Week 7 Midterm Research Project

Know Your Enemy

  1. Scareware is a form of social engineering that frightens users into giving away company information or acting against their better judgment. It usually appears as a pop-up on the user’s screen warning that files or software have been infected. The pop-up then prompts the user to pay to fix the “issue,” and once they have paid, it infects the computer with malware programmed to steal their data.
     https://www.fortinet.com/resources/cyberglossary/scareware#:~:text=A%20common%20scareware%20definition%20is,spread%20through%20spam%20email%20attacks.
  2. Tailgating is a social engineering tactic that lets an attacker gain physical access to a location holding secure data by exploiting the way people interact with each other. Tailgating happens when an attacker follows an employee through a key-carded door or into an employees-only area by posing as a coworker who forgot their key or badge. For example, one of your employees is asked to work on the data servers in another building; on the way there a “new hire” meets up with them, claims they don’t have a badge yet, and says they were told to work with them for the day. Without checking with a manager, the employee lets them follow into the server room.
     https://www.knowbe4.com/what-is-social-engineering/
  3. Vishing is phishing carried out over the phone. Callers try to extract PII to use in crimes. The usual goal is access to accounts or banking information, but in our case it would be access to the company’s files through a user account. An example would be a caller claiming to be from IT who needs a user’s username and password so they can fix an issue with the account.
     https://terranovasecurity.com/what-is-vishing/
  4. Baiting is the low-hanging fruit of social engineering tactics, literally. It works by offering a susceptible employee something they may be interested in, delivered on a disc, USB drive, or other readable media. For example, an attacker leaves a USB drive in the parking lot of the company office. An employee finds it and sees the words “layoff plan” written on it; naturally she needs to know whether she is about to be laid off. She inserts the drive into her PC and is instantly hit with ransomware or a keylogger that takes over her PC and steals company data.
     https://www.knowbe4.com/what-is-social-engineering/
  5. Spear phishing focuses on a small, very specific target group, typically the most vulnerable employees, with the aim of gaining access to organization data. It is carried out after researching the targets and is personalized so that the victim does something against their best interest. An example would be emailing a CFO with a subject line such as “Invoice,” attaching malware that looks like a PDF invoice; when they click it, thinking it is something they need to record and file, it turns out to be a keylogger or other malware that gives access to the company’s data and servers.
     https://www.knowbe4.com/spear-phishing/

Know Yourself

  1. Scareware: Employee education and awareness are the most effective ways to prevent scareware. If people know what to look for and avoid, they will stop clicking on these malicious links and pop-ups.
     https://www.fortinet.com/resources/cyberglossary/scareware#:~:text=A%20common%20scareware%20definition%20is,spread%20through%20spam%20email%20attacks.

  2. Tailgating: Key cards or badges that are required for access are the most effective way to eliminate this issue; combined with employee awareness, the chance of it happening can effectively be brought down to 0%.
     https://www.knowbe4.com/what-is-social-engineering/

  3. Vishing: Call screening is an easy way to reduce this problem, scanning calls and recognizing when they come from a known malicious number or are spoofed. Educating users to keep PII secure at all times is also a great way to reduce this issue.
     https://terranovasecurity.com/what-is-vishing/

  4. Baiting: Most PCs in modern use do not have DVD drives, which effectively eliminates DVDs as a way to bait someone, especially at work. USB drives still exist, but IT departments have the ability to block data transfer between USB devices and PCs.
     https://www.knowbe4.com/what-is-social-engineering/

  5. Spear phishing: Email filtering and authentication are also a good defense. If your mail servers do most of the heavy lifting in making sure these emails are never delivered, it will greatly reduce the amount of phishing within your company.
     https://www.knowbe4.com/spear-phishing/
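As an added example (not part of this write-up or any of the cited sources), here is a small Python mail-gateway rule that combines the email authentication results with an attachment check, run over a constructed invoice-lure message like the one in the spear phishing scenario above. It assumes the receiving mail server already records its SPF, DKIM and DMARC verdicts in an Authentication-Results header; the domains, addresses, header values and attachment body are all made up.

```python
from email import message_from_string

LURE_WORDS = ("invoice", "payment", "overdue", "wire transfer")
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

# Constructed sample message: addresses, domains, header values and body are made up
# (examp1e-corp is the attacker's look-alike of the company domain example-corp).
PHISH = """From: Accounts Payable <ap@examp1e-corp.test>
To: cfo@example-corp.test
Subject: Invoice overdue - action required
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=examp1e-corp.test; dkim=none; dmarc=fail header.from=examp1e-corp.test
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

MZ-placeholder-not-a-real-executable
"""
# The same mail as a legitimate internal invoice: authentication passes, a real .pdf name.
LEGIT = (PHISH.replace("examp1e-corp", "example-corp").replace("spf=fail", "spf=pass")
         .replace("dkim=none", "dkim=pass").replace("dmarc=fail", "dmarc=pass")
         .replace(".pdf.exe", ".pdf"))

def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the gateway's Authentication-Results header."""
    out = {}
    for clause in msg.get("Authentication-Results", "").split(";"):
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.startswith(method + "="):
                out[method] = clause[len(method) + 1:].split()[0]
    return out

def is_suspicious_name(name):
    """Executable extension, or a document extension hiding under a second one (x.pdf.zip)."""
    low = name.lower()
    return low.endswith(EXEC_EXT) or low.rpartition(".")[0].endswith(DOC_EXT)

def classify(raw):
    """Return (verdict, reasons): 'quarantine', 'tag' (deliver with a warning) or 'deliver'."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    reasons = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
               if auth.get(m) != "pass"]
    lure = any(w in msg.get("Subject", "").lower() for w in LURE_WORDS)
    # walk() covers multipart mail as well; a single-part attachment is its own root
    bad = [n for p in msg.walk() if (n := p.get_filename()) and is_suspicious_name(n)]
    if bad:
        reasons.append("suspicious attachment: " + ", ".join(bad))
    if bad or (lure and auth.get("dmarc") != "pass"):
        return "quarantine", reasons
    return ("tag" if reasons else "deliver"), reasons
```

A real gateway would apply the same logic to every part of a multipart message and pass the `reasons` list on to the user's warning banner or the quarantine log.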

Develop A Strategy

  1. User education is vital to making sure that your staff know exactly how to handle and avoid each of these situations. Training sessions and seminars fall into this category.
  2. Using a firewall as a preventative measure creates a barrier for bad data while allowing good data to reach whoever it needs to be sent to.
  3. Disable USB storage in firmware and domain settings so that no one can manually load bad data onto the company’s systems.
  4. Using privacy screens on monitors is a good way to keep a passerby from seeing sensitive information on another person’s computer.
  5. Make sure that people follow company policies on company devices, and have monitoring systems for those devices so that if someone does something inappropriate it is logged.
