What is Social Engineering & what are the risks?
The human element is usually the weakest link in protecting an organization against external threats, and social engineering has become one of the most prevalent entry points in reported cyber breaches.
Social engineering is a malicious activity in which attackers craft deceptive content, such as fraudulent emails, to persuade the recipient to unwittingly perform an action: disclosing sensitive information, for example, or unknowingly introducing malware onto the network. Cyber criminals look for users who are unfamiliar with social engineering tactics, or who are too busy to notice the warning signs.
Phishing is the most common type of social engineering attack. Bulk phishing is often a poorly written, easily identifiable email from an unfamiliar sender, although well-crafted lures do exist. The goal is generally to get the recipient to click a link or open an attachment, either to capture login credentials (e.g. a banking login) on a fake sign-in page or to install a program such as a keylogger that records keystrokes. This type of attack relies on recipients with little or no cyber security awareness.
A phishing example may involve an attacker sending a fake notification that your Windows password has expired. The message directs you to a look-alike page where you enter your current password and then a new one in order to “update your account.” The attacker now holds your real credentials, which gives access to confidential or proprietary information in your email and calendar, and likely insight into how you derive your passwords (password1! often becomes password2!). It also provides easy access to any other software or accounts that share the same login credentials.
Spear phishing targets a specific organization or employee with the intent to gain unauthorized access to sensitive information. It takes the form of a highly convincing business email, which may appear to come from a legitimate business authority or an internal colleague. This form of phishing is not typically sent by opportunistic attackers; it is more advanced than regular phishing because the attacker researches and targets individuals at specific organizations to obtain financial, trade, or other sensitive information.
For example, an attacker may impersonate a member of the finance department of a contractor that works closely with an organization. The attacker sends the organization’s Accounts Payable Clerk a change of bank information for the contractor, supplying new (fraudulent) account details. Once this is approved and processed by the AP Clerk or another employee, the next invoice from the real contractor is paid into the attacker’s account.
Whaling schemes are sophisticated phishing attacks directed at senior executives and other high-level targets within organizations, either as the victim or as the identity being impersonated. The content of these messages is tailored for upper management, with the goal of tricking financial staff into making fraudulent wire transfers to bank accounts controlled by thieves. These targeted attacks are known to exploit the close working relationship between CEOs and CFOs.
In the following example, an attacker gained access to the CFO’s Outlook account through the credential phishing technique described above. The attacker then studied the CFO’s email patterns, including whom the CFO frequently emailed and for what purposes, and monitored the CFO’s calendar for a strategic opening.
On the day of the incident, the CFO was out of the office with no access to email. The attacker waited for this opportunity to send the AP Clerk a request, from the CFO’s own email address, for a large wire transfer to a specified bank account. The clerk checked with the company’s Controller to confirm this odd request. The Controller, worried about delaying the CFO’s request, approved it without confirming it with the CFO through any other channel, and the wire transfer was executed to the attacker’s account.
Many of the above-mentioned scenarios may be avoided by implementing the following countermeasures and prevention techniques.
What are Countermeasures/Prevention Techniques?
Maintain Security Awareness
Effective internal communication helps limit the damage from cyber attacks. Organizations should run ongoing employee security awareness campaigns to keep security threats front of mind.
- Remind employees to pay close attention and remain vigilant. Train them to recognize phishing emails: unexpected requests, mismatched or look-alike sender addresses, pressure to act quickly, and links that do not go where they claim. Provide regular examples of known phishing scams. Remind them that if something doesn’t look right, it probably isn’t.
- Document your organization’s “suspicious email response protocol.” It should define the technology controls in place (spam filtering, link and attachment scanning, a report-phishing button or mailbox), require prompt notification of your IT or security team about the attempt, and tell employees how to proceed: do not click, reply, or forward the message to colleagues, and report it even if they have already clicked.
- Remind your user community of the importance of internal control procedures, and of your organization’s zero tolerance policy on bypassing controls.
Establish Adequate Internal Controls…And Adhere to Them
Whaling attempts can appear as an email sent from a top executive requesting, for example, that the recipient transfer money. The message may be urgent in tone and ask the recipient to bypass the regular process in the interest of time and on the strength of the requester’s authority. This should always be a red flag. Any request to move funds, change payment details, or skip an approval step should be verified out of band, by calling the requester at a phone number already on file (never one taken from the email) or by requiring a second approver, no matter who appears to have sent it.
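The following Python script is an added example, not part of AAFCPAs’ material or tooling. It shows the kind of technology control that backs up the red flag above and the contractor bank-change scenario described earlier: it parses raw email messages and flags the indicators of executive impersonation and payment fraud (an executive’s display name on mail from an outside or look-alike domain, a Reply-To that diverts replies elsewhere, urgent payment language, a request to skip approvals, or a change of bank details). The executive roster, internal domain, keyword patterns and the three sample messages are constructed assumptions; a real deployment would feed the roster and domains from the directory and tune the patterns to its own mail.

```python
"""Heuristic screen for executive-impersonation and payment-fraud emails (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data (assumption): names an attacker would impersonate
# and the domains that are genuinely ours. A real deployment pulls both from the directory.
EXECUTIVES = {"jane doe", "john roe"}
INTERNAL_DOMAINS = {"example.com"}

URGENCY = re.compile(r"\b(urgent(?:ly)?|asap|immediately|right away|today|time[- ]sensitive)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|routing|account (?:number|details)|gift cards?)\b", re.I)
BYPASS = re.compile(r"\b(skip|bypass|no need (?:to|for)|without)\b.{0,40}?"
                    r"\b(approval|verification|verify|process|procedure|sign[- ]?off)\b", re.I | re.S)
BANK_CHANGE = re.compile(r"\b(new|updated?|change(?:d| of)?)\b.{0,30}?\b(bank(?:ing)?|account|remittance)\b"
                         r".{0,20}?\b(details?|information|number)\b", re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, internal):
    """True for examp1e.com, exmaple.com or example.net when the real domain is example.com."""
    if domain in internal:
        return False
    return any(edit_distance(domain, good) <= 1 or domain.split(".")[0] == good.split(".")[0]
               for good in internal)


def plain_text(msg):
    """Concatenate the text/plain parts (works for single-part and multipart mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Return a sorted list of reason tags; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    tags = []
    # An executive's name on mail that did not come from our own domain.
    if display_name.strip().lower() in EXECUTIVES and domain not in INTERNAL_DOMAINS:
        tags.append("exec-name-external-domain")
    if is_lookalike(domain, INTERNAL_DOMAINS):
        tags.append("lookalike-domain")
    # Replies quietly diverted to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender:
        tags.append("reply-to-mismatch")
    text = msg.get("Subject", "") + "\n" + plain_text(msg)
    if URGENCY.search(text) and PAYMENT.search(text):
        tags.append("urgent-payment")
    if BYPASS.search(text):
        tags.append("bypass-controls")
    if BANK_CHANGE.search(text):
        tags.append("bank-detail-change")
    return sorted(tags)


# Constructed sample messages (not real mail): a CFO-impersonation wire request from a
# typo-squatted domain, a harmless internal note, and a contractor bank-detail change.
SAMPLE_WHALING = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jdoe.cfo@freemail.invalid
To: ap.clerk@example.com
Subject: Urgent wire transfer

I am traveling and cannot take calls. Please process a wire transfer today
to the account below and skip the usual approval; I will sign off when I am back.
"""
SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: ap.clerk@example.com
Subject: Lunch on Thursday

Are we still on for lunch on Thursday?
"""
SAMPLE_VENDOR = """From: "Acme Supplies Billing" <billing@acme-supplies-invoices.net>
To: ap.clerk@example.com
Subject: Updated remittance details for invoice 4471

Our bank account details have changed; please use the new account information
on the attached letterhead for all future invoices.
"""

if __name__ == "__main__":
    for label, raw in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT), ("vendor", SAMPLE_VENDOR)):
        print(f"{label:8s} -> {analyze(raw) or 'clean'}")
```

The tags are prompts, not verdicts: one tag warrants a closer look, several together should route the message to the security team before anyone acts on it. Keyword heuristics will miss well-written lures and occasionally flag legitimate mail, so they complement the out-of-band verification step rather than replace it.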
Monitor & Test Your Controls
Organizations should test and evaluate the effectiveness of internal controls and incident response procedures on an ongoing basis. A policy or procedure is only as good as it is documented, challenged, known, and followed by all employees. During a potential incident there is no time to discover that a process is broken.
Test with Simulated Phishing Expeditions Using Social Engineering
AAFCPAs’ Cyber and IT Security team assists clients with mitigating the risks of phishing, spear phishing, and whaling attacks by utilizing “white hat” social engineering methods. We gather information on clients, including their business structures, employees, and business dealings. We then collaborate with clients’ IT and HR departments and perform phishing and whaling expeditions, using emails or a web server to entice employees to provide information, click on a link, or open a file. We collect responses and report our findings to management on the risks uncovered.
Based on our findings, AAFCPAs advises clients on which employees need additional training and education, which helps clients avoid real social engineering attacks that could result in data breaches and stolen company funds.
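As an added illustration of the mechanics behind such a simulation campaign (example code, not AAFCPAs’ tooling): each employee receives a link carrying an HMAC-derived token, so that clicks can be attributed to a person without placing addresses in URLs and without recipients being able to guess or forge one another’s tokens; the landing web server’s access log is then parsed to record who clicked and who went on to submit the form, and the results are summarized per department for the training report. The roster, campaign secret, landing hostname and log excerpt are all constructed for the example. A campaign like this must be authorized in writing by the organization before any mail is sent.

```python
"""Tracking links and result attribution for an authorised phishing simulation (added example)."""
import hashlib
import hmac
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

CAMPAIGN_SECRET = b"rotate-me-per-campaign"        # constructed; never ships in the mail template
LANDING_HOST = "https://portal-login.example.net"   # constructed look-alike landing page
# Constructed roster (address -> department), agreed with HR before the campaign.
ROSTER = {
    "alice@example.com": "Finance",
    "bob@example.com": "Finance",
    "carol@example.com": "IT",
}


def token_for(email):
    """Per-recipient token: an HMAC, so tokens cannot be guessed or forged from the address."""
    return hmac.new(CAMPAIGN_SECRET, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def tracking_url(email):
    """The link embedded in this recipient's simulated phishing email."""
    return f"{LANDING_HOST}/login?t={token_for(email)}"


def recipient_for(token):
    """Reverse a token by recomputation over the roster; unknown or forged tokens give None."""
    for email in ROSTER:
        if hmac.compare_digest(token.encode(), token_for(email).encode()):
            return email
    return None


# Leading fields of an Apache/nginx combined log line: client, identity, user, time, request, status.
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def attribute(log_lines):
    """Map each roster entry to what they did: clicked the link, submitted the fake form."""
    results = {email: {"clicked": False, "submitted": False} for email in ROSTER}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != "/login":
            continue
        token = parse_qs(url.query).get("t", [""])[0]
        who = recipient_for(token)
        if who is None:
            continue  # scanner noise or a tampered token: do not attribute it to anyone
        if m.group("method") == "GET":
            results[who]["clicked"] = True
        elif m.group("method") == "POST":
            results[who]["clicked"] = True
            results[who]["submitted"] = True
    return results


def summarize(results):
    """Employees who need follow-up training, plus the click rate per department."""
    needs_training = sorted(email for email, r in results.items() if r["clicked"])
    per_dept = defaultdict(lambda: [0, 0])
    for email, r in results.items():
        per_dept[ROSTER[email]][1] += 1
        per_dept[ROSTER[email]][0] += 1 if r["clicked"] else 0
    rates = {dept: f"{clicked}/{total}" for dept, (clicked, total) in per_dept.items()}
    return needs_training, rates


# Constructed access-log excerpt from the landing web server (not real traffic).
SAMPLE_LOG = [
    f'203.0.113.10 - - [12/Mar/2024:09:14:02 +0000] "GET /login?t={token_for("alice@example.com")} HTTP/1.1" 200 1843',
    f'203.0.113.10 - - [12/Mar/2024:09:14:40 +0000] "POST /login?t={token_for("alice@example.com")} HTTP/1.1" 302 0',
    f'203.0.113.22 - - [12/Mar/2024:09:20:11 +0000] "GET /login?t={token_for("bob@example.com")} HTTP/1.1" 200 1843',
    '203.0.113.22 - - [12/Mar/2024:09:20:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2024:11:02:55 +0000] "GET /login?t=0000000000000000 HTTP/1.1" 200 1843',
]

if __name__ == "__main__":
    for email in ROSTER:
        print(tracking_url(email))
    needs, rates = summarize(attribute(SAMPLE_LOG))
    print("follow-up training:", needs)
    print("click rate by department:", rates)
```

Note that the landing form should discard anything typed into it: the POST alone proves that credentials would have been surrendered, and retaining real passwords from a simulation creates a liability of its own.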
Continuous Phishing Training
As part of an ongoing effort to reduce the risk of falling victim to a phishing scam, AAFCPAs advises clients to conduct periodic phishing awareness training to continually remind employees of the threat. The best approach is to run simulated phishing campaigns in conjunction with phishing awareness training, and to extend the reminders with posters or infographics in the workplace.
Your best line of defense against social engineering attacks is employee awareness. AAFCPAs advises clients to remain vigilant, assess cyber security risks regularly, and maintain a cyber-aware community by educating users on the risks and consequences of social engineering attacks.
To schedule a cyber-security assessment, or for specific advice on how to best protect your organization against cyber-attacks, please contact James Jumes at 774.512.4062, firstname.lastname@example.org; Vassilis Kontoglis at 774.512.4069, email@example.com; or your AAFCPAs Partner.