In the past few years, two types of social engineering attack, CEO fraud and payment diversion, have been causing concern among corporations, banks and government agencies. In August 2016, Leoni AG, one of the world's leading wire and cable manufacturers, was swindled out of EU40m by a social engineer using nothing but email; the company's stock dropped by almost 7%.
How could this have happened? A two-week investigation by law enforcement revealed that a young woman working in the finance department of Leoni's factory in Bistrița, Romania, received an email that appeared to come from senior German executives. She believed it to be a genuine request to transfer EU40m out of the company's bank account. According to unconfirmed reports, the money was moved to accounts in the Czech Republic.
This case of CEO fraud, also known as fake president fraud, reveals the problem and the challenges companies face when it comes to social engineering attacks. Unlike conventional hacking attacks, the criminals do not rely on malicious software to infect computer networks. This makes conventional protection, such as firewalls and anti-virus software, ineffective. The social engineer's target is the human operating system. To offer an effective solution to this menace, one must take a closer look at their methods.
At the heart of every social engineering attack lies the exploitation of positive human traits, such as kindness and trust, to bypass the human firewall. Employees are tricked into doing what the attacker asks of them through conscious or subconscious manipulation. To set up a successful play, as the main phase of an attack is called, social engineers in the case of CEO fraud count on people's willingness to comply when a request comes from a figure of authority.
CEO fraud, a likely scenario: an employee in the finance department of a company receives a phone call from a man introducing himself as a lawyer, or perhaps the company secretary, asking about a certain transfer on behalf of the CEO. The employee replies that he is not aware of any transfer and decides to hold off for the time being, pending confirmation. Later he receives an email, supposedly written by the CEO himself; it informs him that a certain amount of funds, to be used for a strategic acquisition, has to be transferred, that he was specifically chosen to do it based on his past performance and discretion, and that the wire transfer instructions would be given to him by the lawyer. Over the coming days, the employee's correspondence with the lawyer and the CEO intensifies. He is told not to talk to anyone about the acquisition, is made to sign a non-disclosure document and finally receives the transfer instructions: a bank account and the sum to be transferred.
After the transfer, the communication suddenly ends. The employee doesn't get any more emails or phone calls from either of the parties involved. At this moment it might dawn on him that he was tricked, that he wasn't actually communicating with the CEO, or even with a real lawyer. In a panic, he decides to ignore the NDA (non-disclosure agreement) and talks to his supervisor. The money, meanwhile, has been withdrawn by the attackers. As we see, an attack like this does not require sophisticated technological savvy, but a deep understanding of the human psyche. Every successful social engineer does a great amount of research before starting an attack.
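The scenario above leaves traces a mail gateway or triage analyst can look for: an executive's display name on an address outside the corporate domain, a lookalike domain, a Reply-To that routes answers to a third party (the "lawyer"), and the secrecy and urgency language of the lure. The following check is an added illustration, not tooling from the article or from Leoni; the corporate domain, the executive names and both sample messages are constructed, and the thresholds are assumptions.

```python
"""Triage check for executive-impersonation ("CEO fraud") email.

Added illustration, not the article's own tooling: the corporate domain,
the executive names and the two sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.test"            # assumption
EXECUTIVES = {"anna koch", "peter schmidt"}       # constructed display names
SECRECY_TERMS = ("confidential", "do not discuss", "discretion",
                 "non-disclosure", "urgent")
MIN_TERM_HITS = 2                                 # assumption


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message, lower-cased."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def triage(raw_message: str) -> list:
    """Return the reasons a message looks like executive impersonation (empty = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []
    if name.strip().lower() in EXECUTIVES:
        if from_domain != CORPORATE_DOMAIN:
            reasons.append("executive display name on an external sender address")
        if 0 < _edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
            reasons.append("sender domain is a lookalike of the corporate domain")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append("Reply-To points to a different domain than From")
    if sum(term in _body_text(msg) for term in SECRECY_TERMS) >= MIN_TERM_HITS:
        reasons.append("secrecy or urgency language typical of the lure")
    return reasons


# Constructed sample messages (not real mail).
FRAUD_MAIL = """\
From: Anna Koch <anna.koch@examp1e-corp.test>
Reply-To: counsel@law-office.test
To: finance@example-corp.test
Subject: Strategic acquisition

This matter is strictly confidential. Do not discuss it with anyone.
Wire the funds today as instructed by our lawyer; this is urgent.
"""

LEGIT_MAIL = """\
From: Anna Koch <anna.koch@example-corp.test>
To: finance@example-corp.test
Subject: Management meeting

Please find attached the agenda for Thursday's management meeting.
"""

if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("legit", LEGIT_MAIL)):
        print(label, triage(mail))
```

The check deliberately does not rely on the message body alone: the header findings (external or lookalike domain, diverted Reply-To) are the ones that survive a well-written lure, and a message that trips any of them should be routed to a human who confirms the request with the named executive by a channel the email did not supply.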
Payment diversion: payment diversion frauds are a lot simpler, but just as effective. Criminals do not pose as heads of companies, but as contractors awaiting payment from the target company. They send emails to the responsible employees, letting them know that there is a new bank account to which all future payments have to be transferred. This interaction is impersonal and doesn't require any knowledge of human psychology and behavior.
Prevention strategies: raising security awareness is the most effective form of prevention. Employees have to know how cybercriminals work, how they manipulate their victims, and how to develop a strong and skeptical attitude towards unusual requests. They need to understand that they, not the IT department, firewalls or antivirus software, are responsible for the safety of confidential information and for their behavior in the digital sphere.
Preventive action becomes paramount: the importance of a thorough analysis, improved payment processes and proper handling of changes to bank account details cannot be overemphasized. Adequate and sustained training is needed at all levels of responsibility in the organization, at all times.
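The payment-process controls called for above, and the "new bank account" email of the payment diversion section, can be made concrete as a release check that runs before every payment run: a beneficiary account must match vendor master data, and any recent change to that master data must have been verified by a callback to the number already on file (never a number supplied in the request), approved by two people, and be older than a cooling-off period. The code below is an added illustration, not the article's own procedure; the vendor records, change log and payment run are constructed sample data and the thresholds are assumptions.

```python
"""Release control for outgoing payments after a change of bank details.

Added illustration, not the article's own procedure: the vendor master
data, the change log and the payment run are constructed sample data, and
the thresholds are assumptions about a reasonable policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

COOLING_OFF_DAYS = 5        # assumption: hold payments to a newly changed account this long
REQUIRED_APPROVERS = 2      # assumption: dual control on master-data changes


@dataclass
class BankChange:
    changed_on: date
    new_account: str
    requested_via: str                 # "email", "vendor portal", "letter", ...
    callback_number: Optional[str]     # number actually dialled to verify; None if no callback
    approvers: Tuple[str, ...] = ()


@dataclass
class Vendor:
    name: str
    account_on_file: str
    phone_on_file: str                 # captured at onboarding, never taken from a change request
    changes: List[BankChange] = field(default_factory=list)


@dataclass
class Payment:
    vendor: str
    beneficiary_account: str
    amount: float
    run_date: date


def review_change(vendor: Vendor, change: BankChange) -> List[str]:
    """Control failures for one bank-detail change (empty list = handled properly)."""
    failures = []
    if change.callback_number is None:
        failures.append("change accepted without a callback to the vendor")
    elif change.callback_number != vendor.phone_on_file:
        failures.append("callback went to a number taken from the request, not the number on file")
    if len(set(change.approvers)) < REQUIRED_APPROVERS:
        failures.append("change lacks dual approval")
    return failures


def review_payment(vendors: dict, payment: Payment) -> Tuple[str, List[str]]:
    """Decide whether a payment may be released: ('release' or 'hold', reasons)."""
    vendor = vendors[payment.vendor]
    reasons = []
    if payment.beneficiary_account != vendor.account_on_file:
        reasons.append("beneficiary account does not match vendor master data")
    for change in vendor.changes:
        if change.new_account != payment.beneficiary_account:
            continue
        reasons.extend(review_change(vendor, change))
        if payment.run_date - change.changed_on < timedelta(days=COOLING_OFF_DAYS):
            reasons.append("account was changed within the cooling-off window")
    return ("hold" if reasons else "release"), reasons


# Constructed sample data: one change pushed through by email with a weak
# verification, one handled properly through the vendor portal.
VENDORS = {
    "Northwind Cables": Vendor(
        "Northwind Cables", "DE00 SAMPLE 0001", "+49 000 000001",
        changes=[BankChange(date(2016, 8, 1), "DE00 SAMPLE 0001", "email",
                            callback_number="+49 000 999999", approvers=("m.weber",))]),
    "Contoso Metals": Vendor(
        "Contoso Metals", "DE00 SAMPLE 0002", "+49 000 000002",
        changes=[BankChange(date(2016, 7, 1), "DE00 SAMPLE 0002", "vendor portal",
                            callback_number="+49 000 000002", approvers=("m.weber", "s.ali"))]),
}
PAYMENT_RUN = [
    Payment("Northwind Cables", "DE00 SAMPLE 0001", 125000.0, date(2016, 8, 3)),
    Payment("Contoso Metals", "DE00 SAMPLE 0002", 8400.0, date(2016, 8, 3)),
    Payment("Contoso Metals", "DE00 SAMPLE 0009", 2100.0, date(2016, 8, 3)),
]


def run_controls(vendors=VENDORS, payments=PAYMENT_RUN) -> list:
    """Apply the release control to a payment run; returns (vendor, decision, reasons) per payment."""
    return [(p.vendor, *review_payment(vendors, p)) for p in payments]


if __name__ == "__main__":
    for vendor, decision, reasons in run_controls():
        print(vendor, decision)
        for reason in reasons:
            print("  -", reason)
```

The point of keeping the callback number in master data rather than in the request is exactly the payment diversion case: the fraudster's email will happily include a "new" phone number that answers confirmingly. A held payment is then resolved by the same out-of-band verification and a second approver, which is the process change the last paragraph asks for.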