March 1, 2017
An accounting executive gets a hurried email:
We have a problem.
The McGowan Deal is held up. Now we need to pay $600,000 in customs fees! Otherwise the whole thing is over and the last eight months will have been for nothing. I know this is the eleventh hour, but please push this through for me or this deal is dead. I will send the wire transfer details over shortly.
You’ve always gone the extra mile for me and I know you can save us now.
CEO, ACME Corporation
It’s from the big boss, an old college friend and long-time mentor. Time is of the essence, the executive is under tremendous stress, and he doesn’t know what to do. Releasing the funds straight away is against company policy, but this is a time-sensitive matter. The executive needs to step up…rules are meant to be bent sometimes, right? Twenty minutes later, the wire transfer details come in. The money is transferred and the executive breathes a sigh of relief.
Just one problem: there was no customs fee. Shit.
No, your grandfather wasn’t involved and there wasn’t a rickety wooden boat. This was a phishing attack. This particular type of scam is known as a Business Email Compromise (BEC). Criminals will impersonate high-profile targets and send messages trying to trick their victims into wiring large sums of money to their account. These scams often rely on feigned authority, timeliness and sometimes even social pressure to trick victims into sending money overseas. By the time the victim realizes what happened, the money is already gone and the victim is scratching their head, wondering what happened.
The FBI estimates that more than $2.3 billion has been lost since October 2013 in BEC, but that’s just one piece of the phish pie. BEC scams come under the umbrella of phishing attacks, which use deceitful emails and other communications to extract sensitive information from people. All said and done, phishing attacks are estimated to cost the world $4.6 billion, according to an RSA report. Sadly this phish pie is part of an even greater pie (all these layers are starting to remind us of the movie Inception) called social engineering. Unlike rhubarb, social engineering uses psychological manipulation to get people to divulge personal details or restricted information.
When discussing social engineering, it’s best to use a common language when talking about the different types of social threats that we face.
Phishing is any attempt to acquire sensitive information through electronic communication, such as credit card or login details. There are many different types, but the most devious ones are:
Spearphishing is a craftier type of phishing than the mass-spammed emails that we are so used to. It involves the attacker obtaining private information, then sending tailored emails to a small group of people. Spearphishers use these personal details to convince the victim that they are legitimate. Although these attacks take much longer to craft, recipients are much more likely to fall for them than for a standard phishing scam. These messages are also less likely to be caught by spam filters, because they aren’t mass emailed. The BEC scam mentioned above is an example of a spearphishing attack, but it is also referred to as whaling because the attackers set their sights on high-profile targets.
In this type of attack, you will receive a message pretending to be from your ISP or another service provider. It will ask you to log in through a different portal or send through some personal information. Often, they include an element that makes them time-sensitive, such as the recipient receiving benefits or incurring charges. Your actual providers will never ask you for information in this manner, so that’s the first red flag. Other easy giveaways are IP addresses in hyperlinks or really generic greetings.
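The giveaways named above (IP addresses in hyperlinks, generic greetings, a time-sensitive hook) can be checked mechanically before a message reaches a person. The following is an added example, not part of the original article; the phrase lists, flag names and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumed phrase lists for illustration; tune them against your own mail.
GENERIC = re.compile(r"\bdear\s+(customer|user|client|member|subscriber|account holder)\b", re.I)
URGENT = re.compile(r"\b(within \d+ (hours?|days?)|immediately|suspended|final notice|late fees?)\b", re.I)

class BodyParser(HTMLParser):  # collects link targets and visible text
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def host_is_ip(url):
    # True when the URL's host is an IP literal rather than a domain name.
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def red_flags(raw_email):
    parser = BodyParser()
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() == "text":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = " ".join(parser.text)
    urls = parser.hrefs + re.findall(r"https?://[^\s\"'<>]+", text)
    checks = {
        "ip_link": any(host_is_ip(u) for u in urls),
        "generic_greeting": bool(GENERIC.search(text)),
        "urgency": bool(URGENT.search(text)),
    }
    return sorted(name for name, hit in checks.items() if hit)

# Constructed sample message (203.0.113.0/24 is a documentation address range).
SAMPLE = """From: "Your ISP" <billing@isp.example>
Content-Type: text/html

<p>Dear Customer,</p><p>Your service will be suspended within 24 hours.
<a href="http://203.0.113.45/login">Log in here</a> to avoid late fees.</p>
"""
```

Calling `red_flags(SAMPLE)` returns all three flags; a message with a personal greeting and a link to a named domain returns an empty list.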
A cousin of phishing, pharming involves a hacker taking over a website domain name and directing users to a fake site. Upon arrival, potential victims are asked to hand over personal details or other sensitive information. Many internet security products will block these kinds of suspicious websites, but sometimes they slip through.
Pretexting is the act of tricking people into divulging personal information under false pretenses. One example of this might be someone calling you to complete a survey—one that acquires seemingly harmless information. Other versions of pretexting will assert that the scammer needs additional information to identify the victim. Whether you are divulging seemingly innocuous information or sensitive information, the information garnered from pretexting can be used to steal your bank accounts, credit card numbers, medical records, and much more.
Everyone likes free stuff, and that’s where baiting catches us. A baiter will offer something like free downloads if victims enter their username and password. These attacks aren’t limited to the online world either, as giveaways are a tried-and-true way of getting people to willingly hand over information. Why do you think so many companies hold competitions as part of their marketing?
Do you have restricted areas? You might think that you are being helpful by letting the UPS guy in, but it could also be a conman who is trying to break inside your building. This is called tailgating and it’s a common method for tricksters to enter secure areas.
Be skeptical of someone offering you help that seems too good to be true. It could be a quid pro quo attack. These often come in the form of someone offering you a service, like a scammer offering to fix an IT problem. Instead of fixing it, they will use their access to install malware.
This is where it all starts. There are so many different attacks that your organization is susceptible to, so you need a comprehensive plan to be able to manage your risks effectively. This involves analyzing your risk profile and the particular scenarios that are most likely to play out in your environment. For example:
– Do your employees have remote access to critical systems?
– Are employees allowed everywhere in your office, or just specific areas?
– What does your screening process look like?
People are the weakest link in your security plan. Contrary to popular belief, it’s not the systems that compromise your data, it’s the employees. This isn’t to say these people have malicious intent; often they are too kind or helpful and are thus more likely to be taken advantage of. Learn more about our training programs to help keep your employees diligent when it comes to managing risk. Knowing the difference between who you let into your building and which links you shouldn’t click on might make the difference between a rolling of the eyes and a newsworthy breach.
Most people never consider how much information is in their trashcan. Think about all of the things we throw out that have our personal information scribbled all over them. Companies do the same thing. If you don’t want that information winding up in the wrong hands you’ll need an effective waste management system that includes shredding sensitive documents and locking your garbage.
You will often be shocked at how easy it is to breach your security perimeter. One of the classic stories of network security involves Steve Stasiukonis, of Secure Network Technologies, and his team scattering a bunch of USB drives in the parking lot of a client. Curious employees picked them up and plugged them into their work computers. They weren’t aware that those USBs had keyloggers, which soon meant that Steve also had their login details.
Feeling concerned that you may be more susceptible to attack than you originally thought? We’re happy to work with you to find out if your sneaking suspicions are true.