You walk into the office on Monday morning, and the first thing your colleague says is:
“Did the password I sent you this weekend work to get into the accounting files?”
You have absolutely no clue what they’re talking about, so you look at them in confusion. Your colleague goes on to say,
“The password? The one you emailed and asked me to send you Saturday afternoon?”
Just as before, you have no idea what your colleague is talking about. This is about the time you start Google searching phrases like:
- “How to know if my email account has been hacked?”
- “What to do if my email account has been hacked?”
You’re starting to realize that your email has been hacked, or your co-worker has been phished, and your company has been the victim of a social engineering attack. Unfortunately, these kinds of scenarios are more and more common. Malicious actors looking to harm your business have determined that employees are the weakest link in your cyber security strategy.
They may email an employee from your email account after they’ve gained access to it, or from an email address very similar to yours (this is called a look-alike attack), asking this employee for access or the password to very sensitive information. They try to get your employee to react with urgency by saying something along the lines of “I need access to the database to gather some information needed to close out an important project that’s due today!” Your employee responds very quickly, thinking they are just being a good team player. However, this quick action could have just caused significant damage to your brand reputation, client information, trade secrets, finances, and more.
What is Social Engineering?
Social Engineering is a malicious practice used to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. These attacks are focused on gaining access to email accounts, cloud services, and file shares, and on gaining remote access to networks. Attackers do it to make money: by stealing data and holding it to ransom, by impersonating you and your staff, and by accessing sites in your name. They have learned that traditional “hacking” takes a lot of knowledge and work – plus they’re up against well-funded multinational software and security firms.
As with any kind of risk in your business, the first step is to raise your awareness and then to train your staff about the risks inherent in sharing too much information.
Types of Social Engineering
Phishing Attacks are when a malicious email arrives in your mailbox pretending to be from a well-known and reliable source. Often these emails will look legitimate and try to convince you that you need to visit a website to update your account information. This secondary website often looks very convincing and will capture any information you enter so that the attackers can use it against you in the future. Often you can identify these phishing emails because they contain simple mistakes. A general rule of thumb is that any change to payment details should be confirmed by a secondary method, like a phone call directly to your client contact.
An online diversion theft scheme involves misleading the victim into emailing or sharing personal information with the wrong person in order to obtain sensitive information. In many cases scammers may pretend to be your accounting or IT firm. We’ve seen many versions of this kind of attack where the bad actors register a similar domain name with one different letter, so that at first glance it looks like a match. Again, it is important to be vigilant: compare writing styles, grammar, and domains, and confirm by phone if you’re suspicious.
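The “one letter different” domain check described above can be automated on the receiving side. The following is an added example, not code from the original post or from Tier 3 IT Solutions; the trusted domains and the sample addresses are constructed placeholders. It compares the sender’s domain against a list of domains you actually do business with, first folding common look-alike substitutions (such as “rn” for “m” or “0” for “o”) and then measuring edit distance, so a near miss is flagged for manual verification rather than trusted at a glance.

```python
"""Flag sender domains that resemble a trusted domain without matching it exactly.

Added illustration for the look-alike domain discussion; the trusted
domains and sample addresses below are constructed, not real organisations.
"""
from email.utils import parseaddr

# Domains you genuinely correspond with (constructed placeholders).
TRUSTED_DOMAINS = {"example-accounting.com", "example-it.ca"}

# Character swaps that are easy to miss at a glance in a domain name.
# Each key is replaced by its value before comparison.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize(domain: str) -> str:
    """Lower-case the domain and fold visually confusable sequences."""
    folded = domain.lower().strip(".")
    for look_alike, canonical in CONFUSABLES.items():
        folded = folded.replace(look_alike, canonical)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, start=1):
        current = [i]
        for j, char_b in enumerate(b, start=1):
            substitution = previous[j - 1] + (char_a != char_b)
            current.append(min(previous[j] + 1, current[j - 1] + 1, substitution))
        previous = current
    return previous[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower()


def check_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Classify a sender as 'trusted', 'lookalike', or 'unknown'.

    Returns (verdict, trusted_domain_it_resembles_or_None). A 'lookalike'
    verdict should trigger out-of-band verification, e.g. a phone call.
    """
    domain = sender_domain(header_value)
    if domain in trusted:
        return ("trusted", domain)
    folded = normalize(domain)
    for known in sorted(trusted):
        if folded == normalize(known) or edit_distance(folded, normalize(known)) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From: headers exercising each verdict.
    for sample in (
        "Accounts <bob@example-accounting.com>",   # exact match
        "Accounts <bob@exarnple-accounting.com>",  # 'rn' masquerading as 'm'
        "Accounts <bob@example-acounting.com>",    # one letter dropped
        "Newsletter <news@totally-different.org>", # unrelated sender
    ):
        print(sample, "->", check_sender(sample))
```

Run it as a script to see each sample classified; in practice you would call `check_sender` from a mail filter or a ticketing hook and route every `lookalike` result to a human for the phone-call confirmation the post recommends.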
Baiting is similar to phishing in many respects. The distinction is that baiting entices victims by promising an item or good. Baiting efforts, for example, may employ the offer of a gift card or concert ticket to deceive people into giving up their login information. We also see these with malicious attachments that are made to look like an RFP package or request. When you open the document there might be a link to a malicious site, or the document may ask for a password; this is how they trick you into sharing personal data.
Vishing is becoming more common as well and uses many of the same tactics, but is done with phone calls instead of email. The attackers use the phone calls to collect information about you and your company – knowing things like when someone has taken a holiday, who they work with for approvals, and even who their other partners are can all be used to build a more convincing attack. The information gained through the phone calls is often used to craft the email, and this is when Phishing turns into Spear Phishing, which is simply much more targeted and convincing.
These are just a few of the many types of social engineering scams. Hackers are getting more creative with how they try to gain access to your accounts. If you are not 100% confident that your business and its resources are protected, give us a call or send us an email to discuss how we can help protect your business and its resources.
Social Engineering Real World Examples
MacEwan University Scammed out of $11 million
The University was undergoing significant construction and the team at MacEwan received an email request to change the payment account for one of the contractors. Unfortunately, the staff failed to verify the legitimacy of this request and MacEwan University was defrauded of $11.8 million in 2017. Luckily for the University, much of these funds were later recovered, but it exposed a weakness in their procedures and brought them into the national spotlight for all the wrong reasons.
Google & Facebook Scammed out of $100 million
Between 2013 and 2015, a man named Rimasauskas and his team set up a fake company that impersonated Quanta Computer, who regularly did business with Facebook and Google. They would phone their targets regularly to gather as much information about their contacts, roles, and processes as possible. The scammers then sent phishing emails to very specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided, directing them to deposit money into their fraudulent accounts.
Ultimately, Rimasauskas and his associates conned the two tech giants out of over $100 million – a significant sum by any measure! The law caught up with him and he eventually pleaded guilty, had to return $50 million, and was sentenced to 5 years in jail.
Grandparents Scammed Out of Thousands
On a more personal note, the Edmonton Police Service has received dozens of reports of fraudulent phone calls received by area grandparents, in which the caller claimed to be a grandchild who had been arrested or was in an accident and needed money urgently. Unfortunately, these grandparents were duped out of thousands of dollars simply because they wanted to help a family member, didn’t have a way to verify the caller, were pressured into a bad situation, and just weren’t aware that someone would take advantage of them in this way. These local scammers got away with at least $25,000, and we can be sure there are many more cases that weren’t reported at all. The lesson here is to always be vigilant and verify the caller through another method.
Yes, these attacks can be scary for business owners and managers, so it is imperative that you train your staff to spot and avoid these kinds of attacks. Working with a skilled and experienced team like Tier 3 IT Solutions can put your business on the right track to protect your information and data. If you’re ready to improve the cyber and information security in your business, visit our website, give us a call, or contact us to discuss further.