How To Safeguard Against Social Engineering Hacks

There’s an action movie caricature that often comes to mind when people hear the word “hacker”: A black-clad figure sits in a dark room, drenched in the pale blue light of five huge monitors. The figure types furiously, fighting through layer after layer of security. Dozens of dialogue boxes flash red and read, “ACCESS DENIED,” but the hacker just types faster and faster. Then, suddenly, the red boxes go green: “ACCESS GRANTED.”

This image is ridiculous on every level, but there’s one aspect I’d like to focus on: the notion that cybercrime is always a solitary, hacker-versus-machine enterprise. In the vast majority of cases, cybercriminals engage directly with human beings in an attempt to get them to divulge sensitive information, send money, or compromise themselves or their organizations in some other way. In the world of digital security, this is often referred to as social engineering, and it’s one of the most effective tools cybercriminals have.

Preventing Business Email Compromise (BEC)

Imagine a hacker infiltrating a CEO’s email account. After weeks or even months of surveillance (as the hacker learns about everything from the CEO’s usual salutations to personal details to textual idiosyncrasies), he sends the company controller, Rob, an email: “Hey Rob, I just got a call from Janet Smith, our point of contact at BigDudes Sporting Goods. Looks like they didn’t get our check, so they’re withholding that shipment we talked about last week. I need you to transfer the money ASAP. I’m attaching the amount, wire details, etc. I know you have a class tonight, but you need to get this done before you leave.”

Because the hacker uses familiar language and makes personal references, the controller assumes the email is legitimate and transfers the money. Little does he know, the whole thing was a scam and the money will soon be on its way to a foreign bank.

This is what’s known as business email compromise (BEC). According to the FBI, there were almost 80,000 incidents of BEC between October 2013 and May 2018, costing companies more than $12.5 billion. From December 2016 to May 2018, there was a 136% increase in losses incurred as a result of BEC attacks. If you asked the average person to name the most significant digital security threats, you can be almost certain that something like ransomware — which, according to the FBI, resulted in around $2.3 million in losses in 2017 — would make the list. But how many people know about BEC, which cost $675 million in the same year?

There are several ways to prevent BEC. First, make sure to use multifactor authentication (MFA), which verifies the identity of anyone trying to access important data by demanding multiple forms of evidence as to who they are. Second, don’t rely on forms of MFA that just use an SMS code — these can be hacked as well. Instead, use a secure MFA tool like Microsoft Authenticator. And third, whenever you’re asked to transfer money or confidential information, never assume that an email is legitimate. Pick up the phone and call the person who issued the request, preferably on his or her internal desk phone, as mobile devices can be compromised. Or better yet, if at all possible, confirm in person.

Spotting Spoof Extortion Attempts

While some cybercriminals exploit trust, others exploit fear. Picture opening your email inbox and seeing a subject heading like this: “I’m watching you.” After nervously clicking on the message, you’re told that a hacker has full access to your computer. He claims to have access to all of the contents of your hard drive and even has a collection of humiliating webcam videos.

You also see that the email was sent from your own account, which makes the other claims suddenly seem a lot more plausible. The hacker tells you he has a list of your contacts, and he threatens to send them a library of embarrassing material if you don’t provide $1,000 in Bitcoin.

Last year, the FBI reported that it had “recently received an increase in reports about extortion attempts received via e-mail and postal mail and using specific user information to add authenticity.” Many of these attacks are forms of “sextortion,” in which hackers threaten to publish revealing photos and videos or expose the victim’s history of pornography use. In some cases, the hacker demands nude photos and other obscene material instead of money. Young internet users are especially vulnerable to this form of exploitation, as they’re less inclined to doubt the claims of the attacker or seek help. This is why the work of organizations like Thorn, which combats sextortion against children by working with law enforcement agencies and raising awareness about the issue, is so crucial.

In the vast majority of these cases, the attacker doesn’t have access to the victim’s web history, photos and videos or anything else. He just wants to terrify the victim into compliance. While most people don’t respond to threats like these, hackers can send them to millions of people, which guarantees that they’ll get a few hits. And after the series of major data breaches at companies like Yahoo, Equifax and Marriott, there’s a massive influx of personal information floating around on the open internet. Hackers can leverage this information to convince people that they have access to far more material than they really do.

These are all reasons why the number of spoof email scams is rapidly increasing, but there’s no reason why anyone should fall for them. Let’s start with the threatening email that was allegedly sent from your own account — all you have to do is check the email headers to see where the message actually originated.
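As an added example that is not part of the original article, the Python script below performs the header check described above on two messages constructed for this purpose: a BEC-style wire request like the one in the earlier section (forged executive sender, lookalike reply address) and an extortion email forged to look as if it came from the recipient's own account. Every domain, host name, address and IP in it is a made-up placeholder, and the header layout follows the standard Received / Return-Path / Authentication-Results conventions rather than any particular mail provider.

```python
"""Inspect a suspicious email's headers to see where it really came from.
Added example, not code from the article; all sample data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: BEC-style wire request. The From header claims an
# internal executive, but Reply-To and Return-Path use a lookalike domain
# (digit zero for the letter o) and the claimed domain failed SPF/DKIM.
BEC_MESSAGE = """\
Received: from mail-relay.example-hosting.test ([203.0.113.45])
        by mx.acme-corp.test with ESMTP id abc123
From: "Pat Chief" <pat.chief@acme-corp.test>
Reply-To: pat.chief@acme-c0rp.test
To: rob.controller@acme-corp.test
Subject: Wire transfer needed ASAP
Authentication-Results: mx.acme-corp.test; spf=fail smtp.mailfrom=acme-c0rp.test; dkim=none
Return-Path: <pat.chief@acme-c0rp.test>

Hey Rob, please wire the attached amount before you leave tonight.
"""

# Constructed sample 2: extortion email forged to appear sent from the
# victim's own address. The earliest Received hop and the Return-Path
# reveal an unrelated external origin.
EXTORTION_MESSAGE = """\
Received: from mx.acme-corp.test (localhost [127.0.0.1])
        by mx.acme-corp.test with ESMTP id def456
Received: from vps-77.bulkmail-example.test ([198.51.100.7])
        by mx.acme-corp.test with ESMTP id ghi789
From: jane.doe@acme-corp.test
To: jane.doe@acme-corp.test
Subject: I'm watching you
Authentication-Results: mx.acme-corp.test; spf=softfail smtp.mailfrom=bulkmail-example.test; dkim=none
Return-Path: <bounce@bulkmail-example.test>

I have full access to your computer. Pay or I send the videos to your contacts.
"""


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def looks_alike(a: str, b: str) -> bool:
    """True when two different domains become identical after undoing common
    digit-for-letter substitutions (0->o, 1->l, 3->e, 5->s)."""
    table = str.maketrans("0135", "oles")
    return a != b and a.translate(table) == b.translate(table)


def origin_host(msg) -> str:
    """Host named in the earliest Received header. Each relay prepends its own
    Received line, so the last one listed is the first hop the message took."""
    hops = msg.get_all("Received", [])
    if not hops:
        return ""
    m = re.search(r"\bfrom\s+(\S+)", hops[-1])
    return m.group(1).lower() if m else ""


def analyze(raw: str) -> list:
    """Return a list of short finding tags for the message; empty means clean."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_dom, to_dom = domain_of(from_addr), domain_of(to_addr)

    # A message "from yourself" that you did not send is the extortion pattern.
    if from_addr and from_addr == to_addr:
        findings.append("from-equals-to")

    # Replies and bounces going to a different (or lookalike) domain than the
    # visible From address is the classic BEC tell.
    for header in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1].lower()
        dom = domain_of(addr)
        if addr and dom != from_dom:
            kind = "lookalike" if looks_alike(dom, from_dom) else "mismatch"
            findings.append(f"{header.lower()}-{kind}:{dom}")

    # The receiving server records SPF/DKIM results; anything but "pass" for
    # a message claiming to be internal deserves a phone call.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth, re.I)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}-{result}")

    # A message claiming to be from our own domain should enter from our own
    # hosts, not from an outside relay.
    host = origin_host(msg)
    if from_dom == to_dom and host and host != from_dom and not host.endswith("." + from_dom):
        findings.append(f"external-origin:{host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("BEC sample", BEC_MESSAGE), ("Extortion sample", EXTORTION_MESSAGE)):
        print(label, "->", ", ".join(analyze(raw)) or "no findings")
```

The point of the script is the same as the article's advice: the visible From line is the one thing a sender fully controls, while the Received chain, Return-Path and Authentication-Results are written by the receiving servers and are much harder to fake. Most webmail clients expose these under an option such as "show original" or "view source".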

The heightened awareness of cybercrime has opened up the space for a conversation about how hackers use social engineering to lure victims into their schemes. By understanding their tactics and goals, we can develop simple and powerful defense mechanisms that will save millions of dollars and eliminate a whole lot of pointless anxiety.

This article originally appeared on Forbes.com on May 2, 2019.
