Cyber attacks come from many different avenues. Some attacks are more common than others, but those that are rare can also be more complex and convincing.

So what are the most common types of attacks that target employees?

Phishing

The most common cyberattacks on employees are phishing attacks.

These aim to gather credentials that allow attackers to easily infiltrate your system. Attackers often gather credentials by impersonating individuals inside or outside your company.

Phishing is delivered by email 91% of the time. Malicious links are also delivered through social media. 62% of phishing simulations capture at least one user’s credentials.

Phishing Definition

The actual definition of phishing is “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.”

In layman’s terms, someone tries to get your information by pretending to be someone real or powerful.

Often, these are blast emails sent to the entire email system of an organization. The intent is to fool somebody. Anybody.

Large-scale attacks aiming for a single success are known as “barrel phishing.”

Targeted phishing also exists, called “spear phishing.” Specifically, “whaling” is when an attacker impersonates a company’s CEO.

What are common indicators of a phishing attempt?

If an email seems unnecessarily urgent (“Can you meet right now?” – The CEO), there is a chance it is phishing. Do you normally meet with the CEO?

This sense of urgency is to persuade employees to act fast and click a link without thinking.

Additionally, grammatical errors make their way into a lot of phishing material. Most phishing emails are sent to large groups and are not personalized at all.

Finally, consider that phishing emails rarely capture the impersonated person’s voice. If the tone and vocabulary do not sound like the person in the “from” line, there’s a good chance the email isn’t from them.

How do you stop phishing emails?

The easiest way to stop phishing emails is by implementing a spam blocker. This will not keep out specialized attacks. But it is an easy way to keep some of the lowest-hanging fruit out of your inbox.

The best way to stop successful phishing emails is cybersecurity training for employees.

Teaching employees to see the signs laid out in the previous section, as well as how to recognize a spoofed URL, is key.
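One way to teach the spoofed-URL sign concretely is to show the checks an email filter can run on each link: does the visible text name one domain while the link goes to another, does the host hide behind a bare IP address or a user@host trick, is the domain punycode. The script below is an added example, not code from the original article; the link samples are constructed, and the domain-stripping helper is a deliberate simplification (a real check would use the Public Suffix List).

```python
"""Added example (not from the original article): flag links whose visible
text does not match where they actually lead, one of the spoofed-URL signs
described above. Sample links below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlparse

# Pulls a host name such as www.bigbank.com out of the visible link text, if any.
URL_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'example.com' from 'login.example.com'; fine for a demo,
    a production check would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_warnings(display_text: str, href: str) -> list[str]:
    """Return the reasons a link looks spoofed (an empty list means no finding)."""
    warnings = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return ["unparseable or non-web link"]
    if parsed.scheme == "http":
        warnings.append("plain http, not https")
    if "@" in parsed.netloc:  # https://www.bigbank.com@evil.example: the real host is after '@'
        warnings.append("userinfo before host (real host is %r)" % host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (look-alike) domain")
    m = URL_IN_TEXT.search(display_text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        warnings.append("visible text points to %s but link goes to %s"
                        % (registrable_domain(m.group(1)), registrable_domain(host)))
    return warnings


if __name__ == "__main__":
    SAMPLE_LINKS = [  # constructed (display text, href) pairs
        ("https://www.bigbank.com", "https://www.bigbank.com/login"),
        ("https://www.bigbank.com/account", "https://bigbank.com.login-verify.net/"),
        ("www.bigbank.com", "https://www.bigbank.com@203.0.113.5/login"),
    ]
    for text, href in SAMPLE_LINKS:
        print(href, "->", link_warnings(text, href) or "no finding")
```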

Social Engineering

Not all cyberattacks start virtually. Some start offline and move online once they establish an entryway. That said, social engineering can also happen entirely online.

Social Engineering Definition

Social engineering is a form of attack that relies heavily on human interaction. Most often attackers manipulate victims to gain otherwise unauthorized access.

Attackers conceal their identities and portray themselves as being trustworthy or authoritative.

Social engineering can be easier than hacking a system directly. That is because of the prevalence of human error in allowing cyberattacks. One click or one door can make all the difference.

Most Common Forms of Social Engineering

Phishing is technically a form of social engineering. Concealing identities and promising a reward manipulate employees into acting quickly. The same can be said about offering trips, rewards, or gift cards.

Other forms of social engineering include diversion theft, in which attackers intercept deliveries or information by deliberately deceiving couriers.

“Water-holing” means infecting a central site that the intended targets visit often, such as a common information site, an e-commerce site, or another site they rely on.

A physical form of social engineering is tailgating, or following someone to sneak into an area. Think of your favorite detective movie or show.

What is the primary countermeasure to social engineering?

The answer to counteracting social engineering is – you guessed it – cybersecurity training.

That said, there are other concrete steps you can take to thwart social engineering. By maintaining simple cyber hygiene, break-ins become difficult. Make sure to always secure valuable hardware and information.

The biggest defense here is authorization and authentication control. Limit who can access certain information or areas. Doing so provides fewer possible avenues for bad actors to reach their target.

Even if you trust your employees, there is no added benefit to giving everyone access to financial or personal information. Only those who need information for work purposes should be able to access it.

Additionally, keep a secondary Wi-Fi network for visitors. This will keep unwanted users from your company network.

Ransomware

Phishing is a passive attempt at entering a company’s system. However, the following attacks are much more aggressive.

Enter ransomware.

Ransomware Definition

Ransomware is a malware attack that encrypts a user’s files until they make a payment to decrypt them.

The attacker will threaten to delete the files or release private information found unless the victim pays the ransom.

Ransomware Examples

Many cases exist where ransomware has extorted inordinate sums of money from companies.

In July 2021, IT solutions developer Kaseya was targeted in an attack that preyed on a vulnerability in their software. Earlier in 2021, cybercriminals shut down a United States fuel pipeline in the DarkSide attack.

One of the largest ransomware attacks was the WannaCry attack in 2017. WannaCry’s targets included the United Kingdom’s National Health Service.

Other ransomware groups are REvil and Conti. Some malware is built specifically for ransomware, like Ryuk, which targets large companies.

How Does Ransomware Spread?

Ransomware often starts through that first phishing email. All it takes is one login credential to provide the access they need to take an entire database for ransom.

From there, ransomware can move laterally throughout a company. Typically, ransomware attackers move through a compromised system by hijacking remote services.

It takes about 5 months for an attacker to infiltrate a system, spread internally, and either unveil itself or be detected.

How To Prevent Ransomware

Again, minimizing the chances of infiltration is the key to preventing ransomware. Be diligent about cybersecurity hygiene and stay educated on cybersecurity best practices.

Mobile Entry

Beginning in 2020, cyberattacks targeted more mobile devices than ever.

Due to the COVID-19 pandemic, remote work increased exponentially. Remote work also expands the attack surface for companies’ mobile devices drastically.

Cyber attacks on mobile devices happen almost exactly the way they do on in-office endpoints.

Remote workers are often on significantly less-protected networks than when in office. With the pandemic, many networks were retrofitted to allow non-company devices access to corporate data.

Cybercriminals adjusted, as they do.

As we have learned, human error is the main source of cybersecurity trouble. Thus, leaving more employees open to unsecured networks is a recipe for disaster.

There are many ways to reduce vulnerabilities on remote devices, such as using a virtual desktop, a terminal server, or conditional access policies.

Additionally, having company devices that come pre-configured with security settings will ensure consistency.

Also, consider a Bring Your Own Device (BYOD) policy. BYOD policies ensure unauthorized employee devices do not make it onto your network. If these devices don’t have the proper security setup for your company, they put you at great risk.

Insider Threats

Sometimes the threat of a cyberattack can come from the inside of your company.

Access and authorization can be abused, especially in the case of disgruntled employees. Contractors or employees who are being off-boarded can also take advantage of access.

Imagine an already problematic employee being terminated with just cause. Perhaps this former employee wants revenge by stealing company data on the way out the door, planning to sell it for a profit. This is just one potential example of an insider threat.

Simple carelessness is also an insider threat. Occasionally, an employee will forget to lock their computer at the end of the day or send data to the wrong recipient over email. Maybe they use “qwerty” and “password” to secure their computers.

You can help reduce technology-associated insider threats by establishing strict conditional-access policies. Only allow employees to have access to the information that they need and lock them out of what they don’t.

This is the surest way to keep eyes and hands from the inside off company data.

Cybersecurity Policies

Enforcing strict cybersecurity policies essentially serves as long-term training. By enforcing cyber best practices, employees and managers grow their knowledge through action.

Of course, the primary function of cybersecurity policies is to keep your business protected in the present. If built out the correct way, your policies should be a win-win situation for everyone.

All companies should institute certain policies. Here are a few to consider implementing immediately.

Password Storage and Best Practices

Passwords are our gateways to information and places that we are authorized to access. Unfortunately, if they are not properly attended to, they can provide an avenue for others to access these things as well.

The first step to password safety is enforcing strong passwords. Enforce criteria like numbers, special characters, and length.

If employees are required to use long, unique passwords, they learn what a secure password looks like.

Passwords should be changed regularly and not shared with others.

With all the passwords people must remember, consider a password manager. This allows employees to store secure passwords across different platforms. No memorization required.

Some password managers will also alert you if your passwords are not secure or appear in a data breach. They will also send an alert if they notice passwords being repeated too often.

Keep in mind, saving passwords in your browser is not recommended. Consider using a password manager like LastPass.

Multi-Factor Authentication

The best defense against password loss is multi-factor authentication.

Often, multi-factor authentication consists of only two factors: something someone knows, and something they have. The thing they know can be a password or a security question.

The thing they have is likely to be a smart device that pushes a unique, rotating authentication code. It can also be biometric data, like a fingerprint. Bonus points for needing biometric data to open the authentication app.

By adding a single extra authentication factor, the chance of fraudulent access decreases immensely. This serves as more education simply through action.
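The “unique, rotating authentication code” on a phone is usually a time-based one-time password (TOTP, RFC 6238): the app and the server share a secret, and each 30-second window gets a fresh code derived from it. The code below is an added example, not from the original article, showing both the derivation and the server-side check with a one-step tolerance for clock drift; the secret and timestamps are the RFC’s published test values, not real credentials.

```python
"""Added example (not from the original article): how a rotating authenticator
code is derived and verified (TOTP, RFC 6238, HMAC-SHA1, 30-second steps).
The secret below is the RFC 6238 test secret, not a real credential."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code for the 30-second window that contains unix_time."""
    counter = unix_time // STEP_SECONDS          # same counter for the whole window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation: low nibble picks a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current window plus skew_steps either side
    for clock drift, comparing in constant time so timing leaks nothing."""
    for step in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, unix_time + step * STEP_SECONDS, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"       # RFC 6238 test secret
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code for this window:", code, "->", verify(demo_secret, code, now))
```

A real deployment also records the last accepted counter so a code cannot be replayed within its own window.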

Secure Browsing

The pages you and your employees visit are important to consider when it comes to cybersecurity. Luckily, most browsers will flag unsafe sites and point you away from them when you attempt to navigate there.

Unfortunately, cyber literacy is still not 100% among the workforce. Sometimes employers need to set boundaries for what sites employees can access from work devices.

It is important to teach employees what sites are not acceptable to access at work, and why. This may seem like a tedious task, but it remains necessary.

Additionally, teach employees to check for website security certificates. This can be done by double-clicking the padlock icon in the address bar of your browser. If no certificate appears, or the certificate does not match the site, that site should be skipped.

You can also ensure you are visiting a secure site by checking the site’s URL begins with “https://” and not just “http://”.