Business PsyOps - Social Engineering Fraud

Posted May 21st, 2018 in sme, insurance, cyber insurance
As small and medium businesses hustle to improve their cyber security and protect themselves against the potential impacts such as loss of customers and revenue, fines, legal costs and reputational damage, cyber criminals are increasingly broadening their attacks from system hacking to people hacking via Social Engineering. 

MANY NAMES AND ADAPTIVE TACTICS

Social Engineering Fraud, Business Email Compromise, CEO Fraud, imposter email: there are lots of names, but the premise is the same. Employees are contacted by criminals who use sophisticated tactics to impersonate a trusted party or person.

They then use emotional triggers to elicit an action by the employee which usually results in a direct financial loss. Put simply: they gain trust, trick staff and have them transfer large amounts of money out of the business.

In December 2017, it was reported that at least two Queensland law firms fell victim to such attacks prompting a warning from the Queensland Law Society. There’s no limit to the creativity of Social Engineering Fraud scams and these particular examples focused on obtaining access to e-mail accounts with the end game of hijacking money held in trust or for settlements.

By impersonating law firms, vendors or purchasers, cyber criminals intervene with updated deposit instructions that appear to come from a credible source, leaving all the legitimate parties to the transaction to work out what happened to the funds after they have been stolen. Timing is key: as the settlement date approaches, all parties are rushed for time, excited about the purchase or anxious about the sale, and heavily invested in the process, which provides fertile ground for misdirection.

Reports to the Australian Cybercrime Online Reporting Network (ACORN) indicated that Business Email Compromise (BEC) losses grew by over 250% between 2016 and 2017, and reported losses represent only a fraction of total losses in Australia.

More recently, Telstra's 2018 Security Report found that, of organisations whose business had been interrupted by a security breach in the last 12 months, 25% experience phishing attacks monthly.

(Source: Telstra Security Report 2018, p. 29)

HOW TO WIN PASSWORDS AND INFLUENCE PEOPLE

In 2015, Ana Ferreira, Lynne Coventry and Gabriele Lenzini presented a research paper, 'Principles of Persuasion in Social Engineering and Their Use in Phishing', that proposed five principles of Social Engineering:

  1. Authority - People are conditioned to trust and not question authority. The interesting thing about authority is that it can change with circumstances. In the case of the law firms mentioned, a client giving instruction on settlement proceeds for a transaction may temporarily have an increased level of perceived authority.
  2. Social Proof - People let their guard down when the majority of people seem to be behaving the same way. There is a perceived decrease in the risk of being solely responsible.
  3. Liking, Similarity & Deception - People are more inclined to go along with people they think they like or are attracted to.
  4. Commitment, Reciprocation & Consistency - People feel more confident in their actions when they commit to them publicly and are keen to be seen to "do what they say". If you owe a favour you want to repay it.
  5. Distraction - We're often focused on a reward or an achievement at the expense of other things that might be happening. If there is a sense of urgency, or that dreaded fear of missing out or FOMO, the distraction can be amplified.

With business e-mail compromise attacks in particular, these principles are often strung together in pairs or triplets to increase effectiveness.

The Australian Cyber Security Centre provided a censored local case study in their 2017 Threat Report.

"In one instance, a cybercrime adversary posed as a Chief Executive Officer (CEO) and Chief Operating Officer (COO) (Authority) of a large business and obtained fraudulent payments of over US$500,000. The adversary sent a spoofed email, purporting to be from the CEO (who was travelling at the time), requesting a large payment from the financial controller. A second email, purporting to be from the COO, was then sent to the financial controller (Commitment, Reciprocation & Consistency). This email contained a false email trail approving the CEO’s request for payment (Distraction).

Not realising the request was fraudulent, the business made two payments to the cybercriminal, one for over US$200,000 and one for almost US$300,000. Both payments were made to bank accounts in overseas jurisdictions."

It is easier said than done, particularly when the boss sends instructions from the plane to Abu Dhabi (do you know Etihad now has Wi-Fi on board!) or a supplier sends through an accounting change just before you process this month's invoice payments. But once you understand the principles it's a matter of addressing them through internal business processes to minimise the risk.

These tips will help:

  1. Minimise the number of people in your business who control bank transfers.
  2. Implement a two-person authorisation process for ALL payment requests.
  3. All employees, managers and directors requesting a transfer must verbally confirm their request before the transfer is finalised, i.e. call them. (Get verbal confirmation from a person within your organisation before you pay any invoices from a new supplier.)
  4. When a supplier advises that their bank account details have changed, seek verbal confirmation that the request is genuine from a phone number you already hold on file.
  5. Beware of red flags, such as emails sent from executives who are known to be away on business trips, or any urgent or immediate payment requests.
  6. Talk to your IT security adviser, who may be able to recommend authentication technology solutions to prevent communication with imposters.
  7. Most importantly, when in doubt - don’t send it out. Wait until you are 100% certain that it’s not fraud before transferring any money.
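The seven tips above amount to a release procedure for outgoing payments. As an added illustration (not code from Edmund or from the original post), the Python below encodes those controls as a policy check that a payment system could run before a transfer is released. Every name in it (the `PaymentRequest` fields, `assess`, `may_release`, the `AUTHORISED_APPROVERS` roster) and all three sample requests are assumptions constructed for this example; the first sample is loosely modelled on the ACSC case study quoted above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Tip 1: keep the set of people who may authorise transfers small and explicit.
# Constructed sample roster for this example (an assumption, not a real roster).
AUTHORISED_APPROVERS: Set[str] = {"financial controller", "finance manager"}


@dataclass
class PaymentRequest:
    """One outgoing transfer awaiting release. Field names are assumptions for this example."""
    requester: str                      # who asked for the payment, as claimed in the e-mail
    amount: float
    payee: str
    approvals: List[str] = field(default_factory=list)  # staff who approved inside the payment system
    verbal_confirmation: bool = False   # requester reached by phone, not by replying to the e-mail
    new_payee: bool = False             # first payment to this supplier
    bank_details_changed: bool = False  # payee's account details differ from those on file
    callback_on_number_on_file: bool = False  # change confirmed on a number held before the request
    requester_travelling: bool = False  # requester known to be away on a business trip
    urgent: bool = False                # request presses for immediate payment


def assess(req: PaymentRequest, approvers: Set[str] = AUTHORISED_APPROVERS) -> Dict[str, List[str]]:
    """Return holds (which block release) and warnings (red flags raised to the approvers)."""
    holds: List[str] = []
    warnings: List[str] = []

    # Tip 2: two-person authorisation. Only approvals recorded by authorised staff count;
    # an "approval" that exists only as a forwarded e-mail trail is ignored.
    valid = {a for a in req.approvals if a in approvers}
    if len(valid) < 2:
        holds.append(f"two authorised approvers required, have {len(valid)}")

    # Tip 3: the requester (or, for a new supplier, someone inside the business) confirms by voice.
    if not req.verbal_confirmation:
        who = "someone within the organisation" if req.new_payee else req.requester
        holds.append(f"verbal confirmation from {who} outstanding")

    # Tip 4: changed account details are confirmed only on a number already held on file.
    if req.bank_details_changed and not req.callback_on_number_on_file:
        holds.append("bank detail change not confirmed on a phone number held on file")

    # Tip 5: red flags. They neither release nor block on their own; they are raised to the approvers.
    if req.requester_travelling:
        warnings.append(f"{req.requester} is known to be travelling")
    if req.urgent:
        warnings.append("request presses for urgent/immediate payment")

    return {"holds": holds, "warnings": warnings}


def may_release(req: PaymentRequest, approvers: Set[str] = AUTHORISED_APPROVERS) -> bool:
    """Tip 7: release only when nothing is in doubt, i.e. no hold remains."""
    return not assess(req, approvers)["holds"]


# Constructed sample, loosely modelled on the ACSC case study quoted above: a spoofed e-mail
# from a travelling "CEO", backed by a second e-mail carrying a forged approval trail.
SPOOFED_CEO_REQUEST = PaymentRequest(
    requester="CEO", amount=200_000.0, payee="overseas account",
    approvals=["financial controller", "COO (e-mail trail)"],  # the COO never approved in the system
    requester_travelling=True, urgent=True,
)

# The same request after the controls were followed: the CEO was called on a known number,
# and a second authorised person approved inside the payment system.
CONFIRMED_REQUEST = PaymentRequest(
    requester="CEO", amount=200_000.0, payee="overseas account",
    approvals=["financial controller", "finance manager"],
    verbal_confirmation=True, requester_travelling=True, urgent=True,
)

# A supplier's "updated" account details: held until confirmed on the number already on file.
SUPPLIER_CHANGE = PaymentRequest(
    requester="accounts@supplier", amount=18_500.0, payee="Supplier Pty Ltd",
    approvals=["financial controller", "finance manager"],
    verbal_confirmation=True, bank_details_changed=True,
)

if __name__ == "__main__":
    samples = [("spoofed CEO", SPOOFED_CEO_REQUEST), ("confirmed", CONFIRMED_REQUEST),
               ("supplier change", SUPPLIER_CHANGE)]
    for name, req in samples:
        print(name, "RELEASE" if may_release(req) else "HOLD", assess(req))
```

The design choice worth noting is that approvals and confirmations are facts recorded by the business's own people in its own system, never facts asserted inside the incoming e-mail: the forged COO approval trail in the first sample contributes nothing, and a supplier's new account number stays on hold until someone has called a number the business already held before the request arrived.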

Most SMEs aren't insured for Social Engineering Fraud loss. At Edmund, we realise businesses are seeking this insurance protection, so we provide it as an optional cover. Australian SMEs can buy Cyber Insurance and Social Engineering Fraud Loss cover from Edmund in minutes.

Understand the fastest growing fraud threat to Australian business by watching this video:


Watch Part 2: How to Avoid Social Engineering Fraud