The Oldest Social Engineering Attack in the Book -
An executive, an employee, and a grandma walk into a bar. The man outside the door says "Cover charge is $5."
Once they pay and head in, the bartender says "Cover charge is $5."
The executive says, "But, we already paid the doorman!"
The bartender says, "What doorman?"
3 Attacks in 7 Days
Social engineering attacks aren't new - and this one's a classic. However, the attacks wreaking havoc these days are much more malicious, and the fallout more damaging.
I spend most of my day meeting with businesses and people to learn about their challenges with cybersecurity - specifically the role that people play in security.
The purpose of this article is to share three attacks that we've seen in the last week, why they were successful, and how one can mitigate the risk.
I recently sat down with the CIO of a healthcare system to talk about recent challenges in their organization. The CIO shared one of the attacks in their organization in which the CFO received an email from the CEO requesting a $10,000 bank transfer be made while she was overseas on a business trip.
The request wasn't out of the ordinary - the CEO often requests bank transfers be made and the dollar value of the request was reasonable.
In a similar case, the head pastor at a church sent an email to a finance manager in the church asking for a bank transfer of a few thousands dollars for a family in need.
Again - the request wasn't out of the ordinary - the church often donates money to those in the community in need, and the dollar value was in line with past donations. These are called business email compromise, and occur all too often.
One of these attacks were successful, and one was was stopped. The church was able to stop the attack on their organization because they had a system of checks and balances. Even though the request was normal, the finance manager had to call the pastor for additional information and confirmation - thus successfully averting the attack.
Another attack happened to a small franchisee in the clothing industry. The husband/wife business owners franchise two stores - and they stay local in the community.
One evening they had a young employee closing the store by herself when she recevied a phone call. It went something like this -
"Hi, this is John with the FBI. Your owner, XXX, has committed fraud and laundered money. We are investigating her and need your help. Do not tell her, or you'll be convicted as well.
We need you to submit a payment of $1,300 of Apple iTune gift cards tonight."
...if you're thinking..."What? There's no way someone would fall for that."
You're wrong. The employee took money from the drawer, purchased the gift cards, provided the barcodes...and then thought something might be up, and let the business owner know.
There are so many red flags even in this simplified version of the story - 1) why would the FBI call on the phone? 2) why would they require payment 3) why would they require payment via itunes gift card 4) why would that need done today...and more.
The telephone is a great tool for hackers because it allows the bad guy to make a personal connection with the person on the other end, create a sense of urgency, and read their reactions. That can't be done with a phishing email, so it makes this type of attack even more effective.
You have to keep that in mind and put yourself in the shoes of the young employee to understand how this could happen. The young person received a call from the FBI - that's enough to make anyone nervous. When you pass by a regular police officer going the speed limit you tend to tighten up regardless of whether you're doing anything wrong, so the employee would be on edge right away.
When the fake agent identifies as FBI and threatens the employee it's no surprise to me that she makes irrational decisions. She was too scared to question the agent, too scared to question the situation, and too scared to question the strange request.
It wasn't until after money was lost that she calmed down and realized something wasn't right.
We heard this story twice in the last week.
In the first, the Grandma receives a call from a frantic girl, identifying as her neice. The Grandma asks which neice, and the caller says, 'The pretty one - who do you think?'
The grandma responded, 'Julie.'
'Yes, it's Julie. I was in a friends car and when we were pulled over they found drugs in the car. I had no idea they were there. I need $500 for bail - can you help?'
What would your grandma do?
In the second story, the grandma received a call from someone identified as a friend of her niece in the hospital. The niece had been in a bad accident, and couldn't talk. She needed $3,000 transferred immediately for surgery.
The good news is that both grandma's were on the ball. They were suspicious and concerned, so offered to drive to meet them and pay. This was not the goal for the caller, so the risk was averted.
This happened twice in a week in our local area - so the first thing we did was call our family and friends, and post the story on social media to raise awareness.
Just like it's important for employees to be aware of cyber risks - it's important to do the same with your family, especially older generations that are less computer savvy. Have a conversation with them about the things that are happening, and let them know they should be suscipicious of anyone calling and asking for money in an emergency situation.
The Executive, The Employee, and The Grandma are Just People
When you first heard that I'd describe attacks against an executive, an employee, and a grandma you'd probably think that each attack would be different, and require varying levels of technical skills.
Surprisingly, each attack is similar and none of these required much 'skill' from the hacker - each took advantage of basic human behavior and response.
The best way to prevent 'soft attacks' like these is to raise awareness from your board all the way down to your minimum wage employees, and even your family.
Before you go...
Wuvavi is an employee cybersecurity awareness platform. Through innovative training, simulated phishing, and the right analytics, Wuvavi makes every employee in your organization an active participant in cybersecurity.
You can sign up for a 14 Day Free Trial at https://wuvavi.com/14-day-free-trial/.