“How did I fall for that?”
- The catch cry of almost everyone who’s fallen victim to cybercrime, in hindsight
In Australia alone in 2017, there were 50,635 reported email-based scam attacks totalling $17.4 million in losses, according to the ACCC. These are just the reported numbers - it may indeed be a far greater figure. Reported online cybercrimes overall racked up a cool $230 million.
While you might think that those sorts of things “only happen to retired 80-year-olds, I’m far too savvy for that,” that isn’t necessarily true. These same figures show that while older victims lose more overall, the conversion rate for handing over funds skews upwards as the demographics get younger.
How are we getting fooled? Much of the time, it’s via social engineering.
Cybercrime has its roots in anthropology as much as it does in technology
Much like “fake news”, cybercrime is tricking people into believing something that simply isn’t true. Lies and manipulation to gain trust and obscure true intent.
- An email about a tax return, seemingly from the tax office, where you’re led to a bogus website to fill in your financial details and claim your owed rebate (aka brand jacking)
- Serious catfishing, when you enter into a “relationship” with someone via a dating website or social media, only to have to help them out with money when they’re in a jam all the time - and yet you’ve never actually met in person
- False business invoices purportedly from a service you already use such as Xero accounting software
Cybercriminals target at the individual level, or at the business level, all drawing on how humans interact on a daily basis. I’ve been shown time and again that the more mundane and believable the approach, the more likely it is to succeed.
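The brand-jacking and fake-invoice emails described above share a few mechanical tells that a mail gateway (or a careful reader) can check before anyone clicks: a display name that invokes a brand while the sending domain belongs to someone else, a Reply-To that silently redirects answers elsewhere, and link text that shows one domain while the href points to another. The following Python script is an added example, not code from the original post or from MailGuard; the brand-to-domain table, the sample messages and the heuristics themselves are constructed for illustration.

```python
"""
Constructed example: heuristic checks for brand-jacking emails.
Parses a raw RFC 822 message and returns human-readable warnings.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lookup (assumption for this example): brand keyword as it
# appears in a display name -> domains that brand legitimately sends from.
TRUSTED_BRAND_DOMAINS = {
    "tax office": {"ato.gov.au"},
    "ato": {"ato.gov.au"},
    "xero": {"xero.com"},
}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Lower-cased host from a URL, an email address, or a bare domain."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_message(raw):
    """Return a list of warnings for one raw message (empty list = no tells found)."""
    msg = message_from_string(raw)
    warnings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = _host_of(from_addr)

    # 1. Display name invokes a brand, but the sending domain is not that brand's.
    for brand, domains in TRUSTED_BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", display_name.lower()) \
                and not _belongs_to(from_host, domains):
            warnings.append(f"display name mentions '{brand}' but sender domain is {from_host}")

    # 2. Replies are redirected to a different domain than the visible sender.
    reply_host = _host_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_host and reply_host != from_host:
        warnings.append(f"Reply-To domain {reply_host} differs from From domain {from_host}")

    # 3. Link text that looks like a URL or domain but whose href goes elsewhere.
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href, text in collector.links:
        if re.fullmatch(r"\S+\.\S+", text) and _host_of(text) != _host_of(href):
            warnings.append(f"link text shows {_host_of(text)} but points to {_host_of(href)}")
    return warnings


# Constructed sample messages (not real mail; .example domains are reserved).
SAMPLE_PHISH = """\
From: Australian Tax Office <refunds@ato-gov-au.example>
Reply-To: claims@refund-desk.example
To: you@example.com
Subject: Your tax refund is ready
Content-Type: text/html; charset=utf-8

<p>You are owed a rebate. Visit
<a href="http://login.refund-desk.example/ato">www.ato.gov.au/refund</a>
to claim it.</p>
"""

SAMPLE_LEGIT = """\
From: Xero <noreply@post.xero.com>
To: you@example.com
Subject: Your invoice
Content-Type: text/html; charset=utf-8

<p>View your invoice at <a href="https://go.xero.com/inv/1">go.xero.com/inv/1</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw) or ["no tells found"])
```

The constructed phishing message trips all three checks; the constructed Xero notice, sent from a subdomain of the brand's own domain with matching link text, trips none. These heuristics are a first filter rather than a verdict: a convincing scam can send from a compromised legitimate mailbox and pass all three, which is why the awareness training discussed later in this post still matters.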
What is social engineering?
“Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques.” (via CSO online)
If you’ve ever entered an Australian Defence site, you’ll be aware that you need to show ID, already be enrolled to visit in their systems, and have an escort with you - to ensure their buildings, systems, and data stay out of the wrong hands.
However, in many workplaces, if you studied the cleaners walking in and out of the building, then managed to rustle up a uniform, you could stroll in at the right time without anyone giving you a second glance.
Business owners I chat with are often horrified when they discover how easy building access can be; you should think just as critically about data security.
Who’s putting the procedures in place in your online gateways to make sure the faux cleaners aren’t waltzing through the door to gain access to your data?
Social engineering techniques leveraged by cybercriminals
I’ve seen the gamut of social engineering techniques through the course of my career. However, most attacks fall into a few distinct categories.
The first is where a cybercriminal poses as a person with authority. You can read my take on John Kahlbetzer, who was spear-phished to the tune of a million dollars via a sophisticated scam targeting his assistant.
What’s in that ZIP file of photos? You probably don’t want to know. Play that video? It might be others trying to use your machine to mine cryptocurrency.
Imagine you receive a Facebook message from a friend saying someone has cloned their account and asking all their friends to re-add them. The message might ask you to forward it to everyone. Although it appears to be an innocuous hoax, you shouldn’t react by forwarding a random message to all your friends out of fear.
Reverse social engineering
This one is tricky: first comes the sabotage, then the advertising of services to “fix” it, then the wonderful person comes in to help you. At a cost, of course.
Targeted messaging via information gleaned from social media
Have you seen Ocean’s 8? In the movie, the man in charge of security at the Met is stalked on social media by Rihanna’s character. She learns he’s absolutely mad about Wheaten Terriers and sends through an email with a link to a site about - you guessed it - Wheaten Terriers. Once he clicks, she downloads all the necessary files from his system…
You can read more social engineering techniques over at the MalwareBytes Lab blog.
Guarding against social engineering cyber attacks
I recommend businesses use TrustedSec’s Social-Engineer Toolkit to help bulletproof themselves against these sorts of attacks.
You need to create a cybersecurity culture in your workplace to make people more aware of the threats posed to them - and how fraudsters can slip through. Maintaining up-to-date cybersecurity awareness should be a key initiative.
And, of course, adding tools like MailGuard to help bolster your defence against attacks.
Get the facts
Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.
Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.
I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.
You can download my e-book for free, here.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.
... ... ...
Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter.
I’d really value your input and comments so please join the conversation.