Beware of social engineers: 3 high-profile attacks you can’t afford to ignore

As news of another concerning Pentagon data breach makes headlines across the globe, we look back at three high-profile social engineering hacks and what they teach us.

While the exact number of social engineering attacks globally is difficult to determine, the 2022 Verizon Data Breach Incidents Report suggests 82% of breaches involve humans.

The most targeted industries

In the Phishing Activity Trends Report for the 3rd Quarter of 2022, the total number of phishing attacks reached a record high of 1 270 883, making it the worst quarter for phishing attacks ever observed.

In terms of industries targeted, the report found that attacks against the financial sector remained the largest, accounting for 23.2% of all phishing, while attacks against webmail and Software-as-a-Service (SaaS) came in at 17%, and retail/eCommerce attacks came in at 4.1%. Matthew Harris, Senior Product Manager at OpSec Security, also noted that: “The Logistics and Shipping sector saw a large fraud volume increase, led specifically by a large increase in phishing against the U.S. Postal Service.”

Specific to email-based threats, John Wilson, Senior Fellow in Threat Research at Fortra, noted that there was a “488% increase in response-based email attacks in Q3 2022 compared to Q2.” Such a steep and significant increase further demonstrates the need for additional security measures to stem the rising tide of email scams that pose a serious threat to organizations in almost every industry.

FIFA World Cup 2018 inspired scams

As a rule, cybercriminals leverage the hype around global and national events in pursuit of lucrative dealings – and the 2018 FIFA World Cup in Russia was no exception! In the lead-up to the event, countless scammers targeted soccer fans from all over the world with World Cup-themed phishing emails, particularly whenever match ticket sales opened.

Researchers from Kaspersky Lab reported: “Every time tickets went on sale, fraudsters mailed out spam and activated clones of official FIFA pages and sites offering fake giveaways allegedly from partner companies. And as the event drew nearer, the cyber scams reached a fever pitch.”

The scams took several forms: phishing emails offering ticket giveaways or the chance to win a trip to a match; spoofed emails fraudulently sent in the name of FIFA and its sponsors; cloned websites intended to steal personal, financial, and bank card credentials; and social engineering tactics that dangled enticing “special offers” to lure victims into opening attachments and downloading malware.

The FIFA World Cup’s phishing and spoofing attacks show the need for extra security measures due to the prevalence of “too-good-to-be-true” scams.

A bank heist in Bangladesh

In February 2016, reports surfaced that $81 million had been pulled from accounts at Bangladesh Bank over just a few hours. Considered one of the biggest bank heists of all time, what set this attack apart was its tactics. Traditionally, bank hacks involved stealing login credentials from account holders to gain access to the funds in their accounts. In the case of Bangladesh Bank, cybercriminals targeted the bank itself and used the SWIFT credentials of employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York, moving millions of the Bank’s funds to accounts in the Philippines, Sri Lanka, and other parts of Asia.

The hackers gained access to the bank’s network through a phishing email carrying malware, which was also designed to cover their tracks. A stroke of fortune in the form of a printer “error” helped the Bank discover the heist and take steps to prevent the loss of a further $850 million. The hackers might have walked away with more if not for a typo in the word “foundation” (which they misspelled as “fandation”) in one of the money transfer requests, which was noticed by the Federal Reserve Bank of New York.

For the banking industry, and related industries and organizations, the breach was bad news because it exposed vulnerabilities in the SWIFT network and the global banking processes. The hackers proved they were able to undermine the system that had, until 2016, been considered bulletproof.

When two tech giants lost millions

It may come as a surprise, but even tech giants, like Facebook and Google, are susceptible to falling victim to a phishing attack – and in this case, it cost each of them over $100 million, wired to a hacker living in Lithuania.

A textbook example of spear phishing, the attack targeted specific employees with fraudulent emails sent from fake accounts designed to look like they came from a genuine Chinese supplier. The emails carried fake invoice attachments, and the employees who received them responded by simply paying the invoices into the fake company’s bank accounts.

The unusual part of this story is that the hacker was caught and some of the funds were recovered. Even so, it is yet another reminder of why these attacks continue to occur – and succeed: because of people.

Concerningly, even if the employees of these companies had received training on how to identify phishing and spear phishing attacks, it may not have been enough. A study shows that participants who received extensive training showed very little change in behavior three months later, still exposing themselves to credential theft and phishing scams.

When it comes to the challenge of cybersecurity, your systems are only as strong as their weakest link, and it takes just one human misstep to seriously compromise a system.

Given the central role played by humans in the success of cyber-attacks, it’s more important than ever to invest in security controls that mitigate that risk for an organization and its employees. DMARC is one protocol worth implementing, as it blocks the kind of email spoofing and phishing that drove the attacks in these three case studies.
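To make the DMARC recommendation concrete, here is an added example (not Sendmarc’s code or any of the organizations’ own) that parses a DMARC TXT record and works out the disposition a receiving mail server would apply to a spoofed message, such as one sent “in the name of” a brand or supplier. The domains, records and authentication results below are constructed for illustration; the organizational-domain logic is simplified to the last two labels and the pct/sp tags are ignored.

```python
"""Minimal DMARC evaluator (added example, constructed data, simplified org-domain logic)."""


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # default alignment modes are relaxed
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")   # no policy tag means monitor only
    return tags


def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode only needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') on failure.

    DMARC passes if EITHER SPF or DKIM passed AND that identifier aligns with the
    RFC5322.From domain; a passing result on an attacker-controlled domain does not help.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed records: the weak one only reports spoofing, the hardened one rejects it.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@supplier.example"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@supplier.example"

if __name__ == "__main__":
    # A forged invoice: From: supplier.example, but SPF only passes for the attacker's own domain.
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, dmarc_disposition(rec, "supplier.example", "pass", "attacker.example", "none", ""))
```

Under the weak record the forged invoice is merely reported and still reaches the inbox, which is why publishing p=none is only a first step.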

Find out how we can help your organization protect its email domain and prevent unauthorized use that could see it serving as an example of the worst-case scenario. Get in touch today and reduce your vulnerability to social engineering attacks and their devastating impact.

This article was originally published on Sendmarc.