Ninety-eight percent of cyberattacks involve social engineering fraud (2021 Cyber Security Statistics – The Ultimate List of Stats, Data & Trends. Purplesec.). The attacks start with emails, texts or calls requiring urgent action. Attackers often pretend to be someone in senior management who needs immediate access to corporate funds, intellectual property or product data. They want your company’s funds, account information, access to personally identifiable information or tax forms.

One careless response turns an individual’s email address into a portal to your network and company assets. Because of this, it is imperative to have employee engagement to maintain a robust defense against cyberattacks. Protecting your company against social engineering fraud must include education and training. Teach your employees to identify these attacks and respond appropriately.

Education starts with awareness. Below we will summarize the most widespread forms of social engineering fraud:

Business Email Compromise (BEC) Scams Slip Past Cybersecurity

If your company does business and transfers funds to suppliers, then you’re a BEC target. Cybercriminals zero in on the email accounts of senior management or financial officers. They look for new employees, who may not be fully briefed on cybersecurity policies. BEC scams avoid mass mailings, so they aren’t flagged as spam. They don’t rely on malicious links or attachments, evading malware detection tools.

Hackers research their targets and time their attacks. They know when people want to go through their email quickly. So, an email appears in your inbox late at night, requesting an expedited payment to a long-time supplier. You transfer the funds to a fraudulent account, but by the time you realize you’ve been scammed, it’s too late.

BEC scams work because a company’s cybersecurity policies depend on compliance and critical thinking. To address these, support employee engagement with stronger cybersecurity practices, which include:

  • Multi-factor authentication — In addition to a password, multi-factor authentication may require a PIN, security code or biometric. This makes unauthorized email access more difficult, encouraging cybercriminals to look for companies with weaker defenses.
  • Require verification — This should be the standard operating procedure. Confirm email requests for funds or data in person or with a phone call to a known number.
  • Look for unusual activity — Be suspicious of email outside of normal business hours, requests to use personal email addresses or other deviations from the norm. If something is different, find out why before you respond.

Pharming — Malicious Code Takes Over Devices

Pharming installs malicious code on devices, redirecting employees to fraudulent websites. Employees key in personal information, such as credit cards numbers or bank account information. Cybercriminals then harvest the data for identity theft.

Pharming attacks come in different forms. In one version, code delivered by email modifies the local hosts file on the device. The hosts file maps host names (the domain part of a URL) to IP addresses, so a tampered entry redirects employees to fake sites. This type of cyberattack is difficult to detect, as it redirects users even when they use bookmarked sites or type in a URL.

High-quality spyware removal programs can help, but users must be careful and vigilant, blocking pop-up ads and cookies.

DNS poisoning is another widespread form of pharming. This type of cyberattack modifies server DNS tables, redirecting users to fraudulent sites. Employees may think they’re sharing personal information or financial data with their bank, but they’re actually funneling sensitive information to criminals. Spyware removal software can’t detect this type of pharming, because the problem isn’t in the device.

Virtual private networks (VPNs) provide an effective defense against pharming, encrypting connections and shielding IP addresses. Employees should make sure to update their device operating systems and software. These updates correct vulnerabilities in the never-ending war against hackers. Clearing the browser cache on a regular basis will also help.
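The hosts-file variant described above can be checked for directly on an endpoint. The following script is an added example written for this article, not code from the article or any product; it parses hosts-file text and flags every entry that points a name at a non-loopback address, since a normal hosts file contains only localhost mappings. The sample hosts content, the bank and payroll host names and the 203.0.113.x addresses are constructed for illustration.

```python
"""Audit hosts-file text for pharming-style overrides (added example)."""
import ipaddress

# Constructed sample: a normal loopback block plus two suspicious overrides.
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# constructed pharming overrides (documentation-range addresses, not real)
203.0.113.45   www.example-bank.com example-bank.com
203.0.113.45   login.example-payroll.com
"""


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # no hostname on this line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address field
        for host in parts[1:]:
            entries.append((addr, host.lower()))
    return entries


def suspicious_entries(text):
    """Return (hostname, address) pairs that map a name to a non-loopback address.

    Loopback mappings (127.0.0.0/8, ::1) are the expected content of a hosts
    file; anything else overrides DNS silently, even for bookmarked or typed
    URLs, and deserves review.
    """
    return [(host, str(addr)) for addr, host in parse_hosts(text)
            if not addr.is_loopback]


def group_by_address(flagged):
    """Group flagged host names by destination address.

    Several unrelated brand names resolving to one address is the typical
    signature of a pharming override rather than an administrator's mapping.
    """
    groups = {}
    for host, addr in flagged:
        groups.setdefault(addr, []).append(host)
    return groups


def audit_file(path):
    """Read a real hosts file (e.g. /etc/hosts) and return the grouped findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return group_by_address(suspicious_entries(fh.read()))


if __name__ == "__main__":
    for addr, hosts in group_by_address(suspicious_entries(SAMPLE_HOSTS)).items():
        print(f"{addr} overrides {len(hosts)} name(s): {', '.join(hosts)}")
```

Run `audit_file("/etc/hosts")` on Linux or macOS, or pass `C:\Windows\System32\drivers\etc\hosts` on Windows, to check a live endpoint; an empty result is the expected state for a workstation that has not been tampered with.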

Spear Phishing — Precisely Targeted Cyberattacks

Phishing is the most common form of cyberattack. The FBI’s Internet Crime Complaint Center logs more than twice as many phishing incidents as other types of cyberattacks. Spear phishing is its lethal offspring, selecting and targeting specific individuals within a corporation.

These attacks typically appear as emails with attachments. The emails include detailed information, which makes them appear legitimate and increases the likelihood of compliance. An employee opens an email and its attachments, transferring funds or other assets, such as IP or financial data.

Cybercriminals research their spear-phishing targets carefully. Education and training can help employees recognize the signs of these attacks and respond accordingly:

  • Unusual, unexpected or urgent emails call for verification. The email recipient should confirm the email’s legitimacy, with a phone call or in-person conversation.
  • Don’t open links or download attachments, especially from unfamiliar senders.
  • Use hosted email with robust security standards and protection from junk mail.

Whaling — Targeting Senior Management for Higher Stakes

Whaling uses spear-phishing tactics to target senior management. These individuals may be less tech-savvy than their employees, leaving them vulnerable to cyberattacks. A CFO, for example, may receive multiple emails from other members of senior management every day. One evening, an email comes in from the head of sales. He’s at a tradeshow in Tokyo and asks for a funds transfer or spreadsheet of closely held data. The attacker has customized the email with personalized references, and it appears legitimate. The CFO sees the email signature, has no problem with the request and complies. The funds or data go to a fraudulent email address and disappear.

How do you handle whaling attacks? You teach senior management to be vigilant, detecting and recognizing unusual requests that appear routine. They should also learn to be careful on social media, particularly when sharing personal data that hackers can repurpose. You can bolster their efforts with some changes in cybersecurity policy:

  • Flag external emails for review — Your IT department should recognize external emails and flag them for review. Our hypothetical CFO will see that the email from the head of sales actually came from outside the network. This defeats the cyber attacker’s social engineering tactics.
  • Install anti-phishing software — This software screens URLs and validates links to detect fraudulent activity. You can fortify this approach with a corporate policy that requires additional validation before transferring funds or data. This can be as simple as an in-person meeting or a phone call.
  • Additional signoffs for electronic transfers — Social engineering fraud preys on trust. Our CFO has worked with the head of sales for ten years. The treasurer, on the other hand, doesn’t know the head of sales. Suspicion leads to a request for clarification and confirmation, which stops the attack.
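The indicators named in the BEC section (off-hours email, deviations from the norm) and the whaling section (flagging external email that carries an executive's name) can be turned into a gateway rule. The script below is an added example for this article, not code from the article or from any mail product; it uses only the Python standard library. The corporate domain `example.com`, the executive directory, the business hours and the sample message are all constructed assumptions.

```python
"""Flag BEC / whaling indicators in one inbound message (added example)."""
from datetime import time
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAIN = "example.com"                  # assumed corporate domain
# Assumed directory of senior staff whose names are commonly impersonated.
EXECUTIVES = {"dana lee": "dana.lee@example.com"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))       # assumed local office hours
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "expedite")

# Constructed sample: an outside address using an executive's display name,
# sent late in the evening, asking for a rushed payment.
SAMPLE_MESSAGE = """\
From: Dana Lee <dana.lee@example-mail.net>
Reply-To: d.lee@example-mail.net
To: cfo@example.com
Date: Tue, 02 Nov 2021 23:12:00 -0400
Subject: Urgent wire before the Tokyo close

Please expedite the payment to the supplier tonight; I'm at the tradeshow.
"""


def domain_of(address):
    """Return the lower-cased domain of an email address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of indicator strings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if from_domain != INTERNAL_DOMAIN:
        findings.append(f"external sender domain: {from_domain}")

    # Display-name impersonation: an executive's name on a non-directory address.
    directory_addr = EXECUTIVES.get(name.strip().lower())
    if directory_addr and addr.lower() != directory_addr:
        findings.append(f"display name '{name}' does not match directory entry")

    # Reply-To steering replies somewhere other than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and parseaddr(reply_to)[1].lower() != addr.lower():
        findings.append("reply-to differs from sender")

    # Off-hours timing, the late-night request the article describes.
    try:
        sent = parsedate_to_datetime(msg.get("Date", "")).time()
        start, end = BUSINESS_HOURS
        if not start <= sent <= end:
            findings.append(f"sent outside business hours ({sent:%H:%M})")
    except (TypeError, ValueError):
        findings.append("missing or unparsable Date header")

    # Urgency language in subject or body.
    text = (msg.get("Subject", "") + " " + (msg.get_payload() or "")).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in text)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


def banner(raw):
    """Return the warning banner a gateway would prepend, or '' if clean."""
    findings = analyze(raw)
    return "[EXTERNAL / REVIEW] " + "; ".join(findings) if findings else ""


if __name__ == "__main__":
    print(banner(SAMPLE_MESSAGE))
```

The banner is what the hypothetical CFO would see above the message body; the individual findings are what a treasurer or help desk would use to decide that the request needs the phone-call verification the article recommends.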

Vishing — The Attacks Come as Phone Calls or Voice Mail

You’re tightening up your cybersecurity defenses against email attacks. Don’t forget about vishing, or “voice phishing.” These are phone calls or voicemails using tried-and-true social engineering tactics to steal funds or data. According to Truecaller, a global platform for contact verification, vishing scams in the U.S. netted $29.8 billion in the last year.

Vishing cons people into sharing personally identifiable information, phone numbers and credit card numbers. Attackers tell you that you have a problem, but they can solve it. They claim to be with tech support, your bank or hosting provider. You’re concerned or distressed, but they can help — all they need is some information to get started. It’s an old-fashioned confidence trick, grafted onto twenty-first-century communications technology.

Fortunately, there are basic, zero-cost ways to defend against vishing:

  • Demand authentication — If your caller needs information, they’ll be happy to have you call back. A quick online check can confirm their contact information.
  • Don’t share sensitive information with callers — The Social Security Administration and the IRS don’t call and ask for information. They use the U.S. Postal Service.
  • Send calls from unknown numbers to voicemail — If you don’t recognize the number, send the call to voicemail. If the caller is genuine, they’ll leave a voicemail with a number to call. You can verify this number with a third-party source.

The Federal Communications Commission (FCC) started cracking down on vishing and robocalls in June 2021. Do your part by cultivating a healthy sense of skepticism among your employees.

Smishing — Phishing Via Your Smartphone

As more companies implement bring your own device (BYOD) policies, smishing has become a more significant business threat. Smishing uses short message service (SMS), or texting. Texting is the most common use of smartphones, which makes it prime real estate for cybercriminals. Like SMS, smishing crosses platforms. Malware installed on an employee’s personal mobile device can access corporate data.

Android devices are popular targets for smishing, because of their widespread use. However, employees who use Apple’s iOS mobile technology can’t afford to feel secure. They may be fewer in number, but their mobile operating system is equally vulnerable to cyberattacks. Cybercriminals know that their targets can be wary of email scams but worry less about their smartphone security. You’re often distracted when you’re on your mobile, so it’s easy to respond automatically to a text from your bank.

You provide the personal information the bank asks for, but you’re really sending it to cybercriminals. Maybe you open a link and download malware. Sharing personal information now sets up identity theft and the malware infects your company’s network.

Like any confidence trick, smishing relies on the victim’s cooperation. This means there are various no-cost, effective ways to protect yourself. They include:

  • Don’t respond to suspicious texts — Decline to participate in the scam and cybercriminals will move on to a more cooperative victim.
  • Ignore texts asking for account information — Financial institutions will never ask you to share personal information via text or email.
  • Don’t store financial data and credit card numbers on your mobile device unless you are using an encrypted password manager.

A Well Educated, Trained Workforce Is Less Vulnerable

Effective cybersecurity uses controls for people, processes and technology. Installing the latest malware protection won’t work without an engaged workforce. Your people must be educated and trained in the proper processes for dealing with social engineering fraud.

The challenge is to develop uniform responses to cyberattacks within a diversified workforce. You may have twentysomethings who grew up in the digital domain, working with people who struggle with social media. One approach to finding traction is gamification. This is a teaching and training process that uses online game rewards, such as points, leaderboards and badges, to make behavioral change fun. Gamification can teach your employees to recognize suspicious emails, calls and texts, and respond accordingly while also putting everyone on equal footing, from the C-suite to entry-level associates. It engages them on an emotional level, to learn, make progress and share their results. Most importantly, it helps foster a new mindset, one that recognizes change and adapts to it. This is critical, because the cybersecurity landscape, and the threats your company faces, are always changing.

To develop an effective organizational response to social engineering fraud, contact Al Tanju, Director of Cybersecurity Services, or your Windham Brannon advisor.