The Dangers of Social Engineering: What Just One Email Can Do
It’s tough to think about a time when we didn’t have email to rely on for speedy communications inside and outside our businesses. How could we live without it now? It’s an essential part of doing timely, efficient work.
But sometimes your best friend can turn out to be your biggest foe. In one company’s case, a few simple emails were all it took for one organization to lose hundreds of thousands of dollars.
A real-life story of business email compromise
How did a business run by smart, competent people fall prey to a scam? It’s easier than you think. It’s a lesson in cybersecurity and in a form of attack, closely related to phishing, called social engineering.
The organization, whose name we’re protecting, received an email from their marketing firm noting an updated account number for deposit on an invoice. It didn’t seem out of the ordinary and clearly came from an individual the company had worked with in the past. They made the note and wired the $75,000 payment, only to find out later that the money had gone to hackers instead.
They later found out that the hackers had accessed the legitimate email account of a real person at the marketing firm and simply sent an email impersonating them. The hackers even mimicked the writing style of the real employee to make it more convincing.
Unfortunately, the hackers weren’t done with this company yet. In a separate incident shortly after, they impersonated an accounts payable employee at the organization’s construction company. This time, instead of getting access to an employee’s email account directly, they registered a lookalike domain ending in .net instead of the construction company’s real .com domain.
Using the construction company’s staff listing on the About page of its website, they created fake email addresses for two real employees at the construction company. The difference in the domain name went overlooked, and the hackers struck up a conversation about payment history to make the discussion seem legitimate. After a long email thread, the hackers sent an “invoice” for $200,000, and the organization sent the funds.
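The lookalike-domain trick described above (a .net copy of a vendor’s .com domain) is mechanical enough to check for automatically. The following is an added example, not code from the original post or from Cenetric: it compares the domain of an inbound sender address against a list of vendor domains that finance has verified out of band, and flags a swapped top-level domain, a near-miss spelling (small edit distance), or a vendor name embedded in a longer domain. The vendor domains, sender addresses and the `max_distance` threshold are constructed for illustration.

```python
"""Flag sender addresses whose domain is a near-miss for a verified vendor domain."""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional, Set, Tuple

# Constructed list of vendor domains that finance confirmed with the vendor by phone.
TRUSTED_VENDOR_DOMAINS = {"acme-construction.com", "brightmarketing.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'name.tld' into ('name', 'tld'); naive but sufficient for this check."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


@dataclass
class Verdict:
    sender: str                  # address as it appeared in the message
    trusted_match: Optional[str]  # vendor domain the sender resembles, if any
    reason: str                  # exact | tld-swap | lookalike | embedded | unknown | malformed


def assess_sender(header_value: str,
                  trusted: Set[str] = TRUSTED_VENDOR_DOMAINS,
                  max_distance: int = 2) -> Verdict:
    """Classify the sender in a From: header value such as 'Pat Jones <pat@x.net>'."""
    _, address = parseaddr(header_value)
    if "@" not in address:
        return Verdict(header_value, None, "malformed")
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return Verdict(address, domain, "exact")
    name, tld = split_domain(domain)
    # Check every trusted domain for the cheapest impersonations first.
    for vendor in sorted(trusted):
        vname, vtld = split_domain(vendor)
        if name == vname and tld != vtld:
            return Verdict(address, vendor, "tld-swap")   # acme-construction.net
    for vendor in sorted(trusted):
        vname, _ = split_domain(vendor)
        if levenshtein(name, vname) <= max_distance:
            return Verdict(address, vendor, "lookalike")  # acme-constructlon.com
        if vname in name:
            return Verdict(address, vendor, "embedded")   # acme-construction-billing.com
    return Verdict(address, None, "unknown")


if __name__ == "__main__":
    # Constructed From: headers, including one modelled on the .net trick in the story.
    for header in ["pat.jones@acme-construction.com",
                   "Pat Jones <pat.jones@acme-construction.net>",
                   "AP Team <ap@acme-constructlon.com>",
                   "billing@acme-construction-billing.com",
                   "someone@example.org"]:
        v = assess_sender(header)
        print(f"{v.reason:10} {v.sender:45} -> {v.trusted_match}")
```

A verdict other than `exact` or `unknown` is a reason to hold the message for review rather than a proof of fraud; the point is that the difference a busy employee overlooks in a long thread is trivial for a filter to surface.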
How Cenetric helped
The company’s leaders were understandably in a panic after discovering that the payments had been made to a fraudulent source, and they needed outside help because their IT team didn’t specialize in this issue. While they weren’t a regular Cenetric client at the time, the organization asked Cenetric experts to help them find out how far the fraud had gone and where it had started.
Using auditing software to fully review the entire network and all the organization’s systems, and working alongside the organization’s insurance company, Cenetric determined that no part of the system had been penetrated, altered or damaged beyond the emails themselves. They established how the hackers had used the BEC tactic to impersonate vendor employees.
While the situation wasn’t a pleasant one, the company was able to rest easy that there hadn’t been a full-scale data breach. Cenetric went on to perform a complete analysis of the company’s entire network for vulnerabilities, identifying dozens of points to strengthen. The company is now a long-term Cenetric client.
It’s easy to fall prey to social engineering scams
Before you think to yourself, “Well, I’d never fall for one of those scams!”, think again. While “princes” from far-off lands who desperately need your bank account number are easy to spot these days, would you say the same about someone from a firm you’d already done work with and sent money to? Our fast-paced, jam-packed work lives make it easy to act without question — which is exactly what bad actors are counting on.
These types of cyber thefts are a type of social engineering called pretexting. This practice involves creating a story (or pretext) as to why a scammer needs sensitive information. Experts have determined that pretexting attacks always feature two key elements: a plausible situation and a character you’d be likely to trust.
In the situation above, the hackers relied on the victims’ familiarity with their characters — trusted vendors — to gain entry. In this instance, they supplied their own banking information to receive a fraudulent deposit, but pretexting is often used to talk the victim out of their own information as well, such as company passwords, financial data or other company assets.
One of the most common methods of pretexting is through email. Because it’s text-based, email makes it easy to impersonate someone. Particularly in a business setting, people are apt to trust someone they feel they’re familiar with through working relationships.
This is called business email compromise (BEC), and it’s a growing threat to every organization. Verizon’s 2023 Data Breach Investigations Report revealed that BEC attacks have almost doubled over the last two years.
It’s not uncommon, but it’s extremely damaging to your business, so it’s best to take every step you can to prevent it — and be ready to recover if it does occur.
Prevent social engineering in your own business
The organization discussed above brought us in to remediate the situation after the incidents occurred, and it’s important to have a plan in place if business email compromise — or any other form of cyberattack — comes your way.
Invest in phishing training for your whole team
Everyone in your organization — yes, executives too — is vulnerable to this type of attack. Ensure each employee receives regular training on how to spot BEC or other social engineering attempts and what to do if they come across one. Attacks become sneakier every day and it’s important to keep your team fresh and up-to-date on the latest methods being used.
Establish best practices for sending funds or other sensitive data
The story above could have had a different ending if the company had had tighter procedures in place. For instance, establish a procedure for wiring money or cutting checks over a certain dollar amount that includes two approvals from separate people.
While one employee might be in a rush, a second team member is likely to see the situation in a different light and take steps to verify a fraudulent request. Be sure to think beyond finances and implement processes to verify requests for passwords, datasets and certain types of purchases.
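The two-approval rule and the verification step described above can be expressed as a release check that a payment system runs before funds move. The following is an added example, not code from the original post or from Cenetric: a request is blocked if the bank account differs from the one on file for the vendor and nobody has confirmed the change by calling the vendor at the number already on record, and a request above a threshold needs two approvers who are not the requester. The vendor records, the $10,000 threshold and the field names are constructed assumptions, chosen so the first incident in the story ($75,000 to a "new" account) can be replayed against the policy.

```python
"""Dual-control release check for outgoing payments (constructed policy, not Cenetric's)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed vendor master data: the account numbers finance verified at onboarding.
VENDOR_ACCOUNTS: Dict[str, str] = {
    "Bright Marketing": "ACCT-1111",
    "Acme Construction": "ACCT-2222",
}
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value in dollars


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    account: str                      # destination account on the invoice/email
    requested_by: str
    approvals: List[str] = field(default_factory=list)
    callback_verified: bool = False   # True only after a call to the number on file


def blockers(req: PaymentRequest) -> List[str]:
    """Return every policy reason the payment must not be released (empty = OK)."""
    issues = []
    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    if on_file is None:
        issues.append("vendor is not in the verified vendor list")
    elif req.account != on_file and not req.callback_verified:
        issues.append("bank details differ from record and were not verified by call-back")
    # The requester cannot approve their own request, and one person cannot count twice.
    distinct_approvers = set(req.approvals) - {req.requested_by}
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(distinct_approvers) < needed:
        issues.append(f"needs {needed} approver(s) other than the requester, has {len(distinct_approvers)}")
    return issues


def can_release(req: PaymentRequest) -> bool:
    return not blockers(req)


if __name__ == "__main__":
    # Replay of the first incident: an emailed 'updated account number' for a $75,000 invoice.
    req = PaymentRequest("Bright Marketing", 75_000, "ACCT-9999", requested_by="ap.clerk",
                         approvals=["ap.clerk"])
    print(blockers(req))          # two blockers: unverified account change, no independent approver
    req.approvals += ["controller", "cfo"]
    req.callback_verified = True  # finance phoned the marketing firm and the change was bogus or confirmed
    print(can_release(req))       # True only once both controls are satisfied
```

The check is deliberately stateless and boring: it does not try to decide whether the email was genuine, it only refuses to move money until a second person and an out-of-band confirmation have had a chance to notice what the first person missed.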
Keep tabs on your vendors
Mistakes — and wrongdoing — happen, so it’s best to make sure you’re protected from threats to your business through your vendor relationships. Implement a vendor risk management program that outlines your company’s security needs and the requirements any vendors you work with must meet to keep your company safe.
Requirements to consider for your vendors include:
- Proven compliance with applicable industry regulations
- Written documentation of their own cybersecurity best practices
- A comprehensive list of the cybersecurity measures and technology they have in place
- Disclosure of any recent breaches and their scope and impact
- Formal internal risk assessment procedures
- Their disaster recovery plan
Put the right tools in place
In an incident like our example, it’s important to be able to quickly assess the damage done. The auditing software we used is widely available to help you determine whether hackers gained access to any of your systems, data or assets.
You can proactively protect your business with other solutions like multi-factor authentication, anti-phishing software, and an endpoint detection and response system.
If you don’t have the IT resources on your team to implement the cybersecurity tools and systems you need, Cenetric can help.
Concerned about your own cybersecurity?
If this story sent a little tingle down your spine, don’t worry — you’re not alone. Cybersecurity is a big issue and attacks can happen to any company or individual. From training to implementation, our experts can help you examine the state of your cybersecurity and find areas that need more protection.
Whether you’re in Kansas City or beyond, we have the experience to get — and keep — you covered when it comes to cybersecurity. Let’s talk about your needs.