Criminals have figured out they don’t have to hack into computer systems or try to get Social Security and credit card numbers. They realized they could just ask for money. And that’s what they did.
Social engineering is when a criminal attempts to manipulate someone unknowingly, perhaps through a phishing attempt that uses email or text messages to try to get that person to divulge passwords or other credentials. Social engineering has also been successful with another simple request: money transfer. These attempts may be disguised in email requests that look like an invoice from a vendor, or appear to be sent from a senior executive inside the company.
“[A criminal] can literally just ask the person in charge of the money to transfer the money,’’ says Gabriel Bassett, a co-author of Verizon’s 2019 Data Breach Investigations Report. “You can skip all the hard stuff.”
Increasingly, the C-suite is the target of such expeditions. Verizon’s report says that 60 C-suite executives were targeted in 2018, compared to nine the year before. And 36 confirmed breaches involved someone in the C-suite giving the goods to the attackers, compared to just five the year before.
“Some of these phishing attacks are extremely well engineered,’’ says Adam Sedgewick, senior IT policy advisor with the National Institute of Standards and Technology. “The attacker might put months of work into convincing the executive [to transfer money].”
In fact, such social engineering has been on the rise from 2013 to 2018. A third of all confirmed breaches involved some kind of social engineering in 2018, according to the report. This increase comes as other types of attacks have decreased—notably, physical attacks such as hacking credit cards at a retailer’s point of sale. The rise of mobile devices has made social engineering easier, as smartphones tend to be smaller and harder to decipher. Additionally, peoples’ attention tends to be split when they engage with their phones.
So what’s the damage? In successful social engineering attempts, the median amount transferred was $24,000, Bassett says. One way to avoid fraudulent transfers is to have more than one person confirm that the payment is legitimate. There shouldn’t ever be one person with the power to transfer $24,000 from the corporate coffers.