Social engineering is a method cybercriminals use to exploit your trust and gain a foothold in your network. It happens to both individuals and large corporations. Here are three recent social engineering attacks and what to learn from them.
1. Robinhood Markets Inc. (2021)
Robinhood Markets Inc. suffered a data breach on November 3, 2021 in which roughly 7 million customers had their details stolen. The company reported that an unauthorized third party obtained access to the personal information of a portion of its customers. While Robinhood did not provide specific details, it stated that “the unauthorized party socially engineered a customer support employee” over the phone and thereby obtained access to certain customer support systems.
About 5 million Robinhood customers had their email addresses obtained, and another 2 million had their full names obtained. A smaller number of people – a total of 310 – had their names, dates of birth, and zip codes exposed, and approximately 10 of those customers had more extensive account details taken.
After Robinhood detected and contained the breach, the unauthorized party demanded an extortion payment in exchange for not releasing the stolen information. Robinhood promptly informed law enforcement and is investigating the incident with the help of Mandiant, an outside security firm.
2. Shark Tank’s Barbara Corcoran (2020)
Barbara Corcoran – one of the investors (or “sharks”) on ABC’s Shark Tank – was targeted by a cybercriminal looking to steal her money. The attacker used business email compromise (BEC), a lucrative attack method built on social engineering.
Corcoran gave a firsthand account in February 2020 of how the scam targeted her and her office and took almost $400,000. As in most social engineering operations, the attacker(s) clearly did their research and preparation before striking. Posing as Corcoran’s assistant, the attacker sent her bookkeeper a fraudulent email approving an invoice payment for a real estate renovation. The message came from a lookalike address that differed from the assistant’s real address by a single character, a difference easily missed by the human eye.
There was also little reason to be suspicious of the transaction itself, because Corcoran invests in real estate often. Only after the wire had been sent did the bookkeeper copy the assistant’s correct email address on a follow-up, which exposed the fraudulent transaction. Because the attack was identified only after the payment had cleared, Corcoran and her team were initially unable to recover the money.
3. Toyota (2019)
In 2019, Toyota Boshoku Corporation – a car components manufacturer in the Toyota Group – announced that one of its European subsidiaries had lost more than $37 million. This, too, was a BEC attack. The company said that a fraudulent payment directed by a “malicious third party… resulted in a financial loss at our European subsidiary,” with the expected loss put at approximately $37 million at the time.
Toyota discovered the fraudulent transaction only after the funds had left. The attacker used BEC to target a Toyota Boshoku finance executive: the payment itself was legitimate and intended for a real recipient, but through social engineering the attacker persuaded the executive to change the bank account details on the wire transfer so that the money went to an attacker-controlled account.
How to Detect Social Engineering
Clearly, regardless of how well-known an individual is or how large the corporation is, someone will fall for a social engineering attack. What can you do to avoid becoming a victim?
As Corcoran’s BEC case shows, you should always look at the sender’s email address carefully. A single-letter difference in an address can make a $400,000 difference in your wallet. Those single-letter differences are hard to spot, so it is always best to confirm any payment request or change of bank details with the relevant staff and superiors through a channel other than the one the request arrived on.
Another thing you and your organization can do before a social engineering attempt occurs is to run risk assessments across the organization. These assessments identify the weakest points in your security, including which people and processes are most likely to be targeted by, and fall for, a social engineering attack.
Security Awareness Training
After determining who is most likely to fall victim to a social engineering attack, implement security awareness training. This should not be a one-time exercise. Security awareness training should be an ongoing activity so that its importance is reinforced. Continually refreshing good security practices keeps security top-of-mind among employees, and employees who keep security in mind are the first line of defense your organization has against social engineering.
How to Avoid Social Engineering Attacks
Social engineering attackers intentionally design their communication to target human nature and characteristics. As a result, they are hard to detect and avoid. However, there are still ways you can detect – and thus avoid – social engineering attacks.
Check the Source
Always check where a communication is coming from, and be suspicious of any communication or material you don’t recognize. Found a USB stick lying mysteriously on your desk? Don’t plug it into your computer. Got a phone call telling you that you have received a hefty inheritance? Too good to be true. Received an email with a link promising a gift card? Treat the link as suspicious.
Checking the source of a suspicious communication is the easiest way to protect yourself from social engineering. For example, you can compare a sender’s email address against the address you already have on file for that person, and you can hover over hyperlinks to see where they actually point before clicking.
However, checking the source is not foolproof. As Corcoran’s BEC case shows, it can be hard to catch the difference in a cybercriminal’s email address. When in doubt, reach out to an official representative through a contact method you already trust.
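The two “check the source” checks above (compare the sender against a known address, and compare a link’s visible text against its real target) can be automated for an inbox or a mail gateway. The following is an added example written for this page, not code from the original post or from any of the companies mentioned; the address book, the “homoglyph” substitutions, and the sample message body are all constructed for illustration.

```python
"""Flag lookalike sender addresses and deceptive links in an email body.

Added example: the contact list, substitution table and sample HTML below are
constructed for illustration and are not real addresses or real messages.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical address book: the senders we have verified out-of-band.
KNOWN_CONTACTS = {
    "assistant@corcoran-example.com",
    "bookkeeper@corcoran-example.com",
}

# Visually confusable sequences attackers use in lookalike addresses
# (small illustrative table, not exhaustive). Applied before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(addr: str) -> str:
    """Lowercase and collapse confusable sequences so 'exarnple' == 'example'."""
    s = addr.strip().lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def classify_sender(sender: str, known: set, max_distance: int = 2):
    """Return ('known', None), ('lookalike', closest_known) or ('unknown', None).

    A sender that is not on file but sits within max_distance edits of a known
    contact (after confusable collapsing) is the one-character trick from the
    Corcoran case and is flagged rather than silently trusted.
    """
    s = sender.strip().lower()
    if s in known:
        return "known", None
    ns = normalise(s)
    best, best_dist = None, None
    for k in sorted(known):
        d = levenshtein(ns, normalise(k))
        if best_dist is None or d < best_dist:
            best, best_dist = k, d
    if best is not None and best_dist <= max_distance:
        return "lookalike", best
    return "unknown", None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


_HOST_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html: str):
    """Return [(visible_text, real_host)] for links whose shown host differs
    from the host the href actually points to (what 'hovering' reveals)."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = _strip_www(urlparse(href).hostname or "")
        m = _HOST_IN_TEXT.search(text.lower())
        if not m:
            continue  # plain text like "Help": nothing to compare against
        shown = _strip_www(m.group(0))
        if shown != real and not real.endswith("." + shown):
            findings.append((text, real))
    return findings


# Constructed sample body: one deceptive link, two honest ones.
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<a href="https://examplebank-login.example.net/x">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help</a>
<a href="https://www.examplebank.com/contact">examplebank.com</a>
"""

if __name__ == "__main__":
    for s in ("assistant@corcoran-example.com", "assistan@corcoran-example.com",
              "assistant@corcoran-exarnple.com", "newsletter@vendor-example.org"):
        print(s, "->", classify_sender(s, KNOWN_CONTACTS))
    print(mismatched_links(SAMPLE_HTML))
```

The sender check deliberately reports a near-miss as a lookalike rather than treating it as a new, unknown contact: an address one edit away from someone you already deal with is far more likely to be an impersonation than a coincidence. The link check only fires when the visible text itself names a host, which is exactly the case where a reader would reasonably believe they know the destination.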
Break the Loop
Reaching out to an official representative “breaks the loop” of the cybercriminal’s correspondence. Social engineering attackers usually depend on a sense of urgency; they hope their targets will not stop to think about the situation. The more time passes, the more likely the pretext is to unravel, which is why attackers stress how urgent a matter is in their communication.
No matter how urgent a matter appears, be cautious and suspicious of any transaction. You can double-check its legitimacy by calling the official phone number or typing the official website URL yourself, never by using a number or link supplied in the suspicious message. This way you avoid giving sensitive data over the phone to a stranger, and you avoid following a malicious link.
No one is immune to the threat of social engineering. The best defense is therefore to educate the people within your organization on how not to fall for a social engineering scheme. Whether it’s email or text, always check a link or attachment before opening it, and always be suspicious of urgent orders, especially those that involve a lot of money or a change in payment details.
Social engineering attacks are hard to spot because they arrive through the same channels as legitimate business: email, text, or voicemail. Learning to recognize the techniques takes time and effort, but staying aware of what social engineering can do will help your organization stop suspicious transactions before the money leaves.