Joe Ferrara stresses that organisations need to continuously assess, train, reinforce the security message, and check how much users have learnt regarding social engineering threats.
As infosec professionals seek more effective technical safeguards to guard against cyber-attacks, it's important to consider the decidedly non-technical tools that cyber-criminals are using to infiltrate networks and obtain data and access. With the dramatic increase in the number of avenues available to obtain personal details about employees at all organisational levels, it is much easier to lay the groundwork for a convincing attack. Social media — at its very core a medium that is rooted in sharing personal and professional data — has become a staple for cyber-criminals because it offers a virtual treasure trove of readily accessible information. Attackers can quickly and easily create profiles of their targets to exponentially advance the believability of phishing emails, smishing (SMS/text phishing) messages, and vishing (voice phishing) calls.
BEC Attacks: A Perfect Storm of Social Media and Social Engineering
Business email compromise (BEC) — also known as email account compromise (EAC) — is the surest example of the success cyber-criminals are having at applying publicly available information to social engineering scams.
BEC/EAC attacks generally target multinational organisations, with cyber-criminals exploiting employees who are likely to have clearance to send wire transfer payments. Social media and online channels are used to identify targets, and social engineering attacks are used to gather information or facilitate access. In most cases, attackers impersonate executives (often CEOs or CFOs) or other trusted figures (solicitors, controllers, or suppliers) via a spoofed email during the final attack phase. Relationships are often established over time to build trust, with the ultimate goal being to convince targeted employees to complete a fund transfer.
BEC/EAC attacks have become lucrative for cyber-criminals worldwide. The Federal Bureau of Investigation (FBI) in the US released a public service announcement in early May that revealed sobering statistics:
What is likely frustrating infosec teams is that, despite increased media coverage of BEC/EAC threats, these attacks continue to grow. That's because awareness alone cannot change end-user behaviours. One simple reason is that these attacks take advantage of fundamental business processes and power structures. We are not conditioned to say “no” to authority figures, particularly in a work setting. When employees think the CFO, CEO, or another powerful stakeholder is making a request, they are likely to comply and wire funds to an attacker's account. Unfortunately, once transferred, the funds are quickly moved on and often never recovered.
Mitigating the Threat through End-User Education
To effectively guard against BEC/EAC and other cyber-attacks, organisations must go beyond awareness initiatives and help end users actually make good security decisions and improve their cyber-hygiene. Beyond the rates of successful attacks, there are other clear indicators that employees do not have a good grasp of fundamental cyber-security principles, including safe posting to social channels. Safe use of social media was the top knowledge gap identified in Wombat Security's 2016 Beyond the Phish Report, with end users missing more than 30 percent of the questions asked about this topic. And a recent survey of 2,000 working adults — 1,000 in the UK and 1,000 in the US — for Wombat's 2017 User Risk Report found that 25 percent of UK respondents and 57 percent of US respondents believe that social media business pages are approved by Facebook, Instagram, et al. prior to being published.
It is an unfortunate truth that the widespread use of applications like Facebook, LinkedIn, and Google lures users in, making them feel safe when sharing and clicking. Cyber-criminals use this to their advantage, regularly mining these platforms for data. End users don't understand that oversharing on these channels can compromise more than their reputation. As cautioned in an April 2017 New York Times article, the recent “10 Concerts” meme (and countless others before and since) seems harmless, but it can reveal answers to the “secret questions” websites pose to confirm the identity of online users.
The more connected we become, the more important it is for organisations to ensure that end users clearly understand how to protect corporate and personal data. Many enterprises invest in expensive security infrastructure, only to be breached by an employee sharing information freely on social media or clicking a phishing email. Because social engineering threats only succeed if users fall into the trap, organisations must prioritise end-user risk management. The best way to do that is to deliver ongoing, in-depth security awareness and training: assessing knowledge levels, educating on key topics, reinforcing the message, and evaluating how much users have learned. The moral of the story is that education is key.
Contributed by Joe Ferrara, president and CEO, Wombat Security Technologies