This article looks at the continued deployment of social engineering techniques to execute business email compromise (BEC) cyberattacks and suggests some pragmatic and non-technical measures that organisations can take to help manage the risk.

What is social engineering and how is it used to compromise business email?

Social engineering is a term given to describe the manipulation of targeted persons to cause them to divulge confidential information, or take a particular course of action, by means of trickery or deceit. The intention of such techniques is to obtain information from the target that allows the hacker to commit a cyberattack or commit some other criminal act, such as credit card fraud. It’s one of the most effective weapons available to hackers and cybercriminals and is the single most common feature of phishing attacks which so many companies fall victim to.

Common examples of social engineering being used by hackers to facilitate phishing attacks include:

• An email purporting to be from your email provider a few days before a software update is due to be rolled out. The email would encourage a person to click on a link to validate their email account details. Once clicked, the link would direct the person to a bogus but authentic looking website where the person would disclose confidential user account details, such as username and password;
• An email which appears to come from the tax authorities shortly before the closure of the tax reporting period. The email encourages the recipient to click on a link to a site which is in fact designed to harvest the person's data; or
• An email purporting to be from the recipient's HR department a few days before the announcement of corporate results and associated pay rise and bonus payments. The email contains an attachment called “bonus_pool_2020.xls” but is actually a malicious file which when clicked on, installs malware designed to compromise the person's email system and give the attacker full read/write access to an account.

Once an employee’s business email account has been compromised, it can be used to compromise other email accounts within an organisation. If the original victim was someone senior, further compromise is facilitated as most employees tend not to question the veracity of emails sent by their boss (or to be precise, sent using the email account of their boss).

With access to, and control of, key employees' email accounts attackers may become aware of payment cycles, learn when invoices are due and move towards redirection of payments. The possibilities are many, although perpetrating fraud or accessing confidential or sensitive data such as personal identifiable information or intellectual property are also all common objectives.

The risks are plentiful and some observers have estimated that over 80% of all security incidents are as a result of attacks of this nature.

Looking to the future, many security experts predict that as technical controls continue to evolve and become more effective, attacks based on social engineering are likely to increase as they will be easier to perpetrate and have a greater chance of success.

Enhancing the likelihood of success of a social engineering exploit

A successful social engineering attacker (or indeed, a successful confidence trickster), will often seek to exploit a small piece of genuine information so any communication is likely to resonate with the victim and make the approach or premise of a message appear realistic.

In the email examples above, the attackers would have known when a software update was due, when the tax return window was closing or when bonus payments or corporate results were due to be released. Any communication sent to the victims could have been timed to coincide with genuine events to make them appear more authentic.

In this day and age, genuine information about organisations and individuals is often available online, for example, on corporate websites, investor relations pages or on social media platforms. These sources of information make it easier for attackers to design more realistic looking communications, thereby increasing the likelihood that any message would appear genuine to the recipient.

Tools that people use online every day, for example LinkedIn, Facebook or the Google search engine provide rich pickings for social engineers looking for genuine information to help disguise their attack as a realistic communication.  Social media platforms tell us when someone’s birthday is, when there is a major event in their life or when a business has made a significant change or implemented new tools or applications.

Google search for example, has an entire subculture devoted to the use of google advanced operators. This is essentially the use of advanced search syntax freely available within the google search engine that can help identify very specific pieces of information that is unlikely to be discovered through the typical search strings that most people use. It’s enormously useful for investigators but equally helpful for hackers too.

Additionally, because it is easy to send out literally millions of emails at once, the attacker only needs a very small percentage of recipients to be tricked into thinking the message was genuine for the attack to be successful.

What can organisations do to reduce susceptibility to social engineering?

Awareness and training together with regular reinforcement of key messages is vital. Initiatives that have been effective in some organisations include:

• Raising awareness of good cyber security habits and behaviours – consider having regular cyber security weeks where there is a cross-organisation focus on the threat;
• Providing real life examples of social engineering attacks so employees can start to recognise the patterns – make the examples personal and role-focused where possible;
• Implementing clear, well documented policies and procedures which set out the expected behaviours and acceptable use of corporate IT assets – this is crucial with regards to the opening of links or attachments contained in emails;
• Making staff aware of the risk that genuine information about them or their employer could be publicly available and hence cyber criminals may also have access to it – provide some real life examples to illustrate the dangers;
• Making it easier for employees to report suspicions and seek advice – have a well-publicised help line and make sure everyone knows who to approach for advice.
• Ensuring that your (cyber) insurance coverage is adequate - cyberattacks can often have costly outcomes, particularly if any breach results in potential regulatory or legal exposure.

From a technology perspective, there are a number of commercially-available solutions to help identify suspicious communications. These can add significant value, as can ensuring that software applications and security and network infrastructure are up to date and have the latest patches installed.

Conclusion

Social engineering is the modern day equivalent of the old-school confidence trick and notwithstanding strong and often sophisticated technical controls, the exploitation of human behavioural weaknesses often provides criminals with the easiest path to a successful cyberattack.

The impact can range from business email compromise to damaging regulatory and legal impacts.

If employees know what to look for and can recognise a potential social engineering attack, the likelihood of it being successful are reduced significantly.

Making staff aware of the dangers by bringing the subject to life and providing some real life examples is a sensible first step.

For more information on how to implement systems and controls for cyber and business email compromise resilience please contact any of the authors listed below.