After hardening our corporate environment and improving our device management as the chief information security officer (CISO) with other organizations, I began to notice the threat landscape changing and evolving rapidly. Specifically, social engineering and phishing tactics shifted seemingly overnight and continued to stay steps ahead of our awareness training.
Instead of sending emails to corporate addresses protected with multiple security solutions, cybercriminals started doing their homework, using social media sites like LinkedIn to capture names, roles, and photos to build dossiers on individual users.
They then started engaging our employees through messaging apps like WeChat, Facebook Messenger, WhatsApp, and Signal. The cybercriminals set up accounts under the names of senior managers or executives from our company. They used names and photos they found on social media to mimic the person's name and likeness. They became very effective at becoming the person they were imitating.
After creating these social accounts, the cybercriminals then used them to reach out to unsuspecting employees. The employees saw the name and photo, and immediately assumed they were chatting with someone they knew. The fake account holder then asked them to make changes or process requests. They used the pretext that they'd been locked out of their corporate account or that they were looking at a merger and acquisition and didn't want to put the request into the corporate system as cover for instigating the request from a personal account. Next, they asked for a purchase order to be paid or for a bank account number to be changed.
When done legitimately, these requests typically followed standardized processes to prevent these exact types of scams. Yet, over and over again I saw how powerful these fake identities were in causing my employees to forget these processes. Instead, they genuinely wanted to help and truly believed that's what they were doing.
We had a few of these reported over the course of a week. This led to us crafting specific awareness training — a unique program for high-impact teams, including finance, human resources, accounting, and others. We adapted our annual awareness training to reflect this change in tactics. We also added examples of these types of attacks to our internal newsletters and communicated them to our entire organization.
Attackers will learn how to get to our end users. They have every incentive to do so. If they don't get to our employees, then they don't make money. They are financially motivated, and they will continue to adapt to find a way to be successful.
Here are six ways your organization can adapt to protect your employees and your business.
Conduct security awareness training
Ensure your organization is trained. Every user needs to be aware of these types of attacks and fraud attempts. They can detect, report, or simply ignore them if they have the right knowledge. This will not only help to protect the business, it will also help protect our employees in their personal lives, as they will be less likely to fall for these types of attacks against their personal accounts.
Update apps and mobile devices
All software has flaws. When a patch is available, it's always best to update it. Even if there isn't a listed security fix, things that are not part of the updated notes are being updated or fixed.
Encourage use of privacy settings
Most applications have privacy settings. Warn employees against leaving their accounts, profiles, and posts up for anyone to see. Apply privacy to prevent unsanctioned eyes from seeing your content. Don't allow pictures and personal information to be downloaded without the user’s consent. This won't be available on every platform, but it's always wise to set privacy settings to see the available options.
Focus on credentials
Encourage employees to use strong credentials when signing up for accounts. The last thing you want is for someone to compromise your account and then use it to trick your contacts. Mandate strong passwords and enable two-factor authentication where available or, better yet, multifactor authentication.
Think before you click
Explain the importance of being mindful of clicking links. Not every link is legitimate. Teach users to consider the context surrounding the link being shared before clicking on it. Where possible, hover over the link and see if the link is going to the domain you'd expect. When in doubt, don't follow odd requests.
Ignore sketchy messages
Establish a protocol for giving strange requests greater scrutiny. If it's a stranger, ignore it. If it claims to be from a known person, verify. Reach out via another method, like a corporate messaging solution such as Slack or Teams, or verify using a mobile number. Remember, often, employees want to help or avoid bothering a superior, so make sure they know that will not be the case.
In all my interactions with executives and senior business leaders, I have never had one complaint when I reached out to verify their identity or confirm one of their requests. So don't be afraid to do it. It's easier to confirm ahead of time than to explain why a predetermined process that led to the company losing money got ignored.
Cybercriminals and scammers are good at their jobs, and we wouldn't have ours if they weren't. They are social engineering experts. They know how to appeal to emotions and get people to act the way they want. But following these steps can reduce the risk of falling victim to their requests.
Stay safe out there, friends!
Read more Partner Perspectives from Zscaler.