Social Engineering
Imagine that it is the day before the July 4th holiday.
You get an email that appears to come from your IT department. The message reads something like this:
“The office will be closed tomorrow for Independence Day. Due to recent cybersecurity threats, all employees must log in and update their password before going on break. Click HERE to update your password.”
Phishing research indicates that roughly 40% of employees will hand over their password in response to a message like that. When you consider that it takes only one individual giving up a password to bring an organization to its knees, it is easy to see that the odds favor the bad guys.
Social engineering is the hardest form of cyber-attack to defend against and it often triggers the most painful liabilities.
“The top threat to every one of our clients is social engineering. Nothing else comes close.”
Kemper Brown Jr. CEO, Electronic Office
Most of us remember getting a crazy email from a guy in Nigeria who needed to get $1 million out of his country and was hoping you would share your bank information so that he could wire the money to you.
That was funny because it was “obviously” a scam (If you thought those were real, maybe shoot us an email…)
It’s not funny anymore: the same trickery now arrives wrapped in realistic content, and one wrong click is all a criminal needs to gain access to your computer, your email server, and the rest of the information we now store online.
Who is at Risk?
The infamous ransomware attack against Colonial Pipeline that dominated the headlines last year was a wake-up call for many. Even so, many smaller businesses still think that they fly below the radar of the bad actors in cybercrime. They don’t. Small business owners are usually not aware of the horror stories occurring in their community because nobody wants to air dirty laundry. Take it from us—the folks called to help respond to these attacks—companies big and small are frequently victims of cybercrimes though their stories never end up on the front page of the paper…
The brutal efficiency of modern social engineering attacks makes this article relevant to organizations of all sizes, and even individuals using the Internet for personal reasons.
How do Smart People get Tricked?
Here are some samples of phishing techniques that people fall for:
- An email from your bank that looks like previous emails from your bank. It has a message like “please check your account for unusual charges to your credit card” and “remember, we will never ask for your password.” The email has a link to a fake web page that looks like the real homepage of your bank. On that page, you log in using your username and password. Game over.
- An invoice is sent to a new employee in the finance department, using the graphics and names of a real third-party provider to the company. The email mentions an overdue invoice in a very polite manner and asks the employee to open the PDF attachment to see the unpaid invoice. Game over if the employee opens the PDF: the attachment either carries the malware itself or links to a page that asks for a login.
- Small businesses often get paid through their PayPal account. Fake notices that look exactly like legitimate notifications from PayPal alert you to a security issue and recommend reviewing recent activity. The email contains a link that goes to a page that looks exactly like PayPal’s log-in page. When you log in, it’s game over.
- Fake emails that appear to come from Microsoft or Google. Most small businesses use Microsoft or Google as their email service provider. An employee gets an email that is graphically realistic, reminding them that they are overdue to change their password as per company policy. They click a link to a web page that looks exactly like the real login page, but the address in the browser is not Microsoft’s or Google’s. That URL is the only visible clue that the page is fake; if you log in on that page, game over.
- An email from the employee’s own HR department. This can take many forms, but the employee is always asked to log in to the company’s network in order to complete a critical task. Often the bad actor targets new employees, using publicly available information such as new-hire announcements on social media. When the new employee obediently follows instructions, game over.
- Emails from the IRS. Scams using excellent graphics in the email and on the landing page alert you to an important tax issue that urgently needs attention. It’s human nature to dread getting sideways with the tax collector, so we are vulnerable to these messages, even though the IRS does not initiate contact by email to request personal or financial information. When we “verify” our tax information on the attacker’s page, it’s game over.
Small Businesses Can Pay a Big Price
- A law firm specializing in real estate has its email server hacked. The bad actor starts reading every email thread and figures out how to perfectly mimic the messaging that goes from the law firm to its clients. A home buyer gets an email a few days before the closing that says “Due to covid-19 protocols, you will be asked to wire the down payment into the escrow account 24 hours before the closing. Do not bring a bank check to the closing, instead, wire the money using these instructions…” — The buyer shows up to the closing and the lawyer asks for the bank check for the down payment. The buyer produces a copy of the email and a receipt for the bank wire transfer. Only at this moment do all parties realize that something has gone horribly wrong.
- A local homebuilder is enjoying a booming growth business. They have contracts lined up for the rest of the year. They are concerned about rising prices so they order roofing materials for the whole year from a company in China that they have used many times. This is their biggest order ever and a bad actor is watching the email messages going back and forth. With perfect timing, the bad actor inserts an email into the conversation that looks exactly like previous emails from the supplier in China. This is the email with the wiring instructions to pay for the roofing materials. When the home builder pays for the roofing materials, the money goes into an unknown account and it is two weeks before the buyer and seller realize that the money is gone.
The list of examples can go on and on. In many cases the bad actor’s first goal is simply a foothold in the email server or the accounts payable software; from there they study the business to decide whether to deploy ransomware or deceive the company into sending money to the wrong place. Both stories above would have ended differently if the person paying had confirmed the new wiring instructions by phone, using a number already on file rather than one taken from the email.
You Can Protect Yourself
At Electronic Office, our team is known to say “social engineering always works.” That’s why it is such a nightmare scenario for IT teams and C-level managers alike. But all is not lost. The two best ways to protect your organization are security awareness training and multi-factor authentication. One caveat on the second: a fake login page can pass a typed one-time code straight on to the real site, so prefer a form of MFA that is tied to the genuine site rather than to something the user types. Neither measure will make you a security expert, nor will it make your systems impenetrable. What they will do is make your data harder to steal and your team harder to fool. In today’s world, that might be just enough to keep you from being the next victim.