Social Engineering Is A Mind Game: Is Your CEO at Risk?

A mind-game is difficult to identify, so is a well-crafted social engineering scam. Both are forms of psychological manipulation; neither is welcome in your business.

Today’s socially engineered phishing attacks are so sophisticated that even your most knowledgeable employees’ may be convinced to open a virtual (or actual) door and let one slip through to wreak havoc on your business.

Even your senior management team may fooled by these elaborate cons (think intellectual spy movie). In many cases however, the senior management team, often the CEO, is the target.

The more valuable the target, the bigger the prize.

Cybercriminal mind games are played primarily through email phishing attempts.

CEO targeted email scams are a serious issue with businesses across North America reporting losses of over 215 million USD. (Fortune magazine 2014 figures).

Cybercriminal attacks have many names but essentially they are all forms of “phishing,” or “spoofing.” Whatever the name, the game is about a scammer getting as much critical inside information as possible.

The best phishing is during tax season.

Phishing scams prevail during tax season. Canada’s CRA and the USA’s IRS issued warnings in February 2017 alerting individuals, organizations, institutions, and non-profits about impending phishing attacks.

Think you won’t get hooked?

It’s important to understand that because phishing attacks appeal to our inherently trusting, curious human nature, they have an unprecedented level of success. Even the savviest fraud spotters among us get caught.

Anyone can be tricked.

Former Wired journalist Mat Honan fell victim to clever social engineering tactics that resulted in hackers wiping clean his laptop and phone, deleting his email account and taking over his Twitter account to post racial and homophobic messages. You can read the full, harrowing story here.

The cost of CEO fraud to business is immense.

The impact of CEO fraud is significant. Technology company Ubiquiti Networks,for example, was swindled out of almost $47 million. Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on 7,000+ U.S. companies that have been victimized—with total dollar losses exceeding $740 million. And that doesn’t include victims outside the U.S., or corporate losses that went unreported.

Think this is not a problem in Canada? Think again. The Canadian Anti-Fraud Centre reported that in 2016 alone, online scams accounted for more than 20,000 complaints and more than $40 million in losses by Canadians.

Recently one of our clients fell for a scam and transferred over $80,000.00 to a bogus account in the US.

The CEO spoof: how it works.

The scam is relatively straightforward and to succeed, requires that the cyber criminals acquire critical inside information including:

: The company’s chain of command.

: The names and email addresses of employees who have the authority to initiate payments and money transfers.

: The daily schedule, including planned absences, of the target CEO.

: A CEO’s individual communication style. Scammers often email their intended target to learn the target’s unique style. Does the email signature have a particular font? Colour? Logo? Is the salutation and paragraph construction consistent?

: Additional background information from the targets LinkedIn, Facebook, or Twitter accounts.

With this information, a hacker can create an email account that looks authentic enough to trick a busy person into opening that mail. If the email has been designed to imitate the CEO or financial director’s style the employee might go further and open an attachment.

If the cyber criminal’s intent is to attack a system, a pdf infected with malware will then begin its inexorable journey through the company data files.

In a CEO targeted attack, however, the fake email is designed to contact anyone authorized to issue a money transfer. The message will be an urgent request to wire money to a particular financial institution. Since the email address looks legitimate, the employee complies with what appears to be a senior employee’s request.

Not only can hackers use the scam to target a company’s bank account, but they could also use it to obtain sensitive information including bank account numbers, private customer information, and confidential documents.

What’s your CEO’s best defense?

In this game, knowledge is power. To protect yourself, you have to out-think the bad guys. Here’s how:

Verify any payment requests that are unexpected or unusual either over the phone or (preferably) in person. Don’t use the contact details provided in the potentially fraudulent email.
Establish a process for requesting and authorizing payments that require two points of contact. (Two point authentication system)
Devise a protocol for all personnel to follow should they receive an unusual or suspicious email asking them to approve a money transfer.
Ensure that all members of your team know how to identify and manage cyber security threats. Train and test them.
Beware of sharing personal details on social media channels. Cyber criminals glean information from your Twitter, LinkedIn, Instagram and other platforms. Wherever possible, keep accounts private and exercise any and all privacy options.

Understand that there’s more than one game.

According to Social Engineer, phishing accounts for 77% of all socially based attacks, but businesses targeted in vishing attacks lost $43,000 per account, and individuals targeted through impersonation attacks lost $4,200 on average.

The following are some common social engineering ploys:

Vishing: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers.
Phishing: Emails that are purporting to be from reputable companies designed to induce people to disclose personal information, such as passwords and credit card numbers.
Whale Phishing: (also known as spear phishing) emails ostensibly from a known or trusted sender. The content will be crafted to target a top manager like the CEO or even just a supervisor that might have lots of authority in the company or who might have credentials to valuable accounts.
Smishing: fraudulent messages sent over SMS (text messaging) rather than email.
Impersonation: used to gain access to a system or network to commit fraud, industrial espionage or identity theft. Impersonation includes individuals who are physically on site pretending to be, for example, the company IT service.

Stay sharp. Phishing is constantly evolving.

Learn how socially engineered attacks work, and why they are so frustratingly effective.

Stay up-to-date on the most recent ploys.
Expect that you and your business will be a target. If you have not already received a suspicious email, you will. If you catch it, excellent, but there will be more. Guaranteed.
Train everyone in your company. Then train them again. Test, and repeat.

Phishing is constantly evolving to adopt new and more sophisticated forms and techniques.
If you have an emergency, a question, need advice, or are thinking about making a technology change, contact us at Netcetera.