This article looks at the continued deployment of social engineering techniques to execute business email compromise (BEC) cyberattacks and suggests some pragmatic and non-technical measures that organisations can take to help manage the risk.
Social engineering is the term used to describe the manipulation of targeted persons, by means of trickery or deceit, into divulging confidential information or taking a particular course of action. The intention of such techniques is to obtain information from the target that allows the hacker to commit a cyberattack or some other criminal act, such as credit card fraud. It’s one of the most effective weapons available to hackers and cybercriminals and is the single most common feature of the phishing attacks to which so many companies fall victim.
Common examples of social engineering being used by hackers to facilitate phishing attacks include:
Once an employee’s business email account has been compromised, it can be used to compromise other email accounts within an organisation. If the original victim was someone senior, further compromise is facilitated as most employees tend not to question the veracity of emails sent by their boss (or to be precise, sent using the email account of their boss).
With access to, and control of, key employees' email accounts, attackers may become aware of payment cycles, learn when invoices are due and move towards redirecting payments. The possibilities are many, and perpetrating fraud or accessing confidential or sensitive data, such as personally identifiable information or intellectual property, are also common objectives.
The risks are plentiful and some observers have estimated that over 80% of all security incidents are as a result of attacks of this nature.
Looking to the future, many security experts predict that as technical controls continue to evolve and become more effective, attacks based on social engineering are likely to increase as they will be easier to perpetrate and have a greater chance of success.
A successful social engineering attacker (or indeed, a successful confidence trickster), will often seek to exploit a small piece of genuine information so any communication is likely to resonate with the victim and make the approach or premise of a message appear realistic.
In the email examples above, the attackers would have known when a software update was due, when the tax return window was closing or when bonus payments or corporate results were due to be released. Any communication sent to the victims could have been timed to coincide with genuine events to make them appear more authentic.
In this day and age, genuine information about organisations and individuals is often available online, for example, on corporate websites, investor relations pages or on social media platforms. These sources of information make it easier for attackers to design more realistic looking communications, thereby increasing the likelihood that any message would appear genuine to the recipient.
Tools that people use online every day, for example LinkedIn, Facebook or the Google search engine, provide rich pickings for social engineers looking for genuine information to help disguise their attack as a realistic communication. Social media platforms tell us when someone’s birthday is, when there is a major event in their life or when a business has made a significant change or implemented new tools or applications.
Google search, for example, has an entire subculture devoted to the use of Google advanced operators. This is essentially the use of advanced search syntax, freely available within the Google search engine, that can help identify very specific pieces of information that are unlikely to be discovered through the typical search strings most people use. It’s enormously useful for investigators but equally helpful for hackers too.
Additionally, because it is easy to send out literally millions of emails at once, the attacker only needs a very small percentage of recipients to be tricked into thinking the message was genuine for the attack to be successful.
Awareness and training together with regular reinforcement of key messages is vital. Initiatives that have been effective in some organisations include:
From a technology perspective, there are a number of commercially-available solutions to help identify suspicious communications. These can add significant value, as can ensuring that software applications and security and network infrastructure are up to date and have the latest patches installed.
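As an added illustration of the kind of check such tools perform, and not code from the article's authors, the script below triages constructed sample emails for common BEC indicators: an executive's display name on an address that is not theirs, a sender domain that is a near-miss of the organisation's own, a Reply-To that diverts replies elsewhere, and payment-change language. The organisation domain, the executive list and the sample messages are all assumptions made for the example. Note that the last check fires even for a genuine internal address, because, as the article describes, the account itself may have been compromised.

```python
"""Heuristic triage of inbound mail for business email compromise indicators.

Added illustration; the organisation domain, executive list and sample
messages below are constructed assumptions, not real data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                          # assumption: the defended organisation
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumption: known senior staff
PAYMENT_PATTERNS = [r"\bbank details?\b", r"\bnew account\b", r"\bwire\b", r"\burgent(ly)?\b"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name of a known executive used on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation of executive")

    # 2. Sender domain is within two edits of the organisation's own domain.
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_domain}")

    # 3. Replies would be routed somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 4. Two or more payment-change / urgency phrases in the body. This is checked
    #    regardless of sender, since a genuine account may itself be compromised.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sum(1 for p in PAYMENT_PATTERNS if re.search(p, body, re.IGNORECASE))
    if hits >= 2:
        findings.append("payment-change request language")

    return findings


# Constructed sample messages for the three scenarios the checks target.
SAMPLES = {
    "lookalike": (
        "From: Jane Doe <jane.doe@examp1e-corp.com>\n"
        "To: finance@example-corp.com\n"
        "Subject: Supplier payment\n\n"
        "Please update the supplier bank details before the wire goes out today.\n"
    ),
    "genuine": (
        "From: IT Helpdesk <helpdesk@example-corp.com>\n"
        "To: all-staff@example-corp.com\n"
        "Subject: Scheduled maintenance\n\n"
        "The finance system will be updated on Friday evening.\n"
    ),
    "compromised": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Reply-To: jane.doe@mail-relay-example.net\n"
        "To: finance@example-corp.com\n"
        "Subject: Invoice\n\n"
        "Urgent: the vendor has a new account for this wire, details attached.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {bec_indicators(raw) or 'no indicators'}")
```

Findings from a script like this are a prompt for a human check, such as confirming any change of bank details by telephone on a known number, rather than a verdict; the "genuine" sample produces no findings, while the "compromised" sample is flagged only by its Reply-To and payment language, exactly the case where a lookalike-domain filter alone would have passed it.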
Social engineering is the modern day equivalent of the old-school confidence trick and notwithstanding strong and often sophisticated technical controls, the exploitation of human behavioural weaknesses often provides criminals with the easiest path to a successful cyberattack.
The impact can range from business email compromise to damaging regulatory and legal impacts.
If employees know what to look for and can recognise a potential social engineering attack, the likelihood of it being successful is reduced significantly.
Making staff aware of the dangers by bringing the subject to life and providing some real-life examples is a sensible first step.
For more information on how to implement systems and controls for cyber and business email compromise resilience please contact any of the authors listed below.