Social engineering attacks are on the rise, and attackers are no longer limited to random victims. They target CEOs, CFOs, accountants, or anyone else with the authority to transfer money or to access sensitive data. This takes far more effort than a bulk email blast aimed at random users, so attackers are turning to more brazen phone calls and social engineering that convince executives, or the staff who act on their behalf, to transfer money to attacker-controlled accounts.
The Bogus Boss Attack
IT administrators are constantly educating users about the dangers of phishing, because users are an organization's biggest risk. Security awareness training and antivirus can only do so much: administrators must still plan for the employee who runs an executable attached to an email, or who enters a username and password into a phishing website's form.
However, attackers are now using more targeted attacks to trick executives and finance staff into sending them money. For instance, the accountant for Etna Industrie, a well-established, 75-year-old company, recently fell for one of these targeted attacks. The accountant received a call from an unknown caller who said that the president of Etna Industrie would be in touch to authorize a transaction. The attacker then sent an email spoofed to appear to come from the president, asking the accountant to transfer money to a specific bank account.
Had the accountant been an IT person, he would have known to verify the email headers (the Return-Path, the Received chain and the authentication results, not just the From line) before acting on the message. But most users don't know how to read headers, so he saw the president's name in the From address and made the transfers, totalling 500,000 Euros. Luckily, three of the transfers were held at the bank, but one of 100,000 Euros went through. The attack succeeded, and the accountant was left to explain the loss to the president when she returned from vacation.
What Can IT People Do?
When a fraudulent message gets through the email servers, the administrators are the first to be blamed. The best way to reduce this risk in the corporation is security awareness training for users, whether in a group setting or through intranet documentation.
Another way to reduce risk is an email filtering system. There are numerous rules and filtering options, so use a product that integrates with your email server and can act on sender authentication results (SPF, DKIM and DMARC) rather than on the From line alone, since a spoofed From line is exactly what the bogus-boss email relies on. Integration also makes it easier to tune the rules: too many false positives stop users from receiving legitimate email, which harms business performance just as surely.
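The header check described in the Etna Industrie example, written as the kind of filter rule this paragraph recommends. This is an added example for this article, not code from the original page or from any product. It assumes the border mail server (mx.example-corp.com, a made-up host) has already added an Authentication-Results header (RFC 8601) and a Return-Path, that example-corp.com stands in for the company's own domain, and that the lookalike-domain heuristic is a deliberately cheap one; the three sample messages are constructed.

```python
"""Spoof check on inbound mail headers, written as a mail-filter rule.

Added example for this article, not code from the original page. Assumes the
border MTA (mx.example-corp.com, a made-up host) has already added an
Authentication-Results header (RFC 8601) and Return-Path, and that
example-corp.com stands in for the company's own domain. The sample messages
below are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}  # assumption: the company's mail domain


def _domain(header_value):
    """Return the lowercased domain part of the first address in a header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map method -> verdict from Authentication-Results, e.g. {'spf': 'fail', 'dmarc': 'fail'}."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        # The first ';'-separated part is the authserv-id; the rest are method=verdict clauses.
        for clause in str(value).split(";")[1:]:
            words = clause.split()
            if words and "=" in words[0]:
                method, verdict = words[0].split("=", 1)
                results[method.lower()] = verdict.lower()
    return results


def check_message(raw):
    """Return a list of reasons to hold the message; an empty list means no spoofing indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    reply_to_domain = _domain(msg.get("Reply-To"))
    auth = auth_results(msg)

    if from_domain in INTERNAL_DOMAINS:
        # A message claiming to come from the president must carry our own domain's DMARC pass.
        if auth.get("dmarc") != "pass":
            findings.append(f"From {from_domain} but dmarc={auth.get('dmarc', 'missing')}")
        if return_path_domain and return_path_domain != from_domain:
            findings.append(f"Return-Path domain {return_path_domain} differs from From domain")
    else:
        # Cheap lookalike heuristic (assumption): same leading label as our domain, different domain.
        for internal in INTERNAL_DOMAINS:
            if from_domain.split(".")[0] == internal.split(".")[0]:
                findings.append(f"lookalike sender domain {from_domain} resembles {internal}")
    if reply_to_domain and reply_to_domain != from_domain:
        # Replies to "the president" would land in the attacker's mailbox.
        findings.append(f"Reply-To domain {reply_to_domain} differs from From domain")
    return findings


# Constructed sample: the bogus-boss message as it might reach the accountant's mailbox.
SPOOFED = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-corp.com;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail (p=none) header.from=example-corp.com
From: Carole <president@example-corp.com>
Reply-To: <president.example-corp@webmail.example.org>
To: accountant@example-corp.com
Subject: URGENT confidential transfer
Content-Type: text/plain

Please wire 100,000 EUR today. I am unreachable by phone until tomorrow.
"""

# Constructed sample: a genuine internal message.
GENUINE = b"""Return-Path: <president@example-corp.com>
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com;
 dmarc=pass header.from=example-corp.com
From: Carole <president@example-corp.com>
To: accountant@example-corp.com
Subject: Q3 invoices
Content-Type: text/plain

Invoices attached, nothing urgent.
"""

# Constructed sample: a registered lookalike domain that authenticates for itself.
LOOKALIKE = b"""Return-Path: <president@example-corp.co>
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=example-corp.co;
 dmarc=pass header.from=example-corp.co
From: Carole <president@example-corp.co>
To: accountant@example-corp.com
Subject: Transfer approval
Content-Type: text/plain

Approve the transfer I discussed with you.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw) or "no indicators")
```

The lookalike sample is the caveat: a registered lookalike domain passes SPF and DMARC for itself, so a filter that stops at "authentication passed" lets it through, and a compromised genuine mailbox passes every header check. Header rules narrow the problem; they do not replace the out-of-band verification the next paragraph describes.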
The best defense is still common sense. In the Etna Industrie example, the attacker was pushy and insisted the transaction was time sensitive. Attackers routinely make the victim feel rushed so that he has no time to think about the consequences. Employees should understand the implications, be given the freedom to ask questions, and verify any unusual request through a channel the requester did not supply, such as calling the president back on a known number, before issuing any sensitive transaction or transfer.
You can't guarantee that no user will ever fall for a social engineering attack, but making users aware of the common techniques greatly reduces the risk to them and to the corporation.