It’s not just deep-pocketed corporations that prove attractive targets for social engineering. Any organization that holds information that can fetch a good price in the criminal marketplace will draw the attention of social engineers.
According to Risk & Insurance, a case in point may be found in community associations. They hold a great deal of personal data: names and addresses of their members, and often those members’ Social Security numbers, bank accounts, and credit card information. The value of these data in the criminal-to-criminal market is obvious.
Moreover, those data can all too often be poorly protected. Kevin Davis, president of Kevin Davis Insurance Services, told Risk & Insurance, “These groups are prime targets for cybercriminals due to their low-tech systems housing sensitive information…. Many do not have a risk assessment plan to identify system vulnerabilities, nor do they have a documented security-incident response plan. Once criminals get inside the community association system, they have easy access to social security numbers, banking information, email addresses, client information, anything that will create serious problems for the association.”
The article outlines five approaches criminals commonly use against community associations. Impersonation scams, whether by email or by phone, are often seen. “One of the most common types of social engineering scams in recent years is when fraudsters impersonate the U.S. Social Security Administration (SSA),” Davis said. A second risk is ransomware, usually installed when a worker is induced to click a malicious link. A third risk is posed by a lost or stolen device, since some associations overlook best practices in protecting such devices. Weak passwords, for example, are all too common. The fourth threat is business email compromise. And the fifth is a general risk shared by many businesses and other organizations: remote work increases exposure to compromise.
The article concludes by recommending a range of best practices. We’ll add one: training. New-school security awareness training can equip members of any organization with the tools they need to recognize and fend off social engineering.