Consumers’ and businesses’ growing digital footprints are making us all more vulnerable to cyber attacks, says Stuart Fuller, director of communications at NetNames.
We are all far too clever to be duped by email scams, right? The poorly written notes that land in our inboxes almost daily, promising us riches?
Even if 99.99% of recipients put them straight in the bin, all it takes is the 0.01% who respond to give the fraudsters their return on investment.
Technology has made casting a fraudster’s net far and wide significantly easier and cheaper, yet it is the rise in fraud carried out through more traditional channels, the phone call and the text message, that most concerns the authorities.
The term ‘social engineering’ may sound as if it belongs in medical or social research, but in security it describes an old confidence trick given new reach by the digital age, and today the people inside an organisation remain the biggest single point of weakness in its security.
Social engineers are cyber criminals who use psychological manipulation to influence a person into taking an action that ultimately benefits the fraudster. In other words, they are digital confidence tricksters.
The fraudsters use snippets of personal information, gleaned from the digital footprint we leave online, to appear credible and build trust. With trust comes the open door that lets the criminals steal the family silver, and often much more.
In the last two years there has been a spike in this type of fraud, with reported losses in 2015 doubling to nearly $1 billion compared with 2014. Email is not the only channel that worries the authorities: there has also been a rise in attempts through text messages and phone calls, which underlines how freely our personal data is available to anyone determined to misuse it.
A French sting
The BBC reported an interesting take on social engineering in early January, highlighting a French company that became the latest victim of what is dubbed “fraude au président” or “CEO fraud”. The company, established for nearly 75 years, lost around €100,000 ($108,000), although it could have been a lot worse.
The fraudsters used publicly available corporate data gleaned from the internet to create very authentic-looking emails, sent to the firm’s accountant, instructing them to pay money to a series of international banks in connection with the hush-hush acquisition of another company.
Whether the fraudsters also learned from social media that the company’s chief executive was out of the office is not known, but they “pre-warned” the accountant by phone, claiming to be the lawyer involved in the deal, that an email with instructions would arrive and should be followed in secret.
The company is by no means the only victim. According to the BBC article, French businesses have lost an estimated €465 million through similar frauds, while in the US the figure is more like $700 million, although the real numbers could be much higher as some firms will not have reported the theft to the authorities.
Because of the research carried out before the fraud, and because it is targeted at exactly the right person in the firm, the chances of success are increased. Most anti-malware and spam filters look for the characteristic features of phishing emails: a malicious attachment, a known-bad link, mangled language. CEO-fraud emails are well written, carry no tell-tale attachment and come from a legitimate-looking address, whether a lookalike domain or a forged display name on an unrelated domain. In addition, junior staff are less likely to push back on an instruction that appears to come from senior management, especially when the email and a follow-up phone call both stress secrecy and urgency. The defence here is procedural rather than technical: any payment instruction that arrives by email, however senior the apparent sender, is confirmed by calling the sender back on a number already on file, never on a number supplied in the email or by the caller.
The last few years have seen the term ‘phishing’ become part of our lexicon, and brand owners now look for ways to protect their clients, although, because of the nature of the delivery mechanism, attacks are often detected only after victims have been scammed rather than when they are launched. The internet offers an ‘always on’ sales channel, but monitoring changes to it in real time is difficult.
Most phishing attacks try to divert a brand’s real web traffic to a website that looks convincing. Part of the trick is a domain name that looks similar to one already in use (a typosquatted name, such as a misspelling or a look-alike character) or that matches it in some way (a cybersquatted name, such as the brand name under a different top-level domain or with a keyword appended). The best defence a brand can mount here is an effective domain name monitoring service that flags any suspicious registration, working from data taken directly from the registries’ databases every 24 hours.
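The two defences described above, screening each day’s new domain registrations for lookalike names and screening inbound mail for the signals a CEO-fraud message leaves (a lookalike or borrowed sender identity, a Reply-To that diverts the conversation, urgency and secrecy in the subject), as one added example in Python. It is not code from the article or from NetNames; the brand domain acme.com, the registration feed and the sample message are constructed, and the homoglyph, keyword and TLD lists are assumptions that a real monitoring service would extend considerably.

```python
# Added example, not code from the original article or from NetNames.
# The brand domain, registry feed and mail message below are constructed.
import email
from email import policy

# Character swaps that look alike in common fonts (assumption; extend as needed).
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn"],
              "w": ["vv"], "e": ["3"], "a": ["4"]}
ALT_TLDS = ["com", "net", "org", "co", "cm", "info"]   # assumption
KEYWORDS = ["login", "secure", "mail", "pay"]           # assumption


def typo_variants(domain):
    """Return the set of lookalike domains for a brand domain such as acme.com.

    Covers the classic typosquat families (character omission, transposition,
    duplication, homoglyph swap, hyphen insertion), keyword suffixes such as
    acme-login.com, and TLD swaps such as acme.co. The brand itself is excluded.
    """
    label, _, tld = domain.lower().rpartition(".")
    if not label:
        raise ValueError("expected a second-level domain such as acme.com")
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                        # omission
        labels.add(label[:i + 1] + label[i] + label[i + 1:])         # duplication
        for sub in HOMOGLYPHS.get(label[i], []):
            labels.add(label[:i] + sub + label[i + 1:])              # homoglyph
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for i in range(1, len(label)):
        labels.add(label[:i] + "-" + label[i:])                      # hyphen insertion
    labels.update(f"{label}-{kw}" for kw in KEYWORDS)                # keyword suffix
    variants = {f"{v}.{tld}" for v in labels if v and v != label}
    variants.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)   # TLD swap
    return variants


def flag_registrations(brand, new_registrations):
    """Screen one day's new registrations against the brand's variant set."""
    candidates = typo_variants(brand)
    return sorted(d for d in new_registrations if d.lower() in candidates)


URGENCY_WORDS = ("urgent", "confidential", "wire", "today")


def screen_message(brand, raw_message):
    """Return the CEO-fraud signals found in an RFC 5322 message: a lookalike
    sender domain, a display name borrowing the brand on a foreign domain, a
    Reply-To pointing at a different domain, and urgency or secrecy language."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    brand = brand.lower()
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    if sender_domain in typo_variants(brand):
        findings.append(f"lookalike sender domain: {sender_domain}")
    elif sender_domain != brand and brand.split(".")[0] in sender.display_name.lower():
        findings.append(f"display name borrows {brand} but domain is {sender_domain}")
    if msg["Reply-To"] is not None:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain")
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency or secrecy language in subject")
    return findings


# Constructed sample data (not real registrations and not a real message).
NEW_REGISTRATIONS = ["acme-login.com", "acrne.com", "acme.co",
                     "example.org", "acem.com", "widgets.net"]

SAMPLE_MAIL = """\
From: "Jean Dupont, CEO" <jean.dupont@acrne.com>
Reply-To: counsel@deal-lawyers.example
To: accounts@acme.com
Subject: URGENT and confidential: acquisition payment

Please wire the first instalment today. The lawyer will phone you with details.
"""

if __name__ == "__main__":
    print("suspicious registrations:", flag_registrations("acme.com", NEW_REGISTRATIONS))
    for finding in screen_message("acme.com", SAMPLE_MAIL):
        print("mail signal:", finding)
```

Run against the constructed feed, `flag_registrations` picks out the transposition acem.com, the keyword suffix acme-login.com, the TLD swap acme.co and the homoglyph acrne.com, and leaves the unrelated names alone; the sample message trips all three mail signals. A variant generator like this is only as good as its families, so a production monitor also compares edit distance and watches for the brand string inside longer labels rather than relying on an exact match to a precomputed set.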
However, most consumers do not look at the domain name when they arrive at a web page. Whether they have followed a link or clicked on a search result, if the site looks genuine they have no reason to doubt its authenticity.
Email phishing is not the only method now used by cyber criminals. As if we didn’t have enough jargon to deal with, there is another term that, despite the simplicity of the technique, describes a growing threat to brands and consumers alike.
‘Vishing’ hit the headlines in 2015 in the wake of a few high-profile data breaches, but it is not a new threat to consumers’ and brands’ financial details. Vishing (‘voice phishing’) is the practice of gaining access to financial records, or even an organisation’s network, via a simple phone call. Presenting credibly as a trusted brand, the fraudsters look for a compelling event that lets them use the data they have already acquired to maximum effect.
There have been reported attacks, for instance, in which the criminals pretend to be from a major software company and convince their victims that their computers have a virus that is causing wider problems. They aim to take remote control of the victim’s computer, at best charging a large fee for removing malware that never existed, or sometimes charging the fee and installing software that causes further damage or steals personal information for later use.
In another recent trend, victims are targeted after a data breach and encouraged to move their money to a new bank account that is ‘safer’. The fraudsters use personal information that is in the public domain, spoof the caller ID (number masking) and add fake background noise to give the call a sense of legitimacy and authenticity.
Vishing is a growing threat for financial institutions, one that consumer education tries to address, but unfortunately it uses a channel the institutions themselves still use to contact customers, which makes it hard to defend: customers cannot simply be told to distrust every call from their bank. The practical advice is to hang up and call back on the number printed on the card or statement, since a spoofed caller ID cannot receive the return call.
Digital fraud and social engineering are nothing new. Our interaction with social media means we leave ever-growing digital footprints that bad actors can mine. Consumer education, driven by brand owners, has never been more important, but it also needs consumers themselves to be more suspicious of any request or communication that seems out of the ordinary.
Stuart Fuller is director of communications at NetNames. He can be contacted at: firstname.lastname@example.org