Plugging the Social Engineering Hole in Your Defenses

By: (Security +)

Publication: Western Independent Banker , September 2016

Skimmers, tastic thief, sniffers, Internet of Things… you may or may not know what these things are and how they pertain to attacks. A simple online search for hacking equipment returns a variety of results for devices built for the sole purpose of infiltrating your corporate network. Most people envision a hacker as a guy in his mom’s basement building sophisticated hardware. But it’s really much simpler. The reality is that it’s very easy to acquire usernames and passwords without a substantial monetary investment. Most of the successful attacks you read about today began with very humble beginnings: just a phone call or an email.

Financial institutions are in the customer service business. As such, managers want to hire employees who are friendly and engaging with their customers. Unfortunately, this can be a double-edged sword. It is probably safe to say that most employees will not give their usernames and passwords over the phone; however, it may be surprising to learn how many people will go to a website and type in their credentials. It is a simple ruse. The bad actor sets up a website using images and logos taken from the institution’s own website. The website contains fields for a username and password. The hacker gets friendly with the bank employee on the phone and asks them to go to the website and enter their credentials to test a new banking site. The employee enters their credentials and receives an error on the page. The hacker thanks them for their time and explains that there is more work to do on the site. Behind the scenes, the site captured those credentials as they were submitted, and now the hacker has system access. It is a very simple scam that does not cost a lot of money.

Another successful hacking medium is email. Phishing attacks continue to be on the rise. Specific types of phishing such as spear phishing (phishing email targeting a specific person) and whaling (phishing targeting the CEO or other upper-level management) have found increased success as well. When phishing first surfaced, spoofed emails were crude in appearance and often easily identifiable. The skill and sophistication used to craft these emails have grown swiftly. Now, with free tools and a little patience, a hacker can create an email that looks like it comes directly from the CEO.

The commonality across both of these types of attacks is people. You can invest significant amounts of money in network tools and hardware to mitigate threats, but all it takes is one employee to bypass those safeguards by clicking on the wrong link or being too trusting of a “customer.” There are some simple steps an institution can take to mitigate the risk these threats pose:

· Training. Train all levels of employees to recognize the various threats that come through email and other social engineering mediums.

· Testing. Test your employees using available phishing tools and companies that offer social engineering testing.

· More Training. As testing reveals various weaknesses, evaluate responses and conduct more individualized training.

Although sometimes equipped with the latest gadgets in the movies, today’s hacker is hard to distinguish from any other person on the street. Times may have been simpler when bank robbers wore masks so they were more easily identified. Even though they may be hard to detect, there are simple methods a financial institution can employ to significantly mitigate the risk. Through training, testing and retraining, institutions stand a much greater chance of defeating today’s devious hacker.