Online Journey

Because online is a journey, not a destination


How to protect your small business against social engineering.

Online Security. Online Journey

Stay safe online

First of all, what is social engineering?

Let’s think about it in the context of information security. It refers to the manipulation of people into performing actions or divulging confidential information. Social engineering is a type of confidence trick used to gather information, commit fraud, or gain system access. It differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.

Email compromise seems to be on the rise in the B2B space.

It is hardly surprising. This is a low-risk, high-reward crime for the scallywags who commit it. In recent times personal data records have been stolen from healthcare providers, retail outlets and government departments. There is a big question small businesses should be asking: what can they do to protect themselves?

Email compromise, a form of social engineering, netted cyber criminals over US$2.3 billion (A$3 billion) between October 2013 and February of this year. Over 17,000 businesses have reported being affected so far, and attacks have occurred in at least 79 countries. These are only the cases the FBI is aware of.

The hard fact is that many cybercrimes go unreported, in both large and small businesses. You might expect that small businesses won’t report it where the loss is small, such as a $200 fee to get data back after a successful ransomware attack. Big businesses are not reporting either, perhaps for fear of public embarrassment or in an attempt to avoid regulatory scrutiny.

Why email compromise?

Over recent times, we’ve seen successful attacks compromise millions of records from large companies such as Target, Sony, Anthem, TalkTalk in the UK, and Kmart and David Jones here in Australia. But these enormous hacks are just the ones we hear about. There have been tens of thousands of attacks that didn’t make the headlines.

In every case, almost without exception, the thieves were targeting customer data. These massive treasure troves of data are worth a lot of money on the black market. Consider the Anthem attack, where thieves took off with over 80 million healthcare records. Each of these is worth around $10 on the black market, so the bad guys could have sold the entire database for big money. The records could end up in the hands of an organised crime syndicate. This leads us to consider not the breach itself, but the use of the data once it is sold.

Hackers want to pass this data on to a buyer as quickly as possible. There is a slew of unscrupulous organised crime mobs and terrorist groups with the means to buy the data, and they intend to use it. There are many reasons why Anthem’s data may have been purchased.

Having your identity stolen is top of mind when entering personal details online. Tax file numbers, addresses, names, dates of birth, etc. are all hot property. It is all information that helps convince credit card companies that the criminal is actually a legitimate citizen. The same details are used to obtain credit agreements for mobile phones, cars, new bank accounts and so on.

Business email compromise is another use organised crime may be making of these data breaches. They’ve got a lot of useful data with which to masquerade as a legitimate partner. Imagine how convincing these charlatans are: armed with a few stolen healthcare records and some research on LinkedIn, they can plan a social engineering attack on the target company.

It is little wonder these targeted attacks are on the rise. The amount of data now circulating and available on the black market is increasing. Just have a look at what’s available on social media.

What can we do?

Unfortunately, there isn’t much you can do about the origins of the attack. Leave that for law enforcement to coordinate.  The threat is real and getting worse every year. Social engineering is still by far the best way to attack an organisation.

The only way to protect yourself is to educate staff, especially those in roles considered high-risk targets. Security training is the best control you can put into an organisation to create a curious culture, one that is instinctively suspicious and willing to question.

The second thing to consider is the process you use for the release of capital funds. If an email is enough justification to have your payroll send funds to a creditor, it’s time to upgrade your workflow. That basic process needs extra checks and balances.

Adding a phone call or two to your process is a good extra layer. This is where you call the requester back on a number you already hold and check a transaction number or secure passcode. There are also cryptographic technologies that make the originator of a message verifiable: the sender signs the message with a key that you have provided them, which shows they are who they say they are.

There are many ways to increase the security of these kinds of workflows. It’s a matter of seeing where they are weak today. You can then engage an expert who can design the security architecture of the process for you. Banks do this. When you request a payment from your account to a third party, you use your RSA token plus PIN to authorise it. This authenticates that the transaction is being set up by the account holder.
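As an added illustration of the signed-request workflow described above (this is example code, not from the original post): a payment request is released only if it carries a valid authentication tag under a key the vendor was given out of band, and even then only once the phone callback has been recorded. The vendor name, key and request values are constructed samples, and a shared-secret HMAC stands in for whichever signing technology you adopt.

```python
import hashlib
import hmac
import json

# Constructed sample: one key per vendor, generated by the payer and handed to
# the vendor over a separate channel (never by email), as the post describes.
VENDOR_KEYS = {"acme-supplies": b"constructed-sample-key-handed-over-out-of-band"}

# The fields that decide where the money goes; the tag must cover all of them.
SIGNED_FIELDS = ("vendor", "beneficiary", "bsb", "account", "amount_aud")

def canonical(request: dict) -> bytes:
    """Serialise the payment-relevant fields deterministically, so any change
    to the payee or account changes the bytes that were signed."""
    fields = {k: request.get(k) for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_request(request: dict, key: bytes) -> str:
    """What the vendor's system attaches to a genuine request."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()

def verify_request(request: dict, tag: str, callback_confirmed: bool) -> str:
    """Accounts-payable side. Returns the workflow decision: 'release',
    'hold-callback', 'reject-signature' or 'reject-unknown-vendor'."""
    key = VENDOR_KEYS.get(request.get("vendor"))
    if key is None:
        return "reject-unknown-vendor"          # no key exchanged: unverifiable
    expected = sign_request(request, key)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return "reject-signature"               # altered fields or forged mail
    if not callback_confirmed:
        return "hold-callback"                  # tag is fine, phone check owed
    return "release"

def demo() -> dict:
    """Run a genuine request and a tampered copy of it through the check."""
    genuine = {"vendor": "acme-supplies", "beneficiary": "ACME Supplies Pty Ltd",
               "bsb": "000-000", "account": "12345678", "amount_aud": "48000.00"}
    tag = sign_request(genuine, VENDOR_KEYS["acme-supplies"])
    # Same email resent with a different account number: the tag no longer matches.
    tampered = dict(genuine, account="99999999")
    return {
        "genuine_after_callback": verify_request(genuine, tag, True),
        "genuine_before_callback": verify_request(genuine, tag, False),
        "tampered": verify_request(tampered, tag, True),
    }
```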

ISACA released a paper in 2014 about securing electronic payments. You can find it here [pdf]. NIST publishes a guide on creating a security awareness program. Check out the guide here [pdf].

The bottom line is that if you’re hacked you only have yourself to blame. There is plenty of information available. The technology and the evidence of criminal intent are at your disposal.

If you don’t believe you are a target, it is time to look in the mirror and change your ways before it is too late.

Let Online Journey know if you have any questions or concerns about your business or personal online security. We are here to help. Your one-stop digital shop in Banyule.


Copyright © 2019 • • All Rights Reserved