Social Engineering Scams Evolve & Threaten Financial Institutions
Social engineering scams, one of the oldest tricks in the financial fraud book, still threaten financial institutions and other businesses through malware, ransomware and email attacks, per San Mateo, Calif.-based Agari.
Some 60% of more than 200 U.S. security leaders surveyed, by Agari and Information Security Media Group, know they either were or might have been social engineering victims during the past year, and 94% recognize social engineering, including spear phishing, as a significant business threat. In addition, 65% of those attacks involved employees' login credentials, and 17% concerned financial accounts.
The techniques cybercriminals are opting to choose right now should put finance departments on high alert. What makes these scams more dangerous is their development. “If you are thinking about the old social engineering attacks, like the Nigerian scams, those took a rather naïve person to believe it,” Markus Jakobsson, author (Understanding Social Engineering Based Scams) and Agari’s chief scientist, said. The enterprise facing attacks are very plausible because they are business email compromises disguised as everyday work activities such as processing invoices or acquisitions. “At work, it is your responsibility to take care of things that look like work.”
He added email-based attacks using social engineering are enabling cybercriminals to steal corporate secrets, carry out politically motivated attacks and steal massive amounts of money.”
Plus, it is not just a matter of educating staff. “What I am continuously surprised by is that people believe you can teach end-users to watch out,” Jakobsson, said. “Because my experience is that you can teach people about one particular attack but when the attack changes just a little bit they will be absolutely be unaware of this being an attack. I am not saying people are dumb I’m saying this is a complex topic.”
The archetypal Depression-era bank thief, John Dillinger was well-known for his sophisticated social engineering schemes, which ranged from posing as a bank-alarm system salesman to pretending to film a bank robbery scene in order to stake out potential marks. For his efforts, Dillinger swiped several hundred thousand dollars from 1933-1934.
Today millions are at stake at financial institutions. Jakobsson suggested, there is a lack of safeguards for internal social engineering type attacks at credit unions and banks. “People with admin access at financial institutions are much more prized victims because it is harder to say what is anomalous or not for such a transaction such as what happened in the SWIFT attacks.” It was a combination social engineering, malware and insider knowledge that led to the that compromise.
During one attack in February 2016, hackers used the SWIFT messaging system of Bangladesh's central bank systems to submit 35 payment requests to the Federal Reserve Bank of New York, transferring $101 million to bogus accounts in the Philippines’ Rizal Commercial Banking Corporation and a Sri Lanka-based financial institution. The New York Fed became suspicious and denied 30 of the requests, but not before the release of $81 million to a foreign exchange broker.
The Agari scientist noted that the big financial companies are more concerned about the scattershot attacks, whereas the small financial companies and credit unions should be more concerned about targeted attacks. “Credit unions also differ from larger financial institutions because they don’t have large in-house security teams. They are much more dependent on tools provided to them by third parties.”
Jakobsson observed that the top five credit unions in the U.S. have no active protection against email attacks that use identity deception (e.g. spoofs, look-alike domains, display name deception); three have adopted a domain-based message authentication, reporting and conformance strategy, an email authentication protocol, but haven’t fully implemented it (no quarantine or reject policy in place); and two haven’t yet adopted DMARC at all.
Agari provides defenses through its Agari Enterprise Protect, which safeguards against targeted email attacks; and Agari Customer Protect, which shields the enterprise’s brand.