According to the Danish philosopher Søren Kierkegaard, “There are two ways to be fooled: one is to believe what isn’t true; the other is to refuse to believe what is true.” What Kierkegaard is telling us is something about which every cybersecurity professional is painfully aware. Most cybersecurity issues occur because of phishing or social engineering, because people cannot distinguish what is true and what isn’t. It’s especially dangerous these days because it is the way most criminal hackers get into your systems with advanced persistent threats.
Any good cyber security defense must include continual training to ensure that employees do not fall for social engineering scams.
Famous 419 scam
A famous phishing scam is the Nigerian prince scam. It’s so common, it has its own code name, 419 scammers, because they deal with section 419 of the Nigerian criminal code dealing with fraud. They have their own song and a U.S. government email, 419.fcd@usss.treas.gov, which is used to report the fraud.
This scam has its roots in the late 19th century, when it was called the Spanish Prisoner scam. It’s based on the idea that if you make a large down payment to help someone who is having difficulties with (corrupt) authorities, they will reward you handsomely.
Of course, there is no reward; the scammers just take the money. New versions of this scam often involve beneficiaries of a will, bogus cashier’s checks, and donation solicitations. All involve unknown individuals offering a huge reward for either a payment or information. The payment is either a direct transfer by the victim or harvesting the victim’s information.
The best protection against these scams is skepticism. Why would someone contact an unknown person for help? Follow Kierkegaard’s advice: Don’t believe what isn’t true or ignore what is. Check the information before you believe it.
Conducting research can also help with another scam: the account verification scam. Here, the scammer sends an email with logos identical to a bank, a credit card, or perhaps an online store. The phishing email notifies the victim that there has been a problem with their account and gives them a URL to log in and fix the issue, but this URL leads to a website designed to harvest credentials and download malware. The best way to protect against this scam is to check the official website of the organization mentioned. The website should be protected by the “https” icon.
Account verification is similar to a BEC (business email compromise) attack. According to the FBI, “Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion.” In a BEC attack the perpetrator impersonates a company leader such as a CEO or CFO and orders a lower-level employee to wire money to a specific bank account.
These attacks are carefully orchestrated with weeks or months of surveillance. The information is collected to create a request for an immediate wire transfer, usually to a trusted vendor. The fake request is designed to fool the employee into believing that they are sending money to a familiar account, just as they’ve done in the past. The account number is engineered so it is almost exactly like the familiar account. The email is often timed to take advantage of a period when the decision maker is away from the office. Like the account verification scam, this one can be stopped by a two-step verification process. The employee should contact the company leader directly, preferably face to face or with a phone call, to be sure they actually did make the request. Such a meeting or phone call could have saved the central bank of Bangladesh and the Federal Reserve Bank of New York $61 million, which was lost in a similar deception.
Not all criminals have the resources or skill to create a BEC attack. One common method relies on a user’s ignorance of computer problems. The criminal hacker inserts a pop-up on the victim’s screen that claims there is a problem with the computer and includes an offer to fix it accompanied by a telephone number or a link. The objective is to get the victim to either pay money for the ‘fix’ or download malware. The easiest way to avoid this scam is simply to turn off the computer. If nothing permanent has been downloaded, a restart should get rid of the problem.
Certain government agencies such as the IRS and the FBI should be proud that their very name evokes sufficient fear to get people to make payments. This is the government imposter scam. It involves contact with the victim by email or telephone (vishing), and scammers are now using synthetic voicemail to increase the potential number of victims.
The scammers threaten jail or assets being frozen unless the victim immediately sends funds. They rely on the probability that the victim will be too frightened to wonder why a government agent, one “Sam Johnson”, has a heavy Russian or Indian accent. However, this scam is easy to avoid if the victim understands that the U.S. government never communicates collection by telephone, only by letter, and it never accepts payment in bitcoins.
The Family Emergency Scam is a variant of the Spanish Prisoner and tends to target the elderly. A relative of the victim is used as the bait to trick the victim into sending money. Like BEC, it can often be averted by a simple phone call to the family member who is supposedly in trouble. It’s more likely that grandson Jimmy is sleeping off a hangover in Cancun than being held for ransom by jihadists. Imposter scams have cost Americans a total of $328 million, and because they are simple to carry out, no doubt they will continue.
Another common scam is more difficult to catch. One method of checking a link in a suspicious email is to hover the mouse over the link. Often the URL in the stated link is much different from what you expect. This is called typosquatting or URL hijacking. Usually it is obvious because the scammer doesn’t bother to get a convincing domain name, but more sophisticated scammers create lookalike URLs by changing only one letter or number, e.g. https://www.amazon.com/ might become www.amazom.com. Checking the link becomes even more difficult if the criminal hacker uses letters from different languages, e.g. the URL for Amazon could become www.amazoń.com. If you use a keyboard in a different language, you can get letters that look similar to their Latin counterparts but are different. The objective of these scams is usually to harvest your credentials.
This list of scams certainly isn’t complete. Scams change with the season, the news, technologies, popular programs, or popular investments. Around Christmas, delivery scams are popular, with fake emails from UPS or FedEx. Cloud providers can be spoofed with scams that create links to shared files in Dropbox, Google Docs, or Office 365. And cryptocurrency scams involve everything from stealing from bitcoin wallets to installing bitcoin miners. Even new regulations such as the EU’s GDPR (General Data Protection Regulation) have spawned their own variety of social engineering.
The figure varies but estimates of successful cyber attacks being attributed to human error are as high as 90%. The best way to prevent them is to be sure that your employees won’t fall for the types of scams discussed in this blog. This can be achieved with continual training. At IT Governance USA, our focus is on using global best practice to prevent these attacks, and we offer numerous training videos and courses that should be a major component of any defense. Global best practice is really defined by the ISO 27001 framework. IT Governance USA has decades of implementing this managements system worldwide.
You may feel safe with your exceptionally proficient SIEM or your AI-inspired data-loss-prevention app, but the real problem might be that one of your employees clicks an unsafe link to watch a video of monkeys destroying an office. In fact, this happened: A White House employee clicked “Office Monkeys LOL Video.zip,” which gave Russian criminal hackers access to President Obama’s emails.
