Who Do You Think You’re Talking To?
We wish this article title was just a memory of our teacher calling us out for being a wiseacre.
Even better, we might be writing about this song by Dawes. But no, the newest danger in cyber crime is to trick us into thinking we are talking to somebody we know when that is not the case at all.
“Who do you think you’re talking to” is now a critical verification requirement in the ever more challenging process of picking off criminal fraud attempts before harm happens.
What Changed to Make this Critical?
Here’s the situation: criminal hacking groups are getting much better at social engineering. While these criminal enterprises are often led by expert Russian hackers, they now recruit people who speak English as their first language so that texts, emails, and phone calls closely match the style of the person being imitated. The criminals also do a lot more homework using social media and other resources so that they can accurately reference the activities of the person they are pretending to be.
Last year, Caesar’s and MGM casinos were hacked by “Scattered Spider” when the attackers carefully mimicked a senior executive who called the IT help desk from his vacation hotel pleading to get his password updated. It was a simple but brilliant trick, and it was devastating for the casinos. The FBI/CISA Advisory about Scattered Spider can be found here.
It gets worse: generative AI now helps criminals replicate the voice of the person they are pretending to be. Here is a very scary situation where a father almost paid a ransom to get his kidnapped daughter back. He heard his daughter’s voice pleading for help over the phone even though his real daughter was just fine. Yikes.
The Hot Zone is the IT Help Desk
An IT help desk is the bullseye that cyber criminals are targeting with voice, email and texts that appear to come from a desperate or frustrated employee who needs help. The fake employee pretends they have lost their phone, or they have a new laptop, or they can’t access company information from their hotel — always a situation requiring a new password and/or help setting up MFA on a new device. The help desk person is trained to solve these common problems ASAP. Knowing this, the criminal is trained to exploit the best qualities we all want from a person working at a help desk. Once the help desk completes the fake employee’s request, the criminal gains a foothold inside the firewall and then they move quickly to build and protect their virtual access to company systems. With virtual access established, the criminal might spend days or weeks carefully preparing to launch a devastating attack on the company.
This type of attack is scaling fast. Healthcare providers are being targeted to the point where HHS (The Department of Health and Human Services) is issuing warnings about this new level of sophisticated social engineering.
New Help Desk Verification Procedures
IT help desks should be upgrading their verification procedures to defend against this threat. The security process is called end-user verification. Just like in the early days of MFA (multi-factor authentication), we will all need to get used to taking some extra steps, but end-user verification is a must-have requirement, so we need to get on with it.
Don’t take it personally when your help desk asks you to verify your identity. They are following a new level of zero-trust policies so, even if you are the president of the company or are in a position where you talk to the help desk many times per week, everybody needs to be verified every time.
We are currently rolling out end-user verification with all our clients, and we don’t charge a fee for this additional level of security because, frankly, this provides protection for our help desk (we actually call it the “service” desk, here at EO, and it’s open and available 24/7/365), just as much as it provides protection for our clients.
We are always here to answer questions if you want to have a conversation about end-user verification and zero-trust policies.