After hardening my corporate environment and improving our device management as CISO with previous organizations, I noticed that the would-be fraudsters quickly evolved their attack methods in response.
Instead of sending emails to the corporate email addresses, which were protected with multiple security solutions, the fraudsters started doing their homework using social media sites like LinkedIn to capture names, roles, and photos to build dossiers on individual users.
They would then start to engage my employees through social media messaging apps like WeChat, Facebook Messenger, WhatsApp, and Signal. The fraudsters would set up an account under the name of senior managers or executives from my company. They used the proper name. They even used a photo from LinkedIn or elsewhere on the internet. They became very effective at becoming the person they were imitating.
After creating the social accounts, they would use them to reach out to unsuspecting employees. The employees saw the name, saw the photo, and immediately assumed they were chatting with the real deal. The phony account creator would then ask them to make changes or process requests, usually using a pretext for making the request from a personal account, such as being locked out of their corporate account or working on a merger and acquisition (M&A) that they didn't want to put into the corporate system. Next, they would ask for a PO to be paid or for a bank account to be changed.
When done legitimately, these requests typically followed standardized processes to prevent exactly these types of scams. Yet I saw again and again how powerful these fake identities were in causing my employees to forget these processes. They genuinely wanted to help, and truly believed that’s what they were doing.
We had a few of these reported over the course of a week. This led to us crafting specific awareness training – a special program for high-impact teams including finance, HR, treasury, and others. We also adapted our annual awareness training to reflect this change in tactics. We added examples of these types of attacks to our internal newsletters and communicated to our entire organization.
Attackers will learn how to get to our end users. They have every incentive to do so: if they don't get to our employees, they don't make money. They are financially motivated. They will continue to adapt to find a way to be successful.
How do we protect our organizations?
- Conduct security awareness training – Make sure your organization is trained. They need to be aware of these types of attacks/fraud attempts. If they are aware then they can detect, report, or simply ignore them. This will help protect the business AND it will help protect our employees in their personal lives as they are then less likely to fall for these types of attacks against their personal accounts.
- Update apps and mobile devices – All software has flaws. When a patch is available, it's always best to apply it. Even if there isn't a listed security fix, updates often fix issues that are not mentioned in the release notes. This should be conveyed to all employees.
- Encourage the use of privacy settings – Most applications have privacy settings. Warn employees against leaving their accounts, profiles, and posts up for just anyone to see. Apply privacy settings to prevent unsanctioned eyes from seeing your content, and don't allow pictures and personal information to be downloaded without your consent. This won't be available on every platform, but it's always smart to review the privacy settings to see what options are available.
- Focus on credentials – Encourage employees to use strong credentials when signing up for accounts. The last thing you want is for someone to compromise your account and then use it to dupe your contacts. Mandate strong passwords and enable two-factor authentication where available or, better yet, multifactor authentication.
- Think before you click – Explain the importance of being mindful of the things you click on. Not every link is legitimate. Teach users to consider the context surrounding the link being shared before clicking on it. Where possible, inspect the link to see whether it is going to the domain you'd expect. When in doubt, don't follow odd requests.
- Ignore messages – Set an expectation about not responding to strange requests. If it's a stranger, ignore it. If it claims to be from a known person, verify. Reach out via another method, such as a corporate IM solution like Slack or Teams, or verify using a known cell number. Remember, employees often want to help or want to avoid angering a superior, so make sure they know that verifying a request will never be held against them.
In all my interactions with executives and senior business leaders, I have never had one complain when I reached out to verify their identity or to confirm one of their requests. So don’t be afraid to do it. It’s easier to confirm ahead of time than it is to explain why not following a predetermined process led to the company losing money.
Cybercriminals and scammers are good at their jobs. (We wouldn’t have ours if they weren’t.) They are social engineering experts. They know how to appeal to emotions and get people to act in the way they want. But by following the steps outlined above, one can reduce the risk of falling victim to their requests.
Let's stay safe out there!