
Common Social Engineering Cyber Attacks and Prevention Strategies

What is Social Engineering & what are the risks?

The human component of cyber security is the weakest link in protecting your organization against external threats. Recently, social engineering attacks have become the most prevalent type of threat within reported cyber breaches.

Social engineering is a malicious activity in which bad actors craft items such as fraudulent emails with the intent to persuade the recipient to unwittingly perform an action; for example, releasing sensitive information and/or unknowingly planting malware on their network. Cyber criminals look for users who are unaware of social engineering attacks and/or those who are too busy to pay attention to warning signs.

Phishing

Phishing is the most common type of social engineering attack. It is often a poorly written, easily identifiable email from an unusual sender. The goal is generally to get the recipient to click a link or download/view an attachment in order to provide authorization credentials (e.g. banking login), or even download and install a program that would monitor your keystrokes. This type of attack targets people with little to no cyber security awareness.

A phishing example may involve a hacker simulating a notification that your Windows password has expired. The message will direct you to enter your current password and then a new one in order to “update your account.” This provides the hacker with access to confidential or proprietary information in your email and calendar, and also likely provides insight into how you derive your password pattern(s) (e.g. password1! often becomes password2!). This also may provide easy access to your other software/accounts which use the same login credentials.

Spear Phishing

Spear Phishing targets an organization or an employee with the intent to gain unauthorized access to sensitive information. It takes the form of a highly convincing business email, which may appear to be sent from a legitimate business authority or an internal colleague. This form of phishing is not typically sent by random hackers. It is more advanced than regular phishing attempts because it targets individuals from specific organizations to gain financial, trade, or sensitive information.

For example, a hacker may impersonate a member of the finance department for a contractor that works closely with an organization. The hacker may send the Accounts Payable Clerk of that organization a change of bank information for the contractor and provide new (fraudulent) account details. Once this is approved and processed by the AP Clerk or another employee, the next invoice from the real contractor will end up paid to the hacker’s account.

Whaling

Whaling schemes are sophisticated cyber phishing attacks directed specifically at senior executives and other high-level targets within organizations. The content of these messages is tailored for upper management, with the goal of tricking financial staff into making fraudulent wire transfers to bank accounts controlled by thieves. These targeted attacks are known to exploit the close relationship between CEOs and CFOs.

In the following example, a hacker was able to gain access to the CFO’s Outlook account through the above-mentioned phishing technique. The hacker then researched email patterns, including who the CFO frequently emailed and for what purposes. This hacker also monitored the CFO’s calendar for a strategic opening.

On the day of the incident, the CFO was out of the office with no access to email. The hacker waited patiently for this opportunity to send the AP Clerk a request via the CFO’s email address for a large wire transfer to a specified bank account. The clerk checked with the company’s Controller to confirm this odd request. The Controller was worried about delaying the CFO’s request and executed the wire transfer to the hacker’s account.

Many of the above-mentioned scenarios may be avoided by implementing the following countermeasures and prevention techniques.

What are Countermeasures/Prevention Techniques?

Maintain Security Awareness

Effective internal communications may help prevent damage from cyber-attacks. Organizations should establish employee security awareness campaigns to improve mindfulness of security threats.

  • Remind your employees to pay close attention and always be vigilant. Train them to be able to identify phishing emails. Provide regular examples of known phishing scams. Remind them that if something doesn’t look right, it probably isn’t.
  • Outline your organization’s “suspicious email response protocol,” which should include a definition of technology controls, as well as a timely notification of your IT team to the phishing attempt and guidance on how to proceed.
  • Remind your user community of the importance of internal control procedures, and your organization’s zero tolerance policy on bypassing controls.

Establish Adequate Internal Controls…And Adhere to Them

Whaling attempts can appear as an email sent from a top executive requesting that the recipient transfer money, for example. The message may appear urgent in nature and request that the recipient bypass the regular processes in the interest of time and on the strength of the requestor’s level of authority. This should always be a red flag.
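The red flags described above for the spear phishing and whaling scenarios (a known executive’s name on an outside address, a lookalike domain, a mismatched Reply-To, urgency, pressure to skip verification, and payment instructions) can be checked mechanically before a message ever reaches the AP Clerk. The following Python script is an added example, not code from this page or from AAFCPAs; the company domain, the executive directory, the phrase lists and the two sample messages are constructed for illustration.

```python
"""Added example: flag business-email-compromise red flags in an inbound
message. Not the page's or AAFCPAs' tooling; the domain, directory, phrase
lists and sample messages below are constructed for illustration."""
import difflib
import email
import re
from email.utils import parseaddr

# Constructed organisation data (assumption): the company's mail domain and the
# executives whose names are most likely to be impersonated.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"pat cfo": "pat.cfo@example.com", "sam ceo": "sam.ceo@example.com"}

# Illustrative phrase lists, not an exhaustive signature set.
URGENCY_TERMS = ("urgent", "immediately", "asap", "today", "before close of business")
BYPASS_TERMS = ("no need to verify", "handle this yourself", "don't call", "do not call",
                "keep this confidential", "skip the usual")
PAYMENT_TERMS = ("wire transfer", "bank account", "account details", "new account",
                 "routing number", "iban", "change of bank")


def _normalise_name(name: str) -> str:
    """Lower-case a display name and strip punctuation so 'Pat CFO' == 'pat cfo'."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def lookalike_domain(domain: str, trusted: str = TRUSTED_DOMAIN, threshold: float = 0.8) -> bool:
    """True when the domain is not the trusted one but closely resembles it
    (e.g. examp1e.com vs example.com). SequenceMatcher is a coarse but
    dependency-free similarity measure."""
    if not domain or domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= threshold


def analyse(raw_message: str) -> dict:
    """Return the red flags found in one RFC 5322 message plus a coarse verdict."""
    msg = email.message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(sender)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags = []
    # 1. Display name of a known executive, but the address is outside our domain.
    if _normalise_name(display) in EXECUTIVES and sender_domain != TRUSTED_DOMAIN:
        flags.append("executive_name_external_address")
    # 2. Sender domain is a near-copy of ours (typosquat / lookalike).
    if lookalike_domain(sender_domain):
        flags.append("lookalike_domain")
    # 3. Replies would go somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply_to_mismatch")
    # 4-6. Social-engineering pressure and payment language in subject/body.
    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgency_language")
    if any(t in text for t in BYPASS_TERMS):
        flags.append("control_bypass_language")
    if any(t in text for t in PAYMENT_TERMS):
        flags.append("payment_instruction")

    # A payment request whose sender identity is doubtful is the BEC pattern itself.
    identity_doubt = {"executive_name_external_address", "lookalike_domain", "reply_to_mismatch"}
    if "payment_instruction" in flags and identity_doubt & set(flags):
        verdict = "high"
    elif len(flags) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"sender": sender, "flags": flags, "verdict": verdict}


# Constructed sample messages (not real mail).
WHALING_SAMPLE = """From: Pat CFO <pat.cfo@examp1e.com>
Reply-To: pat.cfo@webmail.example.net
To: ap.clerk@example.com
Subject: Urgent wire transfer needed today

I am travelling and cannot take calls. Please process the wire transfer to the
account details below immediately and handle this yourself; no need to verify
with the Controller.
"""

LEGITIMATE_SAMPLE = """From: Pat CFO <pat.cfo@example.com>
To: ap.clerk@example.com
Subject: Q3 budget review slides

Attached are the slides for Thursday's budget review. Let me know if you have
questions.
"""

if __name__ == "__main__":
    for sample in (WHALING_SAMPLE, LEGITIMATE_SAMPLE):
        print(analyse(sample))
```

Note the limit of header checks: in the whaling incident described above the request came from the CFO’s real, compromised mailbox, so the identity flags would not fire and only the language flags remain. That is why the page’s procedural control (an out-of-band confirmation with the requestor before any unusual transfer or bank-detail change) stays mandatory regardless of what the mail looks like.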

Monitor & Test Your Controls

Organizations should test and evaluate the effectiveness of internal controls and their incident response procedures on an ongoing basis. A policy/procedure is good only if it is documented, challenged, known and followed by all employees. In a potential incident, there is no time to respond to a broken process.

Test with Simulated Phishing Expeditions Using Social Engineering

AAFCPAs’ Cyber and IT Security team assists clients with mitigating the risks of phishing, spear phishing, and whaling attacks by utilizing “white hat” social engineering methods. We gather information on clients, including their business structures, employees, and business dealings. We then collaborate with clients’ IT and HR departments and perform phishing & whaling expeditions using e-mails or a web server to entice employees to provide information, click on a link, or open a file. We collect responses and report our findings to management on the risks uncovered.

Based on our findings, AAFCPAs advises clients on which employees need additional training/education, which helps our clients avoid future real social engineering attacks that could cost them sensitive data breaches and stolen company funds.

Continuous Phishing Training

As part of an ongoing effort to reduce the risk of falling victim to a phishing email scam, AAFCPAs advises clients to perform periodic phishing awareness training to continually remind employees about the potential of a phishing attack. The best approach is to perform simulated phishing campaigns in conjunction with employee phishing awareness training. Extend the reminder portion of the awareness with posters or infographics posted in the workplace.

Remain Vigilant

Your best line of defense in protecting your organization against social engineering attacks is employee awareness. AAFCPAs advises clients to remain vigilant, assess your cyber security risks regularly, and maintain a cyber-aware community by educating users on the risks and consequences of social engineering attacks.

To schedule a cyber-security assessment, or for specific advice on how to best protect your organization against cyber-attacks, please contact James Jumes at 774.512.4062, jjumes@aafcpa.com; Vassilis Kontoglis at 774.512.4069, vkontoglis@aafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Advisory Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams to review SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Vassilis Kontoglis
Vassilis is a highly skilled IT professional with proven expertise in: business process improvement and change management, information systems gap analyses, cyber security and IT risk assessments, systems selection & implementation, IT auditing, and special attestation reporting (SSAE 18 and SOC 2). Vassilis performs comprehensive and thorough reviews of technology systems and environments, and advises clients on how to use technology to best achieve business goals and objectives. He elicits input from stakeholders at all levels of the organizational hierarchy in order to thoroughly evaluate business performance across functional boundaries. He analyzes current and potential business and IT processes to identify clear opportunities for improvement, which may include streamlining and automation, productivity increases, strategic alignment and cost reductions.