By Edwin Doyle, Global Cyber Security Strategist, Check Point Software.
This social engineering 101 tale of woe could happen within any organization, including those that maintain cyber security awareness and education programs. Avoid falling for this kind of scam and be sure to share these insights with your employees and peers.
The illusion of legitimacy
In 2020, a well-known firm’s employee received an email from a vendor stating that, due to COVID-19, the vendor would no longer accept paper checks. Instead, the vendor suggested a wire transfer. The amount due was $900,000.
Because this was a substantial request, the employee moved to carefully verify the information. Upon seeing the info in the system, it appeared true – the company did owe the vendor the requisite sum.
The illusion of legitimacy also stemmed from the fact that an email thread with this vendor had been in continuation for months. The vendor’s email address checked out.
Because the employee had never actually spoken to the vendor, the employee decided to give the vendor a call. The call recipient confirmed that because everyone was working from home, they were no longer engaged in regular banking activities; thus the request for a new means of payment.
Initially, everything checked out. But days later, everyone realized the scam.
Given that the employee did correctly follow appropriate procedures in verifying the legitimacy of the vendor, how could the employee have spotted this scam ahead of time?
Don’t trust, always verify
The “don’t trust, always verify” axiom seems to fall short in cases like the one above – until you look more closely and see that the employee called the vendor on the phone number provided in the fraudulent email.
As it turns out, the scammers had accessed the vendor’s inbox and provided the employee with a fake phone number to call. In verifying the authenticity of requests, especially those involving financial resources, always call the phone number listed in your organization’s vendor management system.
On a related note, should you receive an email requesting for your organization to “update” or change any information within your vendor management system, verify the legitimacy of the request through all possible avenues ahead of actually making the changes.
Social engineering 101
Ninety-eight percent of cyber attacks rely on social engineering. Humans are easy to manipulate, as humans naturally want to be helpful. In the workplace, people are often exceptionally altruistic, kind, obedient and eager to move projects forward. This makes social engineering simple for hackers.
Cyber threat actors have found that digitally hacking a human is an efficient way to hack an enterprise. Nonetheless, there are ways to protect yourself, your colleagues and your organization when it comes to social engineering.
Social engineering survival tips:
- Slow down. The employee in the social engineering 101 story took the time to verify information; looking at the data in a company system, the email sender’s address, and taking the time to call the vendor. These steps can protect you and your organization from basic forms of digital fraud.
- Identity verification. Ensure that the individual with whom you’re in contact is indeed who they purport to be. Email hijacking is relatively common. In the event that you receive a request that comes from a familiar person or vendor, call the sender using the contact info in your company’s database. For extra security, schedule a brief virtual face-to-face call with both the person in question and someone within your organization who has interacted with them previously.
- Email security software. Ensure that your organization uses effective email security software. While you may not have control over this personally, you can always inquire about it with your IT team, and ask about the extent to which the software filters out malicious emails and/or protects you from certain kinds of fraud.
Social engineering 101: Further thoughts
It is only a matter of time before you or your colleagues are targeted by sophisticated social engineers. One of the best means of protecting your people, processes and technologies includes regular end-user training and the dissemination of awareness information. Be sure to share this article with those who need to help defend your organization against the next wave of super savvy social engineers.
Did you like this social engineering 101 piece? For more cyber security awareness insights, see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.