Social engineering attacks leverage the natural weaknesses of human psychology to reach restricted data and systems by impersonating someone with legitimate access. It is in our nature to want to help someone who makes a polite and seemingly well-intentioned request; to get them out of trouble and to save their day. We base our trust in the message, in attributes that are sometimes easy to fake; like email addresses, graphical signature components, caller IDs displayed on a phone’s screen, or company stationery on which a letter is printed.
On top of that, we tend to feel awkward having to confront someone and showing our distrust. This is especially true when that someone seems to be higher up in the organization’s hierarchy, and if we think they could potentially retaliate if we don’t just let them go about their day. Another common factor is time pressure. The more urgency and stress accompany a request, the less time we have for consideration, and the more our judgement is impacted by rushing.
As companies were thrust into remote working almost overnight, many internal processes, that would normally have involved a face to face conversation, have moved online, with little consideration for security.
The banking details amendment process is one of them. It allows employees to notify their employer of a change in the bank account to which they’d like their salary to be wired to. Back in the pre-pandemic days, such processes could have involved a written and signed form, or even a personal visit to the HR or Finance Department.
Therefore, in such cases there were already multiple layers of security controls reducing the risk of fraud. If someone wanted to impersonate an employee to scam the company, they would have to gain physical access to the office, research the process for banking details amendment, risk being recognized as an imposter by staff throughout the operation, and risk being recorded on CCTV. With remote working in place, a simple, well-formatted email sent to the right inbox is often all it takes for a salary to end up in a fraudster’s account.
Another way that attackers exploit the current chaos is by targeting VPN access that companies have set up to support remote working. With little time to do proper technical setup, let alone user training, many organizations have ramped up VPN utilization. This has caused helpdesks to be flooded with calls from frustrated users, trying to urgently set up or restore access. By simply calling the helpdesk and pretending to be an employee, criminals can trick your support staff into bypassing many procedural and technical measures that were put in place to prevent unauthorized VPN use.
For example, you may require a physical token to connect, one that would normally be given out to the colleague by their Line Manager. How do you adapt the process to still verify the recipient’s identity now that you have to send it by courier mail?
These types of attacks are notoriously effective and difficult to prevent purely by using technical measures. As long as security controls rely on humans, prone to manipulation by attackers; social engineering attacks will succeed, bringing losses in money, reputation, and staff morale.
We believe there are four components to the solution which, applied together, help reduce the risk.
The first is training and awareness. Organizations that teach staff about these dangers and provide engaging, informative content to make the learning experience seamless and fun, tend to see a reduction in successful attacks. Employees are better equipped to spot malicious attempts.
The second factor is security culture. Organizations can protect themselves by making security everyone’s responsibility and by fostering an environment where double-checking the validity of someone’s request, regardless of seniority, is seen as being prudent, rather than obtrusive.
The third is risk-based business process design. Making sure that crucial security checks are embedded into the ways business tasks are accomplished and adapted to changes in circumstances, such as shift towards remote work.
The fourth and final component is automation. By removing the human from the process, we can eliminate its susceptibility to social engineering altogether.
Along with a thorough security audit, we can help build a complete picture of your social engineering readiness. Then, our security specialists can help you develop all four components of an effective social engineering response strategy: an awareness program, a cultural shift, a redesign of crucial processes, and an automation initiative.
Establish and introduce the strategy with Lingaro to safeguard your organization during the times of the pandemic and beyond.