have the proper credentials to back it up. If you are still unsure if a person is who they say they are, call their company. The company will be able to tell you if they are in fact an employee and are scheduled to make a delivery.
There are a few ways to keep from falling victim to USB drops/plants. First, as stated previously, know how to verify a tech support person/company and whether there is a policy that states whether tech support are allowed to use USB drives. Second, don’t use USB drives or CDs that are found anywhere in or around the office. Companies can allow employees to turn in USB drives found in or around the office to a specific location (usually in-house tech support, if available). Businesses can also create a group policy to block recognition of USB drives on all corporate computers and then manage the settings centrally.
The best way to protect against these types of scams is to not open anything that seems suspicious to you. Technical support will NEVER ask for your username and password since they can access this information if they need to (which they shouldn’t).
There are excellent phishing awareness programs available to educate users on the items to look for in a suspicious email (such as checking spelling in URLs and hovering over links to see where they really go) and to test users on how well they spot a phish.
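The two checks named above (comparing the spelling of a domain and looking at where a link really goes, rather than what its text says) can be automated over an email body. The following is an added example, not code from the original article or from any awareness product it refers to; the `KNOWN_DOMAINS` set and the `SAMPLE_EMAIL` body are constructed for the demonstration, and the lookalike and "registrable domain" heuristics are deliberately simple (no public-suffix list, a small homoglyph table) so the logic stays readable.

```python
"""Flag phishing-style links in an HTML email body: link text that names a
different site than the href, lookalike spellings of known domains, and a
known brand buried as a subdomain of an unrelated host."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: domains the organisation legitimately uses or expects.
KNOWN_DOMAINS = {"example.com", "example-bank.com"}

# Character swaps that make a lookalike read like the real name (0->o, 1->l, ...).
# Heuristic only: it will also fold a few legitimate strings together.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def normalise(domain: str) -> str:
    """Undo common visual tricks so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def check_link(href: str, text: str) -> list:
    """Return a list of human-readable reasons this link looks suspicious (empty if none)."""
    reasons = []
    url = urlparse(href.strip())
    host = (url.hostname or "").lower()
    reg = registrable(host) if host else ""
    if url.scheme and url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    # 1. "Hover over the link": the visible text names one domain, the href another.
    for shown in _HOST_RE.findall(text):
        if registrable(shown) != reg:
            reasons.append(f"text shows {registrable(shown)} but link goes to {reg or href}")
    if reg and reg not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            # 2. "Check the spelling": same name once digit/letter swaps are undone.
            if normalise(reg) == normalise(known):
                reasons.append(f"{reg} is a lookalike of {known}")
            # 3. A known domain used as a subdomain label of an unrelated host.
            elif f".{known}." in f".{host}.":
                reasons.append(f"{known} used as a subdomain of {reg}")
    return reasons


def analyse_email(html: str) -> list:
    """Return [(href, text, reasons)] for every link that raised at least one reason."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text.strip(), reasons))
    return flagged


# Constructed sample body: two suspicious links and one legitimate one.
SAMPLE_EMAIL = """<p>Your mailbox is almost full.</p>
<a href="http://example.com.verify-login.net/x">https://example.com/account</a>
<a href="https://examp1e.com/">Sign in now</a>
<a href="https://mail.example.com/help">Help centre</a>"""

if __name__ == "__main__":
    for href, text, reasons in analyse_email(SAMPLE_EMAIL):
        print(f"{href!r} ({text!r}): " + "; ".join(reasons))
```

Run as a script it reports the first two links and stays silent on the third. In practice the same `check_link` logic sits well in a mail-gateway rule or in the reporting tool behind a "report phish" button, where the reasons it produces double as the explanation shown to the user who reported the message.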