Imagine: You receive an email from your company payroll department. The email confirms your request to change your direct deposit details for your most recent paycheck. You see that the paycheck has been deposited into a new account. The message indicates that your account has been successfully updated. One problem — you never submitted such a request. Racking your brain, you wonder if you somehow forgot making that request. A quick scan of your sent emails does not help. However, you think about an email you received maybe a few weeks ago. You find it in your Deleted Emails folder. Using suspicious grammar, the email vaguely refers to your company and the payroll department. Even though you opened it, you knew not to click on any links within the obviously fraudulent message and immediately deleted it, confident that you avoided another scam. Although you spotted this phishing attempt, someone in your payroll department clearly did not.
How do criminals use social engineering attacks to gain confidential information?
Social engineering attacks exploit human psychology to gain access to confidential or sensitive data. The classic examples include phishing (and it’s variant “spear phishing”), vishing, baiting, and scareware. Regardless of the type, all social engineering attacks boil down to gaining the trust of a victim to further infiltrate an organization. Trust is gained through seemingly legitimate communications sent from anyone that an attacker thinks will make you more likely to click a fraudulent link or hand over sensitive information to, including: bosses, co-workers, “tech support”, major corporations, and even close relatives or family. In the hypothetical example above, the attacker exploited the trust of the payroll department to carry out the attack. Also known as a Business Email Compromise, this type of scam accounts for $26 billion in domestic and international corporate losses. Since they rely on trust, some attacks can be easy to spot and prevent with adequate training and common-sense practices.
However, more complex attacks may be much harder to predict and can even rely on giving the victim a false sense of security through decoy social engineering attempts or through other advanced attack vectors. As in the hypothetical example above, the attacker most likely knew, and intended for, the initial email to be deleted. However, the email may have been a decoy. The attacker found out the one thing he needed to know – whether you still worked at the company or not — once you opened or deleted the email. Armed with this knowledge, the attacker could then proceed with spoofing a direct deposit change request to your company’s payroll department. If successful, as in this hypothetical scenario, the attacker could then funnel your paycheck into his account, among other malicious activities. Once the money is in an attacker’s account, it’s nearly impossible to get back due to the intricate web of shadow accounts cyber criminals often use.
What can you do to prevent or mitigate social engineering attacks?
Although not 100% preventable, organizations can increase their education and awareness to ensure they stay current of ongoing security risks. Cyber attackers are constantly innovating new techniques to exploit trust, which means the security professional must anticipate new attack vectors. This rings especially true for individuals in critical roles, such as CEOs, financial personnel, and even their assistants. Individuals with the capacity to pull the trigger on finances or make other, enterprise-wide decisions, should implement additional protections, such as a requirement to call an accountable individual offline before execution of a major transaction. Besides the human factor, vulnerabilities may present themselves inherently in an organization’s operations or structure. For example, an organization may implement adequate security protocols within its headquarters, but fail to communicate such policies and procedures to more geographically isolated branches of the organization. Due to the nature of social engineering attacks, the best prevention methods are training and common sense.
We’d love to serve as your cybersecurity partner.
Vala Secure can help you find the appropriate solutions to prevent and defend against social engineering attacks, so you are the hero of the office. Keep your employees and clients safe, and avoid the costs associated with breaches. Let’s craft a custom plan that works within your budget and goals to mitigate risk.