Weekly Cyber Risk Roundup: New PoS Breaches and Simple Attacks

The week’s top trending event was the compromise at Freedom Hosting II, which has been estimated to host as much as 20 percent of active dark web sites. As a result, thousands of dark web sites were taken offline, and the stolen data has since been widely shared.

2017-02-12_ITT.pngSecurity researcher Troy Hunt, who reviewed some of the data, said that 381,000 email addresses were exposed along with a 2.2GB MySQL file that contained database backups of customers with “a very broad range of data from different systems.” Hunt added that “a significant amount” of that data is illegal. The hacker taking credit for the incident told Motherboard that the discovery of 10 sites hosting child pornography was the impetus for escalating the attack from read-only access to gaining system privileges, which was done using a 21-step process.

The other big news of late is the announcement of several new point-of-sale data breaches. InterContinental Hotels Group announced a point-of-sale breach affecting customers who used payment cards at the restaurants and bars of 12 properties, and fast-food chain Arby’s confirmed that malware was discovered on the payment systems of corporate locations. The incidents mirror the beginning of 2016, which saw similar breach announcement from Hyatt hotels and fast-food chain Wendy’s. The IGH breach is smaller than last year’s Hyatt announcement, which likely affected guests at 250 hotels, but the Arby’s breach may be comparable to the Wendy’s breach, which affected 1,025 locations.

More than 1,000 of the 3,300 total Arby’s restaurants are corporate owned; however, not every corporate location was affected, an Arby’s spokesperson said. Arby’s has yet to release official numbers or dates of the incident, but PSCU, a service organization that serves more than 800 credit unions, issued a non-public alert saying that more than 355,000 payment cards issued by PCSU member banks were compromised due to an incident at “a large fast food restaurant chain, yet to be announced to the public.” PCSU also estimated that the fast-food chain breach occurred between Oct. 25, 2016, and January 19, 2017.

2017-02-12_ittgroups

Other trending cybercrime events from the week include:

  • Polish financial regulator used to spread malware: A malicious actor compromised the internal systems of the Polish Financial Supervision Authority and used the financial regulator to spread malware to Polish banks. According to The Register, a modified JavaScript file likely resulted in visitors to the regulator’s site loading an external file that led to malicious payloads. A spokesperson said the regulator decided to take its entire system offline “in order to secure evidence.” Polish media have described the incident as the most serious attack ever on the Polish banking industry.
  • Extortion attacks continue: Taiwan brokerages are receiving DDoS extortion emails claiming to be from the group known as the “Armada Collective,” and several brokerages have reported DDoS attacks following those ransom demands. A malicious actor gained accessed to millions of messages and documents from the computer system of Doyen Global and leaked numerous emails from soccer star David Beckham after a failed blackmail attempt of “between €500,000 and a million.”
  • More government attacks: An attack against the Italian foreign ministry last spring compromised email communications for many months, but it did not affect the encrypted system used for classified communications. The Russian-linked APT 29 hacking group has been targeting Norwegian organizations with spear phishing emails. The attorney for Little Egg Harbor believes someone within the township is stealing data from the municipal computer systems and handing that confidential information over to a local political blogger. Hackers may have used stolen passwords to gain access to a Bureau of Consular Affairs email account that serves as a contact window to 117 Taiwanese overseas offices around the world. The former NSA contractor who faced charges in 2016 relating to the theft of 50 terabytes of highly sensitive data, allegedly stole more than 75 percent of the hacking tools belonging to the NSA’s elite hacking group known as the Tailored Access Operations.
  • Stolen and leaked databases: A database from the law enforcement forum PoliceOne was stolen in 2015 and the information of 700,000 members has been publicly distributed. A group of hackers claim to have a database of 20 million records stolen in 2014 from Bin Weevils, a British online children’s game owned by 55 Pixels. An actor using the name “zerodark70” is selling a database of 83,000 accounts from UPI.com, the website of the news agency United Press International. A large portion of the anti-piracy company Denuvo’s web database content is unsecured, and as a result information submitted via the company’s public contact form dating back to April 2014 has been posted online.
  • Other cybercrime announcements: A vulnerability in an October 2016 software update for the Michigan Data Automated System has exposed as many as 1.87 million Michigan workers’ information to a third-party vendor. UK sports retailer Sports Direct experienced a breach due to an attacker exploiting vulnerabilities in the unpatched version of the DNN platform the company was using to run a staff portal. Computer supplier Logic Supply announced there was unauthorized access to the company’s website on February 6, 2017. UK magazine publisher Future announced that its FileSilo website was breached. Singn and Arora Oncology Hematology in Michigan announced a data breach affecting 22,000 individuals.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-02-12_ittnew

Cyber Risk Trends From the Past Week

2017-02-12_riskscoresThe past week saw the continuation of several stories highlighted in recent risk reports.

For starters, malicious actors are exploiting the recently announced severe content injection vulnerability found in the WordPress REST API, which was fixed in the WordPress 4.7.2 update. At least twenty-four different campaigns are actively defacing WordPress sites. WordFence, which said that this is “one of the worst WordPress related vulnerabilities to emerge in some time,” reported that nearly 1.9 million defaced web pages have been indexed by Google as of February 10.

WordPress has an automatic update feature to protect against newly announced exploits being used by malicious actors, but a large number of websites appear to have disabled that feature and have not updated to version 4.7.2, which has been available since January 26.

As SurfWatch Labs continues to stress in blogs and articles, cyber threat intelligence clearly shows that the security threats are not as complex as some media and vendors make them out to be. Another example of simple but effective attacks is the growing number of organizations publicly tied to W-2 related breaches. Two weeks ago we wrote that the 2017 W-2 breach count had rose to 24 organizations. By last Friday that number had risen to 40. By Monday morning, it rose again to 48 – including school districts, colleges, healthcare organizations, manufacturers, payroll providers, restaurants, retailers and more.

IRS Commissioner John Koskinen warned that “this is one of the most dangerous email phishing scams we’ve seen in a long time.” These impersonation emails, also known as business email compromise scams, have proven to be effective, and they are costly for the organizations that fall victim to them. But they are not complex. They rely on three simple and straightforward aspects all good impersonators utilize:

  1. A simple backstory – The malicious actors utilize the built-in story of tax season.
  2. Appearing as though they belong – The emails matter-of-factly request information that is relevant to the payroll and human resource departments being targeted.
  3. Projecting authority – The requests appear to come from a higher-up such as a school superintendent or executive.

Many attacks that lead to data breaches are not sophisticated efforts carried out by actors using zero-day exploits; rather, they are opportunistic attacks leveraging public vulnerabilities and simple social engineering tactics. When it comes to managing cyber risk, ensure your organization can defend against these basic attacks before addressing more advanced – and often far less relevant – cyber threats.

W-2 Breach Count Hits 24, Rising Fast as More Organizations Get Phished

Tax season has begun, and with it comes renewed opportunity for cybercriminals to steal W-2 information in order to file fraudulent tax returns or sell employee data on the dark web. The past two weeks have seen at least 24 organizations publicly tied to W-2 data breaches — and more breach announcements will likely be made in the coming months.

The simple but effective phishing emails used by malicious actors mirror last year’s wave of successful W-2 thefts. The scammers impersonate an executive and use that authority, along with the timeliness of tax season, to dupe payroll and human resource employees into handing over entire rosters of W-2 information at once.

2017-02-02_W2Chatter.png
W-2 breaches and other tax-related cybercrime has peaked in the early part of the past few years, according to SurfWatch Labs’ cyber threat intelligence data, and it will likely peak again in early 2017. The spike in CyberFacts in May 2015 is largely attributed to the announcement of the theft of taxpayer information from the IRS’ “Get Transcript” service.

Numerous organizations have fallen for the ruse so far in 2017, including:

In addition to those organizations, Brian Krebs reported that an actor on the dark web is selling stolen W-2 information tied to more than 3,600 individuals. Information purchased by a source revealed data from Kirai Restaurant Group in Fort Lauderdale and an unnamed doctor’s office in Boca Raton. However, both of those organizations told Krebs that they used a third-party payroll management firm called The Payroll Professionals. That company said it is “aware of the potential hacking” but has yet to make a public announcement.

Altogether that means 24 distinct organizations have been tied to W-2 breaches so far this year, plus any additional clients that may be tied to the incident at The Payroll Professionals.

At least seven of the victims so far have been in the education group, and there have been reports of an even larger number of school districts being unsuccessfully targeted with similar phishing emails. This falls in line with trends from last year’s threat intelligence data.

2017-02-02_taxgroups2016
Education topped the list of industry groups publicly tied to W-2 breaches and other tax-related cybercrime in 2016, and schools are being heavily targeted once again in 2017.

The IRS issued an alert last week warning organizations to be on the lookout for these types of phishing scams, which may include requests in the email body such as:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

The scam relies on tricking employees into emailing sensitive information. The best way to combat these types of threats is to ensure that employees are aware of ongoing phishing campaigns and that those employees are properly trained on the best ways to defend against social engineering.

Organizations should use a combination of user-awareness/education and anti-phishing tools to keep employees continually informed of evolving phishing campaigns and to have some mitigation and policy enforcement in place. By creating a culture where employees are encouraged to question unusual requests and confirm those requests via a secondary communications channel, organizations can greatly reduce the risk of employees falling for these types of scams.

Recent Campaigns Highlight Evolving Social Engineering Tactics

Over the past month, researchers have observed several new phishing campaigns that demonstrate a more sophisticated and targeted approach to social engineering by threat actors.

For example, on Monday Trustwave wrote about the Carbanak gang targeting the hospitality and restaurant sectors. The actors began the attack by using public tools such as LinkedIn to find the names of company department heads or other key employees. Then they called the organization’s customer service line and claim that they were having difficulties with the online registration system and ask to send the information via email. They would spend a significant amount of time on the phone with the employee — often dropping those researched names in order to build trust — until the employee eventually opened the malicious Word document attached in the email.

Finally, the organization would be infected with malware capable of stealing system information, taking desktop screenshots, and downloading additional tools such as point-of-sale malware.

Targeted Social Engineering Becomes Less Direct

Other threat actors are shifting towards similarly indirect paths of compromise — beginning their attacks with a message, or several messages, designed to build trust before attempting to cause harm. This is the case with recent business email compromise (BEC) scams, which the FBI has repeatedly warned is a growing problem for organizations.

“In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions,” SurfWatch Labs noted in a blog post about the FBI’s July alert. “The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.”

However, Symantec recently warned that BEC scams had shifted to a less urgent approach. Instead, most BEC scams now begin with a simple introductory message before requesting a fraudulent wire transfer, as this email exchange demonstrates:

2016-11-16_becEmail.png
An actor using an informal introduction before going on to a more traditional wire transfer request, as shown by Symantec.

In June, shortly before the FBI’s last BEC warning, just 20 percent of BEC emails began by inquiring about the recipient’s availability — with the rest directly requesting a wire transfer, according to Symantec. By October, 60 percent of the emails began with the more indirect approach of inquiring about the recipient’s availability.

A Look at SurfWatch Labs’ Threat Intelligence Data

Warnings of targeted attacks like the ones described above have led to spear phishing being the most common practice tag related to social engineering over the past 90 days, according to SurfWatch Labs’ data.

2016-11-16_socialengineering.png

A wide variety of industry groups have been tied to spear phishing threats over the period. However, the most talked about cybercrime stories of the past month may have been the hacking and publication of emails from the Democratic National Committee and Hillary Clinton’s campaign chairman John Podesta, as well as what role those breaches had in shaping the recent US presidential election.

2016-11-16_socialengineering2.png

In those cases, the leaks have been tied to spear phishing emails from Russian hacking group Fancy Bear, one of the most prominent hacking groups related to spear phishing over the past 90 days, behind only Peter Romar, a 37-year-old Syrian national who recently pled guilty to his role in the Syrian Electronic Army.

2016-11-16_socialengineering3

Those Fancy Bear attacks used a particular tactic: the use of shortened URLs. As Esquire’s Thoma Rid wrote explained, those shortened URLs both tricked users into clicking malicious links at an alarming rate and, ultimately, helped researchers uncover the actors behind those targeted attacks:

To manage so many short URLs, Fancy Bear had created an automated system that used a popular link-shortening service called Bitly. The spear-phishing emails worked well—one in seven victims revealed their passwords—but the hackers forgot to set two of their Bitly accounts to “private.” … Between October 2015 and May 2016, the hacking group used nine thousand links to attack about four thousand Gmail accounts, including targets in Ukraine, the Baltics, the United States, China, and Iran. … Among the group’s recent breaches were the German parliament, the Italian military, the Saudi foreign ministry, the email accounts of Philip Breedlove, Colin Powell, and John Podesta—Hillary Clinton’s campaign chairman—and, of course, the DNC.

These breaches highlight some of the ways in which social engineering has continued to affect organizations across all sectors and how new techniques are incorporated in order to make it harder for individuals to detect suspicious activity.

That’s why training and awareness is often touted as the most important and cost effective step in combating social engineering, as we noted in a prior social engineering blog. Having the proper tools and training, along with up-to-date threat intelligence to inform them of the latest threats, can help organizations and their employees provide a better front line of defense against the evolving techniques used by threat actors.

Fraudsters Exploit Hurricane Matthew to Create More Victims

Hurricane Matthew is over — having been officially downgraded on Sunday — and a clearer picture of the aftermath has begun to emerge. More than 1,000 people were killed by the hurricane, including at least 35 in the United States. Although the storm has moved out to sea, flooding continues here in the U.S., and in Haiti, which was hit hardest by the storm, officials are warning of the possibility of starvation and the spread of Cholera.

With the world’s attention focused on the natural disaster, cybercriminals are once again capitalizing on the devastation with a wave of phishing attacks and other scams. The South Carolina Emergency Management Division is warning Hurricane Matthew victims to be wary of any emails, phone calls and text messages — as well as scams impersonating one of the thousands of disaster workers expected to travel to the state.

US-CERT is also warning of deceptive donation requests that attempt to steal financial information from those who wish to help the victims.

HurricanePhishign.PNG
Alert from US-CERT

As US-CERT noted, this type of activity commonly occurs after natural disasters. Cybercriminals are always looking for new individuals to target, and national disasters provide a large bucket of concerned people that can potentially be exploited.

Similar warnings were issued following:

  • August flooding in Louisiana, which led to concern over fraudulent charity requests that attempt to steal personal and banking information or infect devices with malware.
  • The May wildfire in Alberta, Canada, which forced 90,000 people to evacuate and led to individuals impersonating evacuees and using fake websites and Go Fund Me pages to mimic disaster relief programs.
  • April floods in Texas, which FEMA warned would likely lead to scammers impersonating building contractors, FEMA employees, and volunteer groups in order to steal sensitive personal information.

“Fraud is an unfortunate reality in post-disaster environments,” said National Insurance Crime Bureau CEO Joe Wehrle in a press release warning of Hurricane Matthew rebuilding scams. “The last thing victims of disaster need is to be victimized again.”

As SurfWatch Labs noted earlier this year, social engineering is one of the most difficult problems related to cybersecurity. It’s also one of the most common tags in SurfWatch Labs’ cybercrime data.

2016-10-12_socialengineering
Email phishing remains the most common form of social engineering due to the ease of targeting a large number of potential victims.

Social engineers often use a few simple and effective tactics in order to dupe their victims. These include having a simple backstory, appearing as though they belong and projecting authority.

One of the reasons cybercriminals capitalize on events such as Hurricane Matthew is that it is very easy for them to use that trifecta of tactics. The natural disaster provides an instant backstory that is immediately understood by a large number of people. People are expecting to see a wide variety of victims and volunteers both seeking and offering help, so its easy for fraudsters to appear as though they belong. Victims are expecting to have to deal with authority figures, making it easy to impersonate government officials, insurance agents or other disaster workers.

Some tips to help stay safe when it comes to social engineering include.

  • Never click on links or open attachments unless you know who sent it and what it is. Malicious email attachments and links are among the most common ways for cybercriminals to spread malware and steal information.
  • Never reply to emails, text messages, or pop-ups that ask for personal information.
  • Cybercriminals may use a combination of fraudulent emails and phone numbers to increase their appearance of authority. Always verify that communication is valid by contacting the organization directly before providing any sensitive information.
  • If donating to a charity, make sure it is one you know and trust. The FTC recommends checking out charities via the Better Business Bureau’s (BBB) Wise Giving Alliance, Charity Navigator, Charity Watch or GuideStar.

Typosquatting: Easy Attack Vector That Produces Results

Every week here at SurfWatch Labs our team of threat analysts write about new vulnerabilities, malware developments and cyber-attacks.  One attack vector that is not mentioned very frequently but can be a significant threat for organizations and consumers alike is a technique called typosquatting.

Typosquatting is an attempt to trick users into thinking they have landed on their desired website, but in reality the user has landed on a website with a similar looking domain name that is controlled by cybercriminals. It’s an old technique, and security-conscious organizations often try to secure those domain variations that arise from typos.

However, a study last year described how companies remain vulnerable to typosquatting and found that most organizations do very little to protect their customers from the threat.

Key findings from the study:

  • Few trademark owners protect themselves against typosquatting by defensively registering typosquatting domains for their own domains.
  • The study found that 95% of the most popular 500 websites researched were targeted with typosquatting.
  • Hackers are increasingly targeting longer domains.
  • Some companies secure potential typosquatting domains but then choose not to renew them, leaving them vulnerable.

TypoSquatting Attack Example

A great example of a typosquatting attack was used against the popular online first-person shooter game Counter-Strike: Global Offensive. The hackers set up a convincing spoof, tricking gamers into believing they were on a legitimate site for the game. The fake site was listed as csgoloungcs.com, while the legitimate site is csgolounge.com.

Not only were visitors of the fake site tricked into sharing their login credentials, a Trojan downloader was pushed on them, leading to malware infections.

Another example found malicious actors taking advantage of the .om top level domain. Earlier this year, Netflix users who mistyped the address as netflix.om were redirected to a fake Flash update page.

Typosquatting is one example of the many opportunistic type of threats facing organizations. It doesn’t require sophisticated techniques, and it’s an easy way to leverage popular brands in order to entrap customers who aren’t aware of such scams.

Typosquatting scams can lead to a variety of consequences for users — from account takeover to identity theft — and those consequences can easily spill over to the organizations being impersonated in the form of disgruntled customers, bad press, or having to deny a breach when stolen credentials are put up for sale on the Dark Web.

All that trouble can be largely avoided by being vigilant about identifying common typographical mistakes related your organization’s domains and purchasing them to keep them out of malicious actors’ hands.

BEC Scams Continue to Plague Businesses

In a year where ransomware is receiving massive amounts of attention, there is another threat that continues to grow – Business Email Compromise (BEC) scams. The FBI has issued two warnings about this threat in 2016. The first warning was bad enough, with the FBI estimating BEC scams have accounted for about $2.3 billion is losses from 17,642 victims. Unfortunately, the latest warning has increased these figures.

The FBI is now saying that money lost from BEC scams is over $3 billion dollars, with more than 22,000 victims falling prey to this attack.

“The BEC scam continues to grow, evolve, and target businesses of all sizes,” the FBI warning read. “Since January 2015, there has been a 1,300% increase in identified exposed losses.”

The warning went on to say that victims of BEC scams have appeared in all 50 U.S. states as well as 100 countries throughout the world. Another noteworthy piece of information is where the money lost in these scams is ending up.

“Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” the alert read.

In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions. The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.

Money is the ultimate goal of a BEC scam. Many cases involve attempting to create a scenario where a money transfer takes place. The 2015 tax season demonstrated a new method for BEC scams — W-2 data theft.

Tax fraud was abundant in 2015. In many of these documented events, a BEC scam was used to compromise company W-2 information.

“Fraudulent requests are sent utilizing a business executive’s compromised email,” the FBI alert stated about BEC data theft scams.

“The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.”

The alert from the FBI pointed out that BEC scams aimed at obtaining data first appeared during the 2015 tax season.

Employees are the primary targets of BEC scams. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

What Can We Learn About Social Engineering From Impersonation?

With organizations losing billions of dollars due to business email compromise scams and thousands of employees having their W-2 information sent to criminals each week, it can be easy to think, “How can people be so dumb and keep falling for these same tricks?”

When it comes to socially engineering an employee, most people think of email phishing
— and last week we discussed some ways to defend against those threats — but I think the best way to truly understand those cyber threats is to first remove those technology aspects and look at one of the oldest cons around: impersonation.

I love a good impersonation story. Don a disguise. Create a good backstory. Trick some people into doing something they shouldn’t.

It makes for great drama.

Unsurprisingly, when researching how businesses are being compromised by social engineers, nearly all of my favorite examples involved the tactic. Impersonation stories are important because they highlight how simple and effective techniques can be used to lead to a major compromise at an organization.

For example, Christopher Hadnagy, CEO of Social Engineer, Inc., recounted on our social engineering podcast how two ticket-less fans were able to watch the Super Bowl from $25,000 seats by sneaking into the event with a group of first aid workers and then simply acting “super confident.”

Likewise, Chris Blow, a senior advisor at Rook Security, likes to pretend to be an exterminator to test a company’s security. In one instance, he was thwarted by a well-trained receptionist who noticed the con; however, all he had to do was drive around back and find more “helpful” employees — who then let him into sensitive areas where he could access a variety of valuable information.

They Literally Handed Him Their Money

My favorite social engineering story occurred decades before email became popular and everyone learned of the term “phishing.” It was done by conman turned FBI consultant Frank Abagnale, who claims to have duped dozens of individuals into handing him their businesses’ money simply by posing as a security guard.

As the story goes, Abagnale noticed how car rental companies would deposit their money in an airport drop box each night, so he bought a security guard outfit and put a sign over the drop box saying “Out of service, place deposits with security guard on duty.”

According to his autobiography, he stood there amazed as people handed him a total of $62,800.

You may hear that story and wonder why all of those people would trust some random guy with a sign. But is that any different than the cybersecurity pros today who are dumbfounded when a person gives their password to an “IT guy” over the phone? Or when an employee hands over their credentials because an email told them to do so?

Simple, effective scams work, have always worked, and when done in person by a skilled social engineer, can be even more effective.

Defending Against Social Engineering

What can we learn from these impersonators?

For one, social engineering is very effective, which is why the FBI and others are warning of a dramatic increase in business email compromise (BEC) scams. From October 2013 through February 2016, from just this one type of social engineering, there were more than $2.3 billion in losses across 17,600 victims.

Scam artists understand precisely how easy it can be to dupe people, and the same techniques are used in social engineering via phishing and phone. The story above is one of my favorites because Abagnale combines three of those common tactics in one scam: a simple backstory, appearing as though he belongs, and projecting authority.

  1. A Simple Backstory — Whether in person, over the phone or via email, scammers will have all sorts of stories that prey on people’s desire to help. Those handling sensitive information such as W-2 information should always be skeptical about who and why they are sharing that information, but that is often not enough. Having clear policies for employees to fall back and procedures for sharing sensitive information on can help ensure an employee does not get duped due to their desire to be helpful.
  2. Appearing as Though They Belong — As the FBI noted in a BEC warning, it’s important to know the habits of customers, coworkers and vendors and to beware of any significant changes. A person may appear as though they belong by impersonating those who have legitimate access. In some BEC attacks, the malicious actors compromised email accounts and waited for weeks or months to learn the communication habits before attempting their scam. Employees should be encouraged to report any suspicious activity and be continuously trained so that the front line of defense is armed to look out for the latest and most relevant social engineering threats.
  3. Projecting Authority The impersonation of authority figures is a large reason for the billions of dollars being lost to these social engineering scams. Just because a call or email appears to come from the CEO or other figure, be wary of any attempts to disclose data or gain access. Authenticating important requests through several channels such as both email and phone can help to prevent many social engineering attempts.

People want to be helpful. They tend to trust others. Good social engineers exploit those tendencies. The influx of technology has only expanded the reach of scam artists; the techniques remain the same. If an organization and its employees understand why social engineering works, then it’s much easier to combat some of those common tactics and keep the business safe.