Social Engineering – Security’s Big Problem and How to Fight Back

Pick any recent data breach. It could be a high-profile one or one of the many that never make national headlines. If we were to follow the string of events back to the beginning of that compromise, what would we find?

Chances are, it’s an employee getting duped by a cybercriminal.

In fact, one could make the case that social engineering is the single biggest issue facing organizations when it comes to cybersecurity. No matter how big of a fortress you build, all it takes is one employee to open the gate and let the bad guys walk into the heart of a business.

One of my favorite cartoons sums up the issue facing businesses:

Source: John Klossner

With all of the recent W-2 breaches in the news this year, I’ve been thinking once again about the issue of social engineering. What can businesses do? It seems every article I read only points out the problem and then makes vague references to “awareness.”

In 2015 SurfWatch Labs interviewed a variety of people to try to get to the heart of that question, and I think it’s a good idea to revisit that conversation eight months later. After all, it is a problem that will never go away.

Essentially, everyone agrees that a three-pronged approach is the key to limiting the success of cybercriminals using social engineering tactics:

  1. Use technology and tools to limit the exposure to social engineering
  2. Train employees so those social engineering attempts that do get through are less successful
  3. Realize that even the best trained organizations aren’t perfect, so have tools and a response plan in place to limit the potential damage

Let’s briefly expand on the first two points about prevention.

Limiting Exposure to Social Engineering

Technology is getting better at limiting users’ exposure. Take email as an example. In 2006 about 30 percent of an average Hotmail user’s inbox was spam — a huge problem. By 2012 that number was down to 3 percent. In July 2015, Google released its latest numbers, and less than 0.1 percent of the average Gmail inbox was spam.

The less malicious activity that gets through an organization, the less potential there is for an employee to make a mistake. There are several ways an organization can go about this goal, as have been outlined by many groups and organizations dedicated to fighting social engineering such as the Anti-Phishing Working Group.

Some best practices specific to phishing include:

  • Filtering and endpoint technologies – Filtering technologies are great at catching high-volume, low customization spam. Endpoint solutions can also combat things like malicious attachments.
  • Blocking images, links, and attachments – Disabling images and links in emails from untrusted senders can help users identify legitimate emails and prevent employees from clicking malicious links. Disabling Microsoft Office macros from Internet-obtained documents can help block a common attack vector that has led to many recent data breaches.
  • Web traffic filtering – There are many websites that are known to steal user credentials. These phishing websites are often collected into lists by both commercial vendors and free services like PhishTank. Blocking access to these sites can limit the opportunity for users to fall victim to social engineering.

Some other areas that can be useful in preventing social engineering include:

  • Authentication – Malicious actors will often impersonate others outside of email, so it is important to have strong ways to authenticate users.
  • Physical security – Physical security limits the ability for unauthorized individuals to access areas, eavesdrop on conversations, and use baiting (like dropping a malware-loaded USB stick). The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.

Training Employees and Raising Awareness

Even with security technology in place, employees will still make mistakes. Security company RSA learned this in 2011 when a phishing email targeting four low-level employees was caught by a filter and placed in their junk folders; however, one of the employees enticed by headline — “2011 Recruitment plan.xls” — retrieved it from the folder and opened the attachment, leading to a compromise that cost the company $66.3 million.

That is why training and awareness is often touted as the most important and cost effective step in combating social engineering. According to the 2016 Verizon Data Breach Investigations Report, 30% of phishing messages were opened and 12% went on to click the malicious attachment. And in 2016 phishing is on the rise, according to SurfWatch Labs data. Additionally, a recent Ponemon Institute study examining six proof of concept studies found that phishing training led to employee click rates being reduced between 26-99%.

This lead Ponemon to conclude, “Assuming a net improvement of 47.75%, we estimate a cost savings of $1.80 million or $188.40 per employee [for the average organization].”

Some of the do’s and don’ts of a good security training program include:

Social engineering is one of the biggest cyber threats facing organizations; however, many businesses devote relatively few resources to addressing this problem. Implementing  technology and tools to limit the exposure to social engineering and training employees may be the most cost effective way for many organizations to significantly improve their cyber risk.

W-2 Data Breaches Were Abundant During 2015 Tax Season

The 2015 tax season has ended, signaling a potential break in the number of tax-related data breaches we read about in the news. The list of companies suffering from these cyber-attacks seemed to grow weekly and nearly 100 companies have been publicly tied to W-2-related breaches in 2016. SurfWatch Labs collected a multitude of CyberFacts pertaining to W-2 and tax data breaches during the 2015 tax season.

2016-04-25_Tax_groups
Tax-related cybercrime impacted companies across a wide variety of industry groups in 2016.

The IRS, predictably, has the most CyberFacts related to tax and W-2 cybercrime in 2016. The IRS has suffered massive data breaches within the last year. In 2015, the IRS exposed 700,000 taxpayer accounts through its “Get Transcript” service. Last February, the IRS was breached again, with more than 100,000 stolen Social Security Numbers used to successfully access an E-file PIN. Events like these have lead to predictions that the IRS will lose $21 billion to cyber fraud and fake tax returns in 2016.

Surprisingly, the group Higher Education also received a lot of discussion, with the high profile W-2 data breach at the University of Virginia leading the way in terms is discussion.

2016-04-25_tax_itt
The chart above lists the top trending organizations pertaining to tax and W-2 cybercrime for the most talked about industry groups. The IRS garnered the most discussion of any organization. 

IRS and FBI Release Warnings About Tax Fraud

In March, the IRS released an alert about tax fraud which described various methods used by criminals to obtain W-2 and tax information. The alert provided information on several areas individuals and organizations leave themselves vulnerable to compromise:

Abusive Return Preparer
Taxpayers should be very careful when choosing a tax preparer. While most preparers provide excellent service to their clients, a few unscrupulous return preparers file false and fraudulent tax returns and ultimately defraud their clients. It is important to know that even if someone else prepares your return, you are ultimately responsible for all the information on the tax return.”

Abusive Tax Schemes
“Abusive tax scheme originally took the structure of fraudulent domestic and foreign trust arrangements. However, these schemes have evolved into sophisticated arrangements to give the appearance that taxpayers are not in control of their money. However, the taxpayers receive their funds through debit/credit cards or fictitious loans. These schemes often involve offshore banking and sometimes establish scam corporations or entities.”

Nonfiler Enforcement
“There have always been individuals who, for a variety of reasons, argue taxes are voluntary or illegal.  The courts have repeatedly rejected their arguments as frivolous and routinely impose financial penalties for raising such frivolous arguments.  Take the time to learn the truth about frivolous tax arguments.”

The FBI also released a warning in March related to the rise of Business Email Compromise (BEC) scams targeting businesses and individuals within organizations. BEC scams have gained notoriety for defrauding organizations out of money. However, BEC scams can also be used to obtain information from organizations — including W-2 and tax information.

“Based on complaint data submitted to IC3, B.E.C. victims recently reported receiving fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information prior to a traditional BEC incident,” the warning read.

A “traditional” BEC attack starts with a fraudulent request that is sent utilizing a high-ranking executives spoofed email. In this case, the email is sent to a member of an organization who handles employee W-2 and tax information. The email will appear to be an urgent message requesting all employee W-2 information.

This is what happened at Sprouts Farmers Market, which is facing a class action lawsuit after an employee fell for a BEC scam and forwarded W-2 information on all 21,000 of the company’s employees to a malicious actor.

Protecting Yourself From Tax Fraud

One of the biggest vulnerabilities we face concerning our data is that it is handled by other human beings. Humans make mistakes, and cybercriminals capitalize on this. Since corporations cannot guarantee your data will be safe in their hands, you must remain vigilant and prepare yourself for the possibility that your tax information could be stolen.

Here are a few tips on protecting yourself from tax fraud in 2016:

File Your Taxes Early: The early bird gets the worm; this also rings true when filing tax returns. If you file your tax return before a criminal does you’re in a much better position, as the tax return will already be marked as filed, preventing anyone else from filing a tax return with your credentials.

Avoid Password Reuse: Poor password management is one of the leading problems in cybersecurity. Remembering passwords can be cumbersome, so we do what is in our nature — we take shortcuts. Unfortunately, taking shortcuts on password management can lead to many problems. Employees have historically been shown to use the same password across several accounts, which could leave an organization vulnerable to compromise. In this scenario, a cybercriminal could obtain an employee’s login credentials from another site (Facebook is a good example) and use it to log into several accounts — even the employee’s account within an organization. Make sure employees are aware of the problems with password reuse. Also, make sure passwords are utilizing capitalization, numbers, symbols and are at least 8 characters long. Organizations can take this one step further and enable two-factor authentication, which would require an additional login step before employees, or malicious actors, could access accounts.

Educate Employees About BEC Scams: Employees are one of the primary targets in tax fraud. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

Deploy Security: While there are plenty of examples that show security tools are not a 100% guarantee of protection, features such as firewalls and antivirus software are paramount when it comes to securing your data. It is also important to make sure these tools and other software — such as your operating system — are current on updates. The latest updates could provide patches to vulnerabilities in older versions of the software.

Gone Phishing in Q1 2016

We’re already a quarter of the way through 2016, and a clear trend is the rise of social engineering. Based on the cyber event data that we’ve collected, roughly 25% of all targets can be tied to a social engineering attack. This is the highest percent we’ve seen since the beginning of 2015, and over the last 6 months the share of social engineering attacks have doubled.

2016-04-04_ITT_socialengineering

Just a few examples of common social engineering practices include:

  • Phone calls from a “Microsoft customer support representative” who needs remote access to your computer to fix an issue
  • Leaving an infected USB stick in a parking lot that when found and inserted into a computer by an unsuspecting person, malware/spyware is dropped onto the machine

However, the largest percentage of social engineering attacks (25%+) revolve around different types of phishing. While email is the most common delivery method, phishing attempts are made through text messages, Facebook, etc.

Over the weekend I received several phishing emails from individuals I know. These emails weren’t spoofed to make it look like they were coming from people I know, but actually sent from their email accounts without their knowledge.

The emails were both related to a “signed document” that needed my attention — except I had no previous knowledge any e-docs to sign should be coming my way. Of course, that’s because they should not have been coming at all.

Having been in the security industry as long as I have, I am cautious (or some would say paranoid) — especially compared to friends and family who say they “get it,” but don’t really. Even still, these emails came from legit addresses from people within my circle, and the content within the emails also looked reasonable. Luckily, I knew better, but many don’t.

Here are some quick security tips to consider when it comes to phishing attacks:

  1. Watch out for spoofed email addresses. Confirm the sender of the email is an address you recognize/know. Don’t just check the name in the “From” field, but actually look at the email address. This tip would not have made a difference in the instance above, but it is still a good way to catch a phishing email.
  2. Do not blindly trust links within an email. Banks and credit cards are usually pretty good about directing you to type in the url to go to their homepage and how to navigate to a specific place if necessary, as opposed to including links in their communications to you. This is a good practice to follow with any emails that include links. In my situation the links sent looked like DocuSign links, with familiar DocuSign branding and all. But it was missing the security code. Links can also be spoofed, so make sure you know what it is you are clicking on before you click.
  3. If you have any questions, pick up the phone. Is a vendor asking you to provide information or is a contact of yours asking you to click on a link? Questioning it is good. Call the vendor or individual and have them confirm.

Social engineering is one of the trickiest types of attacks to prevent because it plays on human nature and less on technology. Looking at the intel so far in 2016, the bad guys are going back to a tried and true method for gaining access to sensitive information. Be aware and think before you click.