A controller receives an email from her boss directing her to forward funds to a current vendor’s new address. Because it appears to be an internal email, she sends the money.
A few weeks later, the controller gets a call from the vendor’s accounts receivable department asking for payment. The email the controller received wasn’t sent by her boss; it was sent by a cyber-criminal. Unfortunately, this is not an isolated incident. It happens all the time, and the quality and creativity in the deception continues to evolve.
Defining Social Engineering
Social engineering is different from other forms of cyber theft, such as funds transfer fraud and computer fraud. The main difference is that social engineering involves the fraudulently induced, voluntary transfer of property (including money) by an insured. Both computer fraud and funds transfer fraud involve a third party who fraudulently transfers property, including money, either from a business or bank.
Human-based social engineering fraud, otherwise known as “human hacking,” is defined as the art of influencing people to disclose information and getting them to act inappropriately.
Some criminals consider it much easier to abuse a person’s trust than to use technical means to hack into a secured computer system. They have learned how to trick their targets into giving them information by exploiting certain qualities in human nature. They use various forms of communication, such as email, the Internet, the telephone and even face-to-face interactions to perpetrate their scheme of defrauding and infiltrating companies.
Social engineering attacks can take many forms and can be human or computer-based. However, security experts recognize that most scams follow a four-stage method:
- information gathering;
- relationship development;
- exploitation; and
This methodology, along with the tendency for humans to be the weakest link in the security chain, creates a vulnerability that can have a serious operational impact. According to Check Point Software Technologies, nearly half of global businesses surveyed reported being the victim of one or more social engineering attacks that resulted in losses ranging anywhere from $25,000 to $100,000 per occurrence or more.
Because social engineering is a threat, it is essential that all employees be educated and trained on how to detect and prevent this type of fraud. Companies also need to develop and implement specific policies to prevent and respond to an attack, such as training for employees on what constitutes confidential and sensitive information and how to keep it safe. Companies are advised not to focus their efforts and security budgets entirely on defending against technical attacks from hackers and other electronic threats, thereby underestimating, or even entirely overlooking, the system weaknesses posed by the human element.
The first step is to understand the various social engineering strategies employed by cyber thieves.
- Impersonating/Pretexting. This common form of deception may involve an attacker using a believable reason to impersonate a person in authority, a fellow employee, IT representative or vendor in order to gather confidential or other sensitive information.
- Phishing/Spamming/Spear phishing. Phishing can take the form of a phone call or email from someone claiming to be in a position of authority who asks for confidential information, such as a password. Phishing can also include sending emails to organizational contacts that contain malware designed to compromise computer systems or capture personal or private credentials.
- IVR/Phone Phishing (aka Vishing). This technical tactic involves using an interactive voice response (IVR) system to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond in order to “verify” confidential information.
- Trash Cover/Forensic Recovery. Attackers collect information from discarded materials such as old computer equipment (e.g., hard drives, thumb drives, DVDs, CDs) and company documents that were not disposed of securely.
- Quid Pro Quo. An attacker makes random calls and offers his or her targets a gift or benefit in exchange for a specific action or piece of information with the goal of rendering some form of assistance so that the target will feel obligated in some way.
- Malware-Infected Device. A common method of baiting involves leaving an innocent-looking, malware-infected device (e.g., a USB drive, CD or DVD) at a location where an employee will come across it and, out of curiosity, plug or load the infected device into his or her computer.
- Tailgating/Direct Access. Attackers gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has business with the company. The attacker may state that he or she left security credentials inside the facility or at home if challenged by an employee while entering the facility.
- Diversion Theft. The methodology in this attack involves misdirecting a courier or transport company and arranging for a package or delivery to be taken to another location.
In addition, social engineers will focus their attention on locating vital data, such as account numbers, phone and client contact lists, organizational charts and other information on key employees who have access to privileges and computer system details (on servers, networks, intranets, etc.) during their information-gathering phase. They also have been known to go after tangible property, such as keys, access cards and identity badges, especially in cases where their method of operation is through direct access.
The second step is to develop a plan for mitigating the effect of social engineering attacks. It should include a component for raising awareness among employees and educating those who are most vulnerable: new hires, help desk personnel, contractors, executive assistants, human resource personnel, senior managers and executives, as well as information technology employees who handle technical and physical security. It is not enough for a workforce to simply follow a policy guideline; employees must be educated on how to recognize and respond to an attacker’s methods and thus become a “human firewall.”
Key Mitigation Measures
A proper training program should include the following measures.
- Conduct a data classification assessment, identifying which employees have access to what types and levels of sensitive company information. Know who the primary targets of a social engineering scheme are likely to be. Remember: All employees are at risk.
- Never release confidential or sensitive information to strangers or anyone who doesn’t have a valid reason for having it, even if the person identifies himself as a coworker, superior or IT representative. If a password must be shared, it should never be given out over the phone or by email.
- Establish procedures to verify incoming checks and ensure clearance prior to transferring any money by wire.
- Reduce the reliance on email for all financial transactions. If email must be used, establish call-back procedures for all outgoing fund transfers, in which the client or vendor is called back on a previously established phone number (never on a number supplied in the request), or implement a customer verification system with similar dual-verification properties.
- Establish procedures to verify any changes to customer or vendor details, independent of the requester of the change.
- Avoid using or exploring “rogue devices,” such as unauthenticated thumb/flash drives or software on a computer or network.
- Be suspicious of unsolicited emails and only open ones from trusted sources. Never forward, respond to or access attachments or links in such emails; delete or quarantine them.
- Avoid responding to any offers made over the phone or via email.
- If it sounds too good to be true, then it probably is. This could include unsolicited offers to help solve a problem, such as a computer issue or other technical matter.
- Be cautious in situations where a party refuses to provide basic contact information, attempts to rush a conversation (act now, think later), uses intimidating language or requests confidential information.
- Physical documents and other tangible material, such as computer hardware and software, should be shredded and/or destroyed prior to disposal in any onsite receptacles, such as dumpsters.
- Proactively combat information security complacency in the workplace by implementing internal awareness and training programs that are reviewed with employees on an ongoing basis. This includes developing an incident reporting and tracking program to catalog incidents of social engineering and implementing an incident-response strategy.
- Train customer service staff to recognize psychological methods that social engineers use: power, authority, enticement, speed and pressure. If it is important enough to move quickly on, it’s important enough to verify.
- Consider conducting a recurring, third-party penetration test to assess vulnerabilities, including unannounced random calls or emails to employees soliciting information that should not be shared.
- Guard against unauthorized physical access by maintaining strict policies on displaying security badges and other credentials and making sure all guests are escorted. Politely refuse entry to anyone “tailgating.” Keep sensitive areas such as server rooms, phone closets, mailrooms and executive offices secured at all times.
- Monitor the use of social media outlets, open sources and online commercial information to prevent sensitive information from being posted on the Internet.
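The call-back and independent-verification controls in the list above can be enforced mechanically rather than left to memory. The following is an added example, not code from the original article: a small vendor-master model in which a bank-detail change is only applied after a second employee confirms it on the number already on file, and a wire is released only to the verified account. The vendor name, phone numbers and account strings are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vendor:
    name: str
    bank_account: str      # verified account on file
    phone_on_file: str     # number established at onboarding, never taken from a request


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_by: str                  # employee who entered the request (e.g. from an email)
    verified_by: Optional[str] = None  # independent employee who completed the call-back


class VendorMaster:
    """Vendor master file with a call-back gate on bank-detail changes (hypothetical helper)."""

    def __init__(self) -> None:
        self.vendors: dict[str, Vendor] = {}

    def add_vendor(self, vendor: Vendor) -> None:
        self.vendors[vendor.name] = vendor

    def request_change(self, vendor: str, new_account: str, requested_by: str) -> BankChangeRequest:
        """Record the request only; the account on file is not touched yet."""
        return BankChangeRequest(vendor, new_account, requested_by)

    def confirm_by_callback(self, req: BankChangeRequest, verifier: str, number_called: str) -> bool:
        """Apply the change only if an independent employee confirmed it on the number on file."""
        vendor = self.vendors[req.vendor]
        if verifier == req.requested_by:            # dual control: the requester may not verify
            return False
        if number_called != vendor.phone_on_file:   # a number supplied in the email is not trusted
            return False
        req.verified_by = verifier
        vendor.bank_account = req.new_account
        return True

    def release_payment(self, vendor: str, account: str) -> bool:
        """A wire goes out only to the verified account on file, never to one quoted in a request."""
        return self.vendors[vendor].bank_account == account


def demo() -> dict:
    """Constructed scenario mirroring the opening story: each key records one control decision."""
    vm = VendorMaster()
    vm.add_vendor(Vendor("Acme Supply", "ACCT-OLD-1", "+1-555-0100"))
    req = vm.request_change("Acme Supply", "ACCT-NEW-9", requested_by="controller")
    return {
        "pay_before_verification": vm.release_payment("Acme Supply", "ACCT-NEW-9"),  # blocked
        "self_verify": vm.confirm_by_callback(req, "controller", "+1-555-0100"),      # rejected
        "number_from_email": vm.confirm_by_callback(req, "ap_clerk", "+1-555-0199"),  # rejected
        "proper_callback": vm.confirm_by_callback(req, "ap_clerk", "+1-555-0100"),    # accepted
        "pay_after_verification": vm.release_payment("Acme Supply", "ACCT-NEW-9"),   # released
    }
```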
As social engineering fraud schemes become more prevalent and sophisticated, instituting a countermeasure program makes good business sense.