May 27, 2016
Hacking the Human: Social Engineering
by John Farley
Here are seven social engineering tactics that hackers are using to trick employees, along with eight defenses.
Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. Securing that data continues to be a challenge for organizations of all sizes and across multiple business sectors. Social Security numbers, W-2 forms, payment cards and intellectual property have significant value on the black market and provide motivation for hackers to steal.
Many corporate IT departments respond to these threats by devoting vast amounts of resources to technological defenses. Criminal perpetrators, however, seem to remain one step ahead of even the best cybersecurity efforts. They have altered their strategies by perpetrating human-based fraud. One emerging tactic involves what we have come to know as “social engineering.” This type of fraud occurs in a multi-stage process. Criminals first gather information, form relationships with key people and finally execute their plan.
By exploiting our natural tendency to trust others, criminals have been highly successful in convincing people to hand over some of their most valuable data assets. In fact, according to the FBI, from October 2013 to August 2015, more than 8,000 social engineering victims across the U.S. were defrauded of almost $800 million (the average loss amounted to $130,000).
There are several methods of social engineering that are seen frequently, including the following seven:
- Bogus Invoice: A business that has a long-standing relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The email request appears very similar to one from a legitimate account and would need scrutiny to determine if it was fraudulent.
- Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
- Interactive Voice Response/Phone Phishing (aka “vishing”): Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
- Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
- Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB drive to her computer, criminals can exfiltrate valuable data.
- Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
- Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.
How to avoid being defrauded in the first place:
Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures, including these eight:
- Educate your employees so they learn to be vigilant and recognize fraudulent behavior.
- Establish a procedure requiring any request for funds or information transfer to be confirmed in person or via phone by the individual supposedly making the request.
- Consider two-factor authentication for high-level IT and financial security functions, and dual signatures on wire transfers greater than a certain threshold.
- Avoid free web-based email: establish a private company domain and use it to create valid email accounts in lieu of free, web-based accounts.
- Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information and out-of-office details.
- Do not open spam or unsolicited email from unknown parties, and do not click on links in such email. These often carry malware that gives criminals access to your computer system.
- Do not use the “reply” option to respond to any financial emails. Instead, use the “forward” option and use the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
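One way to turn the out-of-band confirmation, dual-signature and forward-not-reply controls above into a screening step for inbound payment requests, as an added example that is not part of the original article. The vendor record, the $25,000 threshold, the webmail domain list and the two sample requests are constructed assumptions.

```python
import re
from dataclasses import dataclass

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # illustrative list
URGENCY_WORDS = {"urgent", "immediately", "today", "asap", "confidential"}

@dataclass
class Vendor:
    domains: set       # email domains recorded in the company address book
    bank_account: str  # account on file; any change must be verified by call-back

@dataclass
class TransferRequest:
    vendor: str
    from_addr: str
    reply_to: str
    amount: float
    bank_account: str
    body: str

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def screen(req: TransferRequest, vendors: dict, dual_sign_threshold: float = 25_000.0) -> dict:
    """Flag the request and state which controls it must pass before any funds move."""
    flags = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        flags.append("vendor not in address book")
    else:
        if _domain(req.from_addr) not in vendor.domains:
            flags.append("sender domain not on file for this vendor")
        if _domain(req.reply_to) not in vendor.domains:
            flags.append("reply-to domain differs from vendor on file")  # never just hit reply
        if req.bank_account != vendor.bank_account:
            flags.append("bank account differs from account on file")  # bogus-invoice pattern
    if _domain(req.reply_to) in FREE_WEBMAIL:
        flags.append("reply-to is a personal webmail address")  # sudden change in practice
    if set(re.findall(r"[a-z]+", req.body.lower())) & URGENCY_WORDS:
        flags.append("urgency language in request")
    return {"flags": flags,
            "require_callback": bool(flags),  # confirm by phone with the contact on file
            "require_dual_approval": req.amount > dual_sign_threshold}

# Constructed sample data so the block runs stand-alone.
VENDORS = {"Acme Supply": Vendor({"acme-supply.example"}, "ACCT-1111")}
LEGIT = TransferRequest("Acme Supply", "ap@acme-supply.example", "ap@acme-supply.example",
                        9_800.0, "ACCT-1111", "Attached is invoice 4471 for April services.")
BOGUS = TransferRequest("Acme Supply", "ap@acme-supply.example", "ap.acme@gmail.com",
                        48_000.0, "ACCT-9999", "URGENT: we changed banks, please wire today.")
```

The call-back must go to the phone number already on file, never to a number supplied in the suspect message.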
Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at www.ic3.gov.
The initial concern after such an event often focuses on the amount of stolen funds. However, there can be an even greater threat, because these incidents often involve the compromise of personally identifiable information, which can later be used to commit identity theft against multiple people. This prospect of further theft will often trigger legal obligations to investigate the matter and to notify affected individuals and regulators. The thefts then often lead to litigation and significant financial and reputational harm to businesses. Costs can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees, and public relations costs.
Fortunately, the insurance industry has developed policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access to personally identifiable information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies contain exclusionary language for cases involving the voluntary transfer of funds, even where the funds were unknowingly transferred to a criminal. Other insurers may add policy language to crime policies to cover this situation.
Cyber insurance policies can be customized to offer coverage for the following:
- Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion or corruption of a third party’s electronic data; denial of service attacks against Internet sites or computers; or transmission of viruses to third-party computers and systems.
- Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information that had been entrusted to it in the normal course of business.
- Electronic Media Content Liability: Coverage for personal injury and trademark and copyright claims arising out of creation and dissemination of electronic content.
- Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
- Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm, outside counsel and forensic investigator.
- Cyber Extortion: Payments made to cybercriminals to decrypt data that has been encrypted by ransomware.
- Network Business Interruption: Reimbursement of your loss of income or extra expense resulting from an interruption or suspension of computer systems because of a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
- Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.
In summary, businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and to mitigate the damages if they do. Turning your employees from your weakest link into your greatest assets in the battle is one way; risk transfer to insurance products is another.