Social engineering prevalence & losses
In a recent report on Internet crime by the Federal Bureau of Investigations (FBI), social engineering is presented as one of the main techniques that is used by cybercriminals to carry out fraud.
Losses that result from social engineering are ten times higher than losses that result from identity theft and 200 times higher than those that result from ransomware.
In the FBI report it is noted that this type of fraud “is constantly evolving as scammers become more sophisticated” and that the FBI’s Internet Crime Complaint Center (IC3) has “observed an increase in the number of BEC/EAC complaints.” (BEC represents business email compromise and EAC represents email account compromise, where both are executed via social engineering).
From the report it is has been found that this type of scam is prevalent, on the rise, and that losses are high.
Considering the risk and damage caused by social engineering, it is important for an organization’s finance teams to be aware of the methodologies and technologies that are used by cybercriminals to carry out these scams.
The technologies used by cyberfraudsters to execute social engineering scams includes those that enable phone number spoofing ,hacking into email systems, and deep-fake voice cloning software.
These technologies have become widespread for executing social engineering against finance executives, accounts payable teams, and procurement personnel.
The risk of manual controls
In 2018, the SEC published a report on its investigation of nine companies that lost a total of over $100 million due to various types of social engineering attacks.
As part of the report the SEC notes the requirement of companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with management’s general or specific authorization.”
It also noted that “internal accounting controls, by their nature, depend also on the personnel that implement, maintain, and follow them.”
In other words, while on the one hand the SEC calls upon organizations to implement accounting controls that will combat fraud, on the other hand – it also notes that these controls can only be as effective as the individuals who carry them out.
With the human factor being the weakest link in the security chain, manual controls are insufficient for mitigating the risk.
The SEC and FBI investigations
The fraud cases that were investigated by the SEC and FBI included two main categories of attacks:
Emails from fake executives: these are emails that come from persons purporting to be company executives. The emails are sent from a spoofed email domain and address of an executive (typically the CEO) making it seem that the email is legitimate.
In the cases investigated by the SEC which involved emails from fake executives, the spoofed email directed the organization’s finance personnel to engage with a supposedly legitimate external attorney, who is identified in the email and who then directs the relevant finance employee to execute a large wire transfer to a foreign bank account that is controlled by the fraudster.
Emails from fake vendors: this type of cyberfraud involves assuming the identity of the organization’s vendors. After hacking the vendor’s email account, the perpetrator makes a fraudulent request for payments and/or payment processing details.
A correspondence then ensues with the relevant finance personnel at the paying organization, and a request is made to execute changes to the vendor’s bank account information. In this case, doctored invoices which include the new (fraudulent) account information are often attached to the email.
As a result, the organization makes a transaction on outstanding invoices to the (often) foreign account that is controlled by the fraudster, rather than to the valid accounts of the legitimate vendor.
The above noted types of social engineering attacks have also been found recently to be used in new types of schemes, which include – the subsidiary attack.
Known cases of subsidiary attacks include victims such as Nikkei, Toyota, Leoni, and Tecnimont. In this case, cybercriminals opt to target the company’s subsidiary and exploit the longer communication chain that would need to be tracked in order to pick up on any potential wrongdoing.
Further to the data provided by the FBI and SEC, the main findings from the respective reports include:
- Social engineering related losses are growing year over year.
- Social engineering techniques continue to evolve, with recent cases showing an increased use of advanced technologies such as real-time voice cloning, phone spoofing, and email system hacking.
- Global entities with multiple subsidiaries, headquarters, and branches are more likely to be attacked.
- Current methods for identifying social engineering still rely primarily on manual controls.
- One out of every three employees fail social engineering training. Accordingly, manual controls can only partially address the social engineering challenge.
What organizations should do
As cybercriminals are continuing to exploit the vulnerabilities in an organization’s systems and people-lead processes, it can be noted that control environments that are based on manual controls are ineffective.
Organizations need to review policies and controls to make sure they take into account the fact that their digital applications and voice communication are likely or have already been spoofed or manipulated.
For an organization to prevent falling victim to social engineering, it must include automation in its internal controls for:
- Validating bank account ownership: organizations should incorporate tools to query bank account ownership information collected from trusted third parties and directly validate whether an account belongs to the vendor who is making the request before the change is applied to the vendor master data file.
- Real-time automatic monitoring: of ACH and wire payments to ensure that payments are sent only to accounts whose ownership has been duly validated in advance.
- Protecting email communications: implement fraud detection tools that flag external emails, emails sent from suspicious domain names, emails whose “reply to” is different than the displayed sender address, and the like.
The above automation should be used in conjunction with existing manual controls such as:
- Confirming requests through direct communication with the vendor, whether by email or telephone: though, never by using the same email address or phone number that appears on the caller ID window or which appears on the invoice from the requester. Confirmation requests should also be sent to more than one stakeholder at the vendor organization.
- Training of employees with periodic refresh sessions.
- Limiting access to master data files and establishing a master data team that holds sole ownership over master data updates.
- Segregating duties by requesting approval from several approved and authorized stakeholders regarding sensitive changes.
Since manual controls are easy to bypass and hard to track, the key to preventing social engineering lies in the introduction of automation to internal controls.
Automation will mitigate the risk of the human errors that lead to fraud-driven financial losses. By automatically monitoring payments in real time, automation can stop an attack before it happens and before a payment is executed.