Human Factored Cyber Attacks Will Cost You

Last week, IBM and The Ponemon Institute released their annual Cost of a Data Breach Report. For the past 15 years, the report has highlighted recurring and emerging factors that contribute to the cost of data breaches, as well as the root causes of those breaches. One of the key findings in this year’s report is that human factored cyber attacks not only make up a large percentage of all malicious attacks, but are also incredibly costly to the businesses that suffered breaches. This only confirms the importance of cyber awareness training for employees to limit the risk of a human factored attack.

There are many different causes of a data breach, some of which are merely accidental. However, according to this year’s report, malicious attacks now make up 52% of all breaches. This wasn’t always the case. In fact, malicious attacks have seen a 24% growth rate in just six years. Malicious attacks are also the most expensive, costing businesses an average of $4.27 million. That’s nearly $1 million more than all other causes of a breach.

Given the frequency and cost of malicious attacks, it’s important to look closer at the different threats that account for their rise — and the data is surprising. While expected threats such as system vulnerabilities and malicious insiders are certainly present, human factored cyber attacks make up a large chunk of all malicious attacks. Threats ranging from phishing attacks, to business email compromise, to social engineering and cloud misconfigurations are all rooted in human rather than technical vulnerability, and account for 41% of all malicious attacks leading to data breaches. Indeed, this report correlates with what was presented in the Verizon 2020 Data Breach Investigations Report.

Human factored cyber attacks aren’t something you can protect yourself against strictly through technical safeguards. Instead, protecting against these vulnerabilities requires working with employees, establishing proper quality control protocols, ensuring you have the right expertise on your team, and using cyber awareness training to help build safer online habits.

As a Fortune 100 CISO once told me, “at the end of the day, every cyber incident starts with someone making a decision.”

Cyber Criminal Minds

Nigerian prince email scams — also called 419 scams — are some of the oldest forms of cyber-attack around. It’s easy to think that they’re just old news, now more the punchline of a joke than something that could actually happen. But the truth is, these scams continue to be highly successful. In fact, Americans lost $703,000 in 2018 by falling for them.

How they work

The most famous examples usually involve a too-good-to-be-true investment opportunity or an urgent plea to help get money out of the country in exchange for a piece of the sum. However, as people started to catch on to the scam, the scenarios the scammers use began to change.

But in whatever form, 419 scams generally follow a specific format. It starts when the victim receives an email (or, more recently, a text) out of the blue. The scammers quickly try to build the victim’s trust, sometimes using official-looking documentation or even impersonating someone the victim knows, with the goal of eventually getting the victim to disclose their bank account number and other personal information. At this point the scammers can access the bank account and withdraw any amount of money they want.

The Better Business Bureau highlights a few of the most common forms these scams take today:

Beneficiary of a will

In this case, the victim receives an email claiming they were named the beneficiary of some long-lost relative who has left them large sums of money or valuable property. The email requests personal information to confirm the victim’s identity and, of course, asks for bank account information so the funds can be transferred over.

Fake cashier’s checks – targeting online sellers

In this variation, a person selling something online is contacted by someone who wants to purchase an item. The scammer then “accidentally” sends a (fake) cashier’s check or money order for far more than the agreed-upon price and asks the seller to transfer back the difference. Often, the scammer will claim they urgently need their money back so that the seller transfers the money before the bank can verify that the check is a fake.

Donation solicitations

Lastly, this scam involves the victim receiving a request for a donation to help fight against a corrupt government or a violent group of criminals. The email stresses how urgent the need for money is and so requests a money transfer for more immediate help.

Why they’re so successful

Given how widely known this type of scam is, it’s a bit of a wonder that people continue to fall for it. But along with the fact that the scammers have changed up the scenarios, there are a couple of good reasons these scams continue to work. After all, they wouldn’t be so common if they weren’t successful.

Scammers are highly organized

We often think of scammers as some loner hunched over their computer in a dark room. But when it comes to 419 scams, there are entire organized crime circles devoted to carrying out these attacks. A 2019 CrowdStrike report breaks down how these scams are structured. At the top, a crime boss directs an entire team of “spammers, catchers, and freelancers” to carry out various aspects of the attack. “Spammers acquire email lists and operate advanced mail systems. The catchers monitor the responses to the spam campaigns and make first contact with victims … in order to advance the scam. Freelancers perform additional duties such as acquiring and developing infrastructure and creating fake documents.”

They exploit social vulnerabilities

Instead of looking for technical vulnerabilities to plant malware or other malicious software, these scams focus on our social vulnerabilities. Simply put, they look for ways to play on our emotions.

In some cases, they’ll try to prey on our greed. In other cases, they try to make us feel like a hero. As social psychologist Dr. Frank McAndrew explains, “we get the opportunity to feel good about ourselves by helping another person in need…After all, what could be more noble than helping an orphan in need or helping some poor soul recover money that rightfully belongs to them in the first place?”

They start small

Another way these scams work is by starting with small requests. Often the scammer won’t ask for much at first, but over time will claim they need more and more. There are psychological reasons this is so effective. In an article for Psychology Today, McAndrew writes, “Changing course is cognitively difficult because not only is it an admission of a bad decision, it also means giving up any hope of recouping our losses.”


Even if it’s not from a Nigerian prince, reports show that email scams are on the rise. Not only could they lead to financial loss, they could even expose sensitive information about you and your company. That’s why it’s important to learn to identify these scams in all their forms and be extra cautious about anyone —even if it appears to be someone you know— asking you to send money or other personal information over email. Taking the extra time to verify what’s really going on could be what saves you from getting tricked.

Learn Your BECs

In March of 2018, the director of the Dutch branch of the Pathé film company received an email from the CEO: “We are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.” 

After some back and forth, the employee transferred 800,000. In the days after, more requests were made and subsequently fulfilled, resulting in a total of 19 million transferred. Only afterwards did they discover these emails weren’t sent from the CEO at all, but instead from a spoofed email address set up to impersonate Pathé’s chief executive.

Situations like this are more common than you might think

While there were certainly a number of red flags that Pathé’s employee could have picked up on, business email compromise (BEC) schemes are actually a common form of cyberattack — and an often successful one.

This month, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, released an updated advisory on BEC schemes. The new advisory reflects just how easy it is for someone to gather information on an organization and pose as a boss in order to mislead employees into transferring funds to an outside account.

In fact, instances of email scams are increasing. As the report states, the number of successful email scams has more than doubled between 2016 and 2018, with an average of over $300 million per month in attempted thefts. What’s more, the advisory shows these attacks are moving beyond traditional wire-transfer schemes to include virtual currency payments, automated clearing house transfers and even purchases of gift cards.

How it Happens

According to the advisory, scammers have become successful at impersonating leaders within an organization by identifying vulnerabilities within the targeted company. They accomplish this in two main ways.

The first method is gathering publicly available information. This could include information listed on an organization’s website, or even employee information found on LinkedIn and other social media sites.

The second method is more nefarious, involving “cyber-related reconnaissance efforts.” In other words, scammers gather more intimate information on an organization through methods such as phishing campaigns and malware.

What You Should Do

Of course, organizations cannot respond to these risks by closing themselves off to the outside world. Publicizing what your business does and speaking with potential customers is an important part of how businesses grow. However, there are common-sense steps organizations can take to prevent the success of these email schemes.

The FinCEN advisory suggests all organizations should assess the risk around their business processes and practices. It suggests all organizations put in place a multi-faceted verification process for all electronic transactions. For instance, before any funds are transferred, steps need to be taken to verify that all participants in the transaction are who they say they are. This includes using multiple means of communication (email, phone, etc.) and contacting others authorized to conduct transactions. Organizations should also put in place a step-by-step policy for transferring funds both within and outside the organization.
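As an added illustration (not code from FinCEN, Pathé or the original post), the following Python sketch models the advisory’s verification steps as a release-of-funds policy: it surfaces the red flags a reviewer should note on a transfer request (lookalike sender domain, mismatched Reply-To, pressure language, an unfamiliar beneficiary), and it refuses to release funds unless a callback was made to a phone number from the company’s own directory and a second, distinct authorized person has approved. The directory, domain, phrases and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed directory: callback numbers for authorized executives. The number
# used for the out-of-band check always comes from here, never from the email.
EXEC_DIRECTORY = {
    "ceo@example-corp.com": "+1-555-0100",
    "cfo@example-corp.com": "+1-555-0101",
}
APPROVED_DOMAIN = "example-corp.com"
# Assumed pressure phrases; the Pathé email used "strictly confidential".
PRESSURE_PHRASES = ("strictly confidential", "urgent", "no one else", "immediately")


@dataclass
class TransferRequest:
    sender: str              # From: address on the request email
    reply_to: str            # Reply-To: address ("" if absent)
    body: str
    amount: float
    beneficiary_known: bool  # account on file and previously paid
    callback_confirmed: bool = False      # phone call to the directory number done
    approvers: set = field(default_factory=set)  # people who signed off


def red_flags(req: TransferRequest) -> list:
    """List the warning signs a reviewer should record before doing the callback."""
    flags = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != APPROVED_DOMAIN:     # catches lookalikes such as c0rp
        flags.append(f"sender domain '{sender_domain}' is not {APPROVED_DOMAIN}")
    if req.reply_to and req.reply_to.lower() != req.sender.lower():
        flags.append("Reply-To differs from From")
    lowered = req.body.lower()
    flags.extend(f"pressure phrase: '{p}'" for p in PRESSURE_PHRASES if p in lowered)
    if not req.beneficiary_known:
        flags.append("beneficiary account not previously paid")
    return flags


def may_release_funds(req: TransferRequest, requester: str) -> bool:
    """Policy: the sender must be in the directory, the callback must have been
    made, and someone other than the requester must have approved."""
    if req.sender.lower() not in EXEC_DIRECTORY:
        return False                       # nobody in the directory to call back
    if not req.callback_confirmed:
        return False                       # email alone is never sufficient
    others = {a for a in req.approvers if a != requester}
    return len(others) >= 1
```

Red flags are informational and do not by themselves block a transfer; the callback and second approver are the hard gates, so a convincing email with no flags still cannot move money on its own.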

The bottom line is that email schemes succeed because someone’s been tricked. All organizations need to invest in proper training and awareness-building. In fact, after the attack, Pathé’s CFO stated that the company “never trained or instructed him to identify fraud.”

BEC schemes can target employees at any level of your organization. Taking the time to teach all employees to identify fraudulent emails, and even running simulated phishing campaigns, can go a long way toward preventing email scams from succeeding.