First of all, what is social engineering?
Let’s think about it in the context of information security. There it refers to manipulating people into performing actions or divulging confidential information. Social engineering is a type of confidence trick, used for information gathering, fraud or system access. It differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
Email compromise seems to be on the rise in the B2B space.
It is hardly surprising. This is a low-risk, high-reward crime for the scallywags who commit it. In recent times personal data records have been stolen from healthcare providers, retail outlets and government departments. There is a big question small businesses should be asking: what can they do to protect themselves?
Business email compromise, a form of social engineering, has netted cyber criminals over US$2.3 billion (A$3 billion) between October 2013 and February of this year. Over 17,000 businesses have reported being affected so far, and attacks have occurred in at least 79 countries. And these are only the cases the FBI is aware of.
The hard fact is that many cybercrimes go unreported, in both large and small businesses. You might expect small businesses not to report where the loss is insignificant, such as a $200 fee to get data back after a successful ransomware attack. But big businesses are not reporting either, perhaps for fear of public embarrassment or in an attempt to avoid regulatory scrutiny.
Why email compromise?
Over recent times we’ve seen successful attacks compromise millions of records from large companies: Target, Sony, Anthem, TalkTalk in the UK, and Kmart and David Jones here in Australia. But these enormous hacks are just the ones we hear about. There have been tens of thousands of attacks that didn’t make the headlines.
In almost every case the thieves were targeting customer data. These massive treasure troves are worth a lot of money on the black market. Consider the Anthem attack, where thieves took off with over 80 million healthcare records. Each of those records is worth around $10 on the black market, so the bad guys could have sold the entire database for big money, and the records could end up in the hands of an organised crime syndicate. This leads us to consider not the breach itself, but the use of the data once sold.
Hackers want to pass this data on to a buyer as quickly as possible, and there is a slew of unscrupulous organised crime mobs and terrorist groups with the means to buy it. Furthermore, they intend to use it. There are many reasons why Anthem’s data may have been purchased.
Identity theft is top of mind when entering personal details online. Tax file numbers, addresses, names, dates of birth and so on are all hot property. It is all information that helps convince a credit card company that the criminal is actually a legitimate citizen. Other uses are to authorise credit agreements for mobile phones, cars, new bank accounts and the like.
Yet business email compromise is another use that organised crime may be putting these data breaches to. The criminals have a lot of useful data with which to masquerade as a legitimate partner. Imagine how convincing these charlatans are: they hold a few stolen healthcare records, do their research on LinkedIn and plan social engineering attacks on the target company.
It is little wonder these targeted attacks are on the rise. The amount of data circulating on the black market is increasing. Just have a look at what’s available on social media.
What can we do?
Unfortunately, there isn’t much you can do about the origins of the attack. Leave that for law enforcement to coordinate. The threat is real and getting worse every year, and social engineering is still by far the most effective way to attack an organisation.
The first line of defence is to educate staff, especially those in roles considered high-risk targets, such as the people who can release funds. Security training is the best control you can put into an organisation to create a curious culture: one that is instinctively suspicious and willing to question.
The second thing to consider is the process you use for the release of funds. If an email is enough justification for your payroll or accounts team to send funds to a creditor, it’s time to upgrade your workflow. A basic process like that needs extra checks and balances.
Adding a phone call or two to your process is a good extra layer: ring the requester on a number you already hold on file, not one taken from the email, and check a transaction number or a secure passcode. There are also cryptographic technologies that make the originator of a message verifiable. They show the sender is who they say they are, based on signing the message with a key that you have exchanged with them in advance.
There are many ways to increase the security of these kinds of workflows. It’s a matter of identifying their weaknesses today, then engaging an expert who can design the security architecture of the process for you. Banks do this: when you request a payment from your account to a third party, you use your RSA token plus PIN to authorise it. That authenticates that the transaction is being set up by the account holder.
ISACA released a paper in 2014 about securing electronic payments, and NIST publishes a guide on creating a security awareness program. Both are worth reading.
The bottom line is that if you’re hacked, you only have yourself to blame. There is plenty of information available, and the technology, and the evidence of criminal intent, are at your disposal.
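As an added example, not part of the original article, the following Python script models the payment-release checks just described: a beneficiary-account comparison against the record captured at supplier onboarding, a signature under a key exchanged with the supplier in advance (modelled here as an HMAC over the request), freshness and single-use checks, and an out-of-band call-back that must confirm the transaction number. The vendor record, the key, the invoice numbers and the amounts are all constructed for the demonstration; the approver’s own second factor (the bank’s token plus PIN) is outside the script.

```python
import hashlib
import hmac
import json

# Vendor master record, populated at supplier onboarding and never updated
# from an email. It holds the call-back number, the bank details and the
# key you issued the supplier. All values are constructed for this example.
VENDOR_MASTER = {
    "acme-ltd": {
        "callback_phone": "+61 3 9000 0000",
        "bsb": "063-000",
        "account": "12345678",
        "shared_key": b"example-key-issued-to-acme-at-onboarding",
    },
}

MAX_AGE_SECONDS = 24 * 3600
SIGNED_FIELDS = ("vendor", "transaction_id", "amount", "bsb", "account", "issued_at")


def canonical(request):
    """Fixed-order serialisation of the fields the signature covers."""
    return json.dumps({k: request[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def sign_request(request, key):
    """HMAC-SHA256 the supplier computes with the key you issued them."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def signature_valid(request, key):
    return hmac.compare_digest(sign_request(request, key), request.get("signature", ""))


def release_payment(request, callback_confirmed_id, now, seen_ids):
    """Decide whether a payment request may be released.

    callback_confirmed_id is the transaction number the supplier read back
    when finance rang the number held in VENDOR_MASTER (never a number taken
    from the email). Returns (approved, reason); the email alone never suffices.
    """
    vendor = VENDOR_MASTER.get(request.get("vendor"))
    if vendor is None:
        return False, "unknown vendor"
    # BEC almost always changes the beneficiary account; refuse anything that
    # does not match the record on file.
    if (request["bsb"], request["account"]) != (vendor["bsb"], vendor["account"]):
        return False, "beneficiary account differs from vendor master record"
    # The signature proves the request came from someone holding the key.
    if not signature_valid(request, vendor["shared_key"]):
        return False, "bad signature"
    # Freshness and single use stop a genuine old request being resubmitted.
    if not 0 <= now - request["issued_at"] <= MAX_AGE_SECONDS:
        return False, "stale request"
    if request["transaction_id"] in seen_ids:
        return False, "replay of an already-released transaction"
    # Out-of-band confirmation over the phone.
    if callback_confirmed_id != request["transaction_id"]:
        return False, "call-back did not confirm transaction id"
    seen_ids.add(request["transaction_id"])
    return True, "approved"


def run_demo():
    """Run constructed requests through the workflow; returns the decision reasons."""
    key = VENDOR_MASTER["acme-ltd"]["shared_key"]
    issued = 1_700_000_000
    now = issued + 600
    seen = set()

    genuine = {"vendor": "acme-ltd", "transaction_id": "INV-2041", "amount": "18500.00",
               "bsb": "063-000", "account": "12345678", "issued_at": issued}
    genuine["signature"] = sign_request(genuine, key)

    # Attacker knows the supplier, the amount and the invoice number from a
    # compromised mailbox, but not the key; they swap in their own account.
    diverted = dict(genuine, account="99999999")
    diverted["signature"] = sign_request(diverted, b"guess")

    # Same forgery, but with the real account details copied verbatim.
    forged = dict(genuine)
    forged["signature"] = sign_request(forged, b"guess")

    # A genuine request from last month, resubmitted.
    old = dict(genuine, transaction_id="INV-1990", issued_at=issued - 40 * 86400)
    old["signature"] = sign_request(old, key)

    results = []
    for req in (genuine, diverted, forged, old, genuine):
        ok, why = release_payment(req, req["transaction_id"], now, seen)
        results.append(why)
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The order of the checks matters: the beneficiary comparison runs first because it needs no cryptography and catches the most common BEC variant (a changed account number) even when everything else about the email is genuine.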
If you don’t believe you are a target, it is time to look in the mirror and change your ways before it is too late.
Let Online Journey know if you have any questions or concerns about your business or personal online security. We are here to help. Your one stop digital shop in Banyule.