Originally Posted On: wsj.com
With ‘social engineering’ schemes, cybercriminals trick employees into handing over valuable information.
Often it begins with an innocuous-seeming email from an internet domain that closely resembles the victim’s. The message may appear to come from the company’s chief executive or another senior executive. “Are you at your desk?” it asks. “I need your help with something.”
Only after the conversation has begun will scammers ask for what they really want—a transfer of money. But by then it is often too late. The victim believes he’s emailing his boss and makes the payment.
Security pros call this social engineering, and it is replacing malicious software as the weapon of choice for cybercriminals. Social engineering is a bit of a catchall phrase, but it applies anytime hackers trick employees into sharing intelligence that helps the hackers find vulnerabilities in company systems and carry out attacks. In addition to increasingly personalized phishing emails, it often involves phone calls in which the criminals trick employees into handing over private information or account passwords. Some employees have been tricked into wiring millions of dollars to offshore bank accounts controlled by the thieves.
“Social engineering is essentially the easiest tool in the hacker’s toolbelt,” says Kathryn Sherman, a supervisory special agent with the Federal Bureau of Investigation. “All the information they need is available to them free online,” she says, because corporations have put more of our personal data online. “Less-technical hackers are using it to gain access to companies and are defrauding our economy for billions of dollars.”
Today about a third of all cyberattacks start with social engineering, according to research by International Business Machines Corp. and the Ponemon Institute. Five years ago the number was 19%.
Social-engineering attacks that include a detailed fraudulent business email are responsible for $12.5 billion in losses, the FBI says.
Behind the push
A few things are pushing social engineering to the forefront of online fraud. Companies like Apple Inc. and Microsoft Corp. have invested billions in improving the security of their products, and consumers have moved much of their data to cloud computing services, making conventional hacking less effective.
[Graphic: Don't Be Fooled. The three most common social-engineering techniques, according to the FBI]
“Over the past five years they have made hardware and software really difficult to break,” says Christopher Hadnagy, chief executive of Social-Engineer LLC, a consulting company that helps companies understand these techniques. “Where we’re seeing the big vulnerabilities is in social engineering.”
Ken Bagnall, a vice president at the computer-security company FireEye Inc., says one reason these types of attacks are so effective is their use of what he calls psychological authentication. “If you have the name of their boss in an email, people will have a huge emotional response,” he says. “And all social engineering is based on emotional response.” The criminals are masters of techniques like these, Mr. Bagnall says. Phishing emails, for example, have 10 times the click-through rate of marketing emails, he says.
Def Con demonstration
At the DEF CON computer-security conference in Las Vegas in August, hackers made a sport of their social-engineering techniques. In front of an audience in a Caesars Palace conference room, they called and conned their way through the call centers of a variety of large companies, probing for security weaknesses, says Mr. Hadnagy, the organizer of this particular event.
The contest is meant to raise awareness about the problem, not to do anything malicious, says Mr. Hadnagy. “We demonstrate social engineering by actually making calls to people and getting random strangers to give you pieces of information they should never give you,” he says.
During the event, he says, hackers asked their marks a range of things. Who is the company’s caterer? What operating system is on the employee’s computer? Will they click on a webpage provided by the social engineer? Most of the callers pretended to be a co-worker calling in for some help. Some pretended to be with the company’s IT support group. One said he was a reporter working on a story.
Everyone who tried succeeded in fooling the company they called to some degree, Mr. Hadnagy says. And more than half of the contestants managed to con employees into visiting websites that they shouldn’t have, he says.
Companies are getting wise to social engineering, however. For example, at FACC AG, a maker of aircraft parts and systems that lost millions in an attack, education about social engineering is now a priority, says Andreas Perotti, a company spokesman.
The company’s IT department regularly sends out information on new scams and takes steps to educate new hires on this topic too, he says. “It is important to incorporate this education in the daily work life,” says Mr. Perotti.
Other companies are starting to factor social-engineering training into their compensation plans, says Dave Burg, a cybersecurity executive with the professional-services company Ernst & Young LLP. Employees who do well in phishing tests, for example, get paid bonuses. Those who consistently fail them can face sanctions or even termination, he says.
Written By: Robert McMillan
Mr. McMillan is a reporter for The Wall Street Journal in San Francisco.
Appeared in the September 19, 2018, print edition as 'Hackers’ Prime Target: Your Mind.'