No matter how robust your security controls are, Coalition has seen the dangers of social engineering as a threat vector (a method used by attackers). Our recent Claims Report highlights the trend of increasingly sophisticated and ever more expensive claims related to breaches of email security (known as business email compromise or BEC) and related incidents like funds transfer fraud (FTF) that are perpetrated after a BEC has occurred.
Cyber vulnerabilities are music to an attacker’s ear, providing an easy way to break into your systems. So how do we slow this trend? By understanding what social engineers are doing and the simple steps you can take to shut them down.
Give it away, give it away, give it away now
Social engineering is the act of forcing or tricking people into performing actions they otherwise wouldn’t. Peer pressure is one example, and the natural tendencies and traits of human beings are a common method attackers use to gain access to systems or data that are otherwise well-protected. Why hack a system when you can call someone posing as a member of the IT help desk and ask them to share their password for an “IT upgrade” project?
All social engineering relies on a pretext, which is a scenario or situation created by the social engineer. Attacks like the IT help desk scam rely on people trusting an IT department and wanting to be helpful to a colleague who has a job to do. These fairly low-sophistication, clumsy pretexts are pretty well known and are becoming less effective, so attackers are getting more sophisticated.
By gathering information about their target, they can craft an attack that doesn’t trigger alarms.
Open source intelligence (OSINT) is a process of gathering information from publicly available sources. We might do this for benign purposes, like determining whether two celebrities are dating based on what they share on social media. Unfortunately, attackers are using the same types of information to craft more convincing social engineering pretexts. For example, a message claiming to be from someone you met at a conference (where you may have checked in or posted on social media using a specific hashtag) who knows about your interests, latest vacation, and job details (all publicly available on social media) is going to seem pretty legit.
Even if you don’t directly remember the person in question, surely with this much information you must have chatted with them at that conference. You shared your work history and your upcoming vacation plans, right? Wrong! This type of information is frequently given up for free when you do common activities like participating in social media trends (the Dolly Parton challenge), sharing your “travel plans,” or online quiz results based on personal details like favorite food, year/month of birth, etc.
The result of these seemingly innocuous social media games is a treasure trove of personal details that attackers can use.
One way, or another, they’re gonna find you
We’ve all seen social engineering depicted in TV shows and movies — somebody dresses up as a utility repair person or sweet-talks their way into a secured facility, and it’s a pivotal point in spy and thriller stories. As it relates to your business, the cyber risk from social engineering is typically not focused on physical access so much as gaining access to sensitive data and systems. This Forbes article defines the threat well: “Social engineering attacks exploit pretty much all forms of communication including email, social media, text messages, and phone calls.“
As a business owner, you may think you’re too small or uninteresting to be a target, but attackers have automated and expanded their reach. Scraping information from social networks is trivial, and extensive use of templates and some artificial intelligence makes crafting a phishing email or phone script a trivial task. These types of attacks are often scattershot and may be called “spray-and-pray” after their method of sending out massive quantities of scam messages in the hope that at least a few reach their target and the victim falls for it.
The use of automation means these attacks are financially successful, even if only a tiny fraction of recipients fall for it.
Coalition sees social engineering impacting our policyholders all too frequently. Our recent Claims Report highlights the growing threat: “Email phishing was the initial vector of attack for 48% of reported claims where this data was available.” Users who open links or attachments in phishing emails are often infected with malware or give up their credentials, or both — the attackers have nothing to lose by going big.
In some cases, the social engineering pretext, whether it’s an email, phone call, or text message, is the actual scam. Funds transfer fraud (FTF) is a simple attack whereby a user directs money to an attacker’s account and is often perpetrated by an attacker sending a fake invoice or instructions for payment. A user who doesn’t carefully verify information might approve the invoice or update payment instructions, send the money to an attacker, and create a cyber incident.
(Deepfake) video killed the radio star
If you’re a larger organization, you’re an even more attractive target. More revenue, a good reputation, and even just being a large player increases the likelihood that an attacker will try something. Coalition’s Claims Report reinforces the rise of two scamming methods identified in this Forbes article, deepfakes and business ID compromise, and we saw these trends across our policyholders.
Alarmingly, deepfake content is easier than ever to create due to the sheer amount of processing power available in most devices. Today’s smartwatches have beefier processors than desktop PCs from just a couple of decades ago, and the rise of cloud computing unlocks vast amounts of efficient, cost-effective processing power. All this can be harnessed to create legitimate-looking content like an audio or video recording that sounds and looks authentic.
The question now is whether or not that voicemail from your CEO is legit. Is she really asking for key details about the company’s accounts, or did a scammer use a recording of her giving a presentation to generate a deepfake audio clip? Even worse, predictive writing AIs have gotten very good at adapting to your individual writing style. That’s great if you want to speed up your writing, but attackers can do the same thing. By analyzing your emails, they can leverage the AI to compose and send a message that matches your style, tone, and even grammatical quirks.
Cybersecurity’s just (another) brick in the wall
Cyber risk can be scary, but there are simple measures that can afford your business a great deal of protection and significantly reduce the likelihood or impact of these risks. Below are Coalition’s top three recommendations for businesses of any size to evaluate their risks and get started on cyber defenses:
- Have a layered cyber defense approach. No single control is 100% effective, so identify critical risks and ensure you have multiple controls to address them. Email phishing is a great example: layering together training and an email security service is a more robust defense than just offering employee training.
- Train your employees. Users are the single biggest target for exploitation because they can be manipulated via social engineering. Arming employees with knowledge and resources to spot social engineering, phishing, and other cyber misconduct gives you a vital line of defense.
- Check out Coalition’s Cybersecurity Guide for our Top 10 recommended cybersecurity controls and how to get started implementing them. We cover top threats based on the security incidents we see and give you easy guidance to get started on fixing them.
For more information on the types of security incidents, Coalition has seen, including the recent, dramatic rise of remote access tools being exploited, check out our H1 2021 Cyber Insurance Claims Report. We analyze the cyber incidents that lead to claims, including the attack vector and root cause. That gives you a starting point for building your cyber defenses and prioritizing work to mitigate these risks, leaving you (hopefully) singing happy instead of singing the blues.