Published : 6 years ago, on 24/08/2018

Andrew Avanessian, COO at Avecto

Social engineering, a common technique used by cyber criminals to deceive and manipulate individuals into disclosing sensitive information, used to have a reputation for being nothing more than a quick and simple email scam. Nowadays, the financial services sector is one of the highest targets in the world of cyber crime, due to the highly sensitive nature of the information that companies process and store. And so this simple scamming tactic has evolved to become one of the most sophisticated threats facing the industry.

The use of emails, attachments, social media platforms and phone calls to trick people into handing over confidential details is commonplace.

Research from Positive Technologies found that more than one in ten employees fall for social engineering attacks, and this number is likely to increase as the attacks become more advanced.

While scams such as fake phone bills or emails from unknown addresses asking you to click on links are now obvious, social engineers are becoming much subtler, and in turn convincing, in their approach. It all starts with an email address and employee name, which can easily be found online.

Then, using the masses of data openly available on the internet, and technology that can infiltrate devices in new ways, cyber criminals can craft tailored communications designed to trick a recipient into downloading malware, or even to convince an employee to hand over sensitive information or bank details. While many people may assume they’d recognise malicious scams, modern threats are extremely difficult for most people to spot, particularly when hackers will often ask for seemingly benign details about people, rather than financial details. Personal information is an increasingly valuable tool for hackers, and can result in very tailored attacks, making it even more important to keep all forms of personal data safe.

Examples of modern social engineering attacks include emails which appear to be from a senior staff member, using the same language that they would normally use, asking specifically for something you’ve been working on. Another may be an SMS message on your phone that appears in the same thread as messages from your bank.

By exploiting an individual’s trust and curiosity, social engineering attacks can be uniquely effective at infiltrating an organisation. Within the financial sector, there is still a common misconception that organisations are more secure than those in other sectors due to their compliance with stringent regulations. While this may be somewhat true, they are not automatically safeguarded from social engineering scams, and attackers can still strike unwilling victims.

All it takes is one employee clicking on one email link for malware to be downloaded and spread through an entire corporate system. Hackers will often try to get their victims to download an attachment, such as a Microsoft Word document, which allows them to easily launch malware within a company network. Therefore, combating these attacks should start with staff education. Encouraging employees to be more suspicious with regards to unsolicited communication, being wary of who adds them on social media and training them to spot potentially malicious content goes some way toward alleviating the risk of these attacks. Encouraging staff to regularly change their passwords and asking them to report anything they are suspicious about also helps to promote a healthy security culture within an organisation and keep the rest of the workforce alert to likely scams in order to prevent further breaches.

That said, it is important to remember that when it comes to cyber security, people are and will always be the weakest link. This is especially the case for junior members of staff who may have unnecessary access to sensitive corporate information. They may not be aware of the potential consequences of information such as company, staff or banking details falling into the wrong hands, and may be more likely to fall for communications purporting to be from a CEO or senior staff members demanding sensitive details to be sent over.

With hackers devising increasingly creative methods to obtain corporate information and using sophisticated software to launch attacks, sometimes education will never be enough on its own. Organisations, therefore, need to remain vigilant to these threats and proactive in their defence strategy. Preventing users from accessing data outside of their responsibility can help to alleviate the pressure significantly. Restricting employee access to the data needed to carry out their role means that if a hacker were to launch an attack successfully, the amount of data that they would be able to access would be greatly reduced. Combining this with application white listing, which can prevent unknown or malicious apps from launching, can stop social engineers in their tracks.

All of these methods lay the foundations for a robust security posture on which to build. Being aware of security threats, along with the different forms they can come in, ensures that financial organisations can start to take the simple proactive steps necessary to keep themselves, along with their employees and sensitive information, safe.