Author: Tammy Bangs, TBangs@jackhenry.com
Phishing and social engineering accounted for 15 percent of cyber-crime costs incurred by U.S. companies in 2014, according to Statista.com. Furthermore, 44% of U.S. companies responding to a recent survey stated that they were targets of social engineering or phishing schemes (Statista).
Social engineering, phishing and vishing are everywhere you look these days. Fake IRS telephone scammers, recent large financial institution (FI) breaches via email scams, penetration testing failures, executive level breaches, you name it – it has happened.
Have you been lucky enough to receive a telephone call from the ‘Department of the IRS’ this year? No? I actually received two. Being the risk mitigation geek that I am, I couldn’t resist baiting the fraudster just a bit, asking as many questions as I could muster, keeping him on the line with me for as long as possible. It was a fascinating glimpse into the not-so-sexy world of the vishing scheme. They were probably armed with little more than a search engine and a telephone. They didn’t even know enough about the Internal Revenue Service to use proper nomenclature.
In my travels hosting risk mitigation seminars over the past 18 months, I have been grateful to hear from numerous bankers about penetration testing results they’ve experienced in their own FIs. A common scenario is as follows:
A third-party firm is hired to see what it can obtain via external phishing testing. An email is sent to every account in the FI's Active Directory. The email appears to be from the IT officer but, upon further scrutiny, actually comes from an external source; it still looks good, quasi-legitimate. The email states that if recipients don't click the link provided and give their network credentials and passwords, the required system maintenance due to be performed tonight cannot be completed and their managers will be notified. Lots of the bankers, from tellers to C-level, click the link and provide their credentials.
Initially the numbers I saw were astounding. But, having spoken to bankers from coast to coast, I can confidently state that there are employees at every level inside of your FI who would click the link, TODAY.
So I started wondering: Why? Why would completely reasonable, intelligent, responsible people in this day and age with so much on the line willingly submit to a fraudster? It’s because most social engineering, phishing, and vishing schemes are built on three elements that suspend common sense:
If Bob’s Accounting Firm down the street was on the phone, most people wouldn’t be very likely to cough up their SSN and DOB. But if it’s the IRS, it’s a different story. And if the email mentioned above wasn’t purportedly from the IT officer of the FI, the recipient would not have been nearly as likely to click the link and divulge their network credentials.
A critical element in establishing the validity of the request is the pretext or backstory of the requester. Is it a government agency? Is this a law enforcement officer? Is this a vendor? Is it an employee of our FI? One of the simplest and most effective ways to stop a social engineering attack before it's off the ground is to simply validate the credentials of the person who made the phone call or sent the email. How is this accomplished? Through a separate and independent channel: either by calling the agency (IRS or otherwise) back at its published number and asking for the purported agent, or via a separately initiated email (not a reply to the one received).
If there was no urgency in the request by the scammer, there is no reason to act now. The fraudster wants you to act before your brain has a chance to consider what the down side of that action might be. How many times have you spoken to an employee or customer after they’ve already opened the email and clicked the link? “Um … I think I maybe shouldn’t have done this.” “I may be infected with a virus.” “Something doesn’t look right!” It’s a common theme. If that fraudster gets your employee or customer to act prior to considering implications of that action, their rates of success go way up. According to behavioral psychologists, urgent situations cause people to suspend deliberate thought and act quickly (Psychology Article).
Consequence is the final leg in our three-legged social engineering stool. If there is no implied or explicit consequence, there can be no true urgency, and therefore no reason to act. If the IRS isn't threatening to levy your property, place you under arrest or increase the amount you owe them, why would you agree to wire money immediately or provide information which could later be used to steal your identity? If that IT officer wasn't performing system maintenance tonight and your manager was not going to be notified of your non-compliance, why on earth would you agree to give your network credentials to someone – ANYONE? The elements of consequence and urgency go hand in hand in making people who are rule-following good citizens easy pickings for criminals. Unfortunately, this element is one that makes older generations even more vulnerable to this type of attack. Taking the person on the other end of the phone at 'face value', and believing them when they tell you that you are in trouble with the IRS, is practically a given, unless you can warn your senior citizens ahead of time. Before the wire is sent. Before the social security number is given out.
Identifying these three elements is just one part of the strategy. Your FI can take it from here. Adopt a review of these components as a part of the training you provide your employees and customers on combating social engineering threats. Scrutiny is not rude; it's part of doing business today. Challenging credentials, validating requests, and critical thinking are as much a part of protecting your assets as locking the front door of the bank each evening. They are a necessary part of combating the tactics adopted by these fraudsters. One additional parting thought – explicitly spell it out in your employment policy as an actionable item: if an employee gives their network credentials to anyone, this is an offense that can result in termination. It is a tough-love approach, but one that your security can depend upon. Helping employees understand that there are consequences associated with their actions is a critical deterrent to the click-now, think-later approach.