Imagine for a moment that you’re one of a dozen employees at your company’s understaffed ITD (IT department) whose responsibilities include providing helpdesk function, patching and updating routines and ensuring a basic level of security protocols. This cloud-native company has just a few employees around the world. However, millions of customers use your company’s services online and their PII (personally identifiable information) is uploaded and stored on the company’s cloud servers.

One evening, just as you’re about to wrap up for the day, you get a series of urgent messages on WhatsApp and Slack asking you to authenticate a PIN. The message is from someone who claims to be part of the company’s internal security team but is based in another country. He says he has trouble logging in. He claims someone has compromised his password and PIN, and he’s trying to restore it. He says he’s been sending frantic messages to members of the company’s ITD in 10 countries. Everyone is busy.

At first, you ignore his messages. In the next 15 minutes, he sends 30 messages, each more desperate than the previous one. You respond via text, asking for his username and other details which he instantly provides. You crosscheck your database and find his name and PII details. You text your supervisor, but he’s not available; it’s already late at night. Your wife is waiting for you. In frustration and in response to a desperate 40th message, you give him the authentication PIN. He thanks you profusely and calls you a “Gift from God” before signing off. You rush home for dinner, unaware that you have just opened the door to a hacker who is going to hurt your company and ruin your career.

Time After Time

This is a story that has played out time and time again—companies invest millions of dollars into state-of-the-art cybersecurity systems, only to be brought down by a single, unsuspecting employee. Despite their expertise and resources, tech companies are just as vulnerable to cyberattacks as non-tech ones. In fact, their position as a hub of valuable data and innovative solutions makes them even more attractive targets. Moreover, the complexity of their systems and the speed at which they evolve can make them harder to secure and monitor effectively.

Take Uber, for example. In September 2022, a hacker stole an Uber employee’s Slack account. The hacker claimed to be from Uber’s ITD and persuaded another employee to hand over a password to gain access to Uber’s core systems.

It was not the first time. “In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded US$100,000 to delete their copy of the data,” The New York Times reported in September last year. “Uber arranged the payment but kept the breach a secret for more than a year. Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Mr Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.”

It’s a startling reminder that no matter how advanced your cybersecurity systems are, people will still be the weakest link. All it takes is one unsuspecting employee to compromise the entire organisation, leaving millions of users’ PII exposed. How can you protect against these “social engineering” scams?

Social engineering is a way of manipulating you into performing actions or divulging confidential information by playing on your emotional need to be nice, to do good, to be cooperative and kind. It starts by taking advantage of human psychology to gain access to sensitive data or systems. How can you spot a social engineering attack? Here are five attack variants in alphabetical order:

  • Authentication Attack: Also called “tailgating” and “piggybacking”, the attacker enters a restricted area by walking closely behind you or someone who is authorised to do so—usually by pretending to be part of the same team. Or an attacker impersonates a driver delivering food or packages. The attacker will wait for an employee to open their office door and confidently enter.

  • Baiting: Baiting is like fishing; the attacker attaches the bait and waits for you or someone else to bite. Or he strews a bunch of infected USB thumb drives in the parking lot and waits for someone to plug one into their laptop, which will download an infected file. Or he sends a bunch of employees a malicious file disguised as a software update. Or he entices the “mark” to visit a compromised website, which is called a “watering hole”.

  • Calling: It could be simple phone calls. Or “pretexting”, masquerading as someone else to obtain PII via SMS, WhatsApp, WeChat or other messaging apps. In one case, an attacker impersonated a female IT helpdesk officer (who had resigned a couple of months earlier) and carried on routine conversations with dozens of staff before the pretender—who was male—was discovered.

  • Dovetailing: Baiting offers you something for nothing; dovetailing offers you a reward for something, such as filling in a survey form or answering three simple questions. They email the results of the survey to you—with malicious code embedded. Or you visit a website and click on a blinking box that says you’ve won an iPad; all you need to do is fill in your credentials so that the iPad can be sent to you. Many people fall for this scam.

  • Executive Whaling: A “whale” is a top executive, usually from the C-suite (CEO, COO, CFO or CIO), typically from large organisations such as banks, retail chains, MNCs or government agencies. In one method, the attackers send a scam email bearing the logo of a government agency or a bank to top management, asking for their urgent attention. In another, the hacker emails the CEO/COO/CFO/CIO directly, claiming that the message contains confidential whistle-blower information about corruption in the company, with an infected .pdf or .jpg file attached.

Inside Job

Threats from outside the company are an enormous concern for cybersecurity teams, but there are significant threats inside corporate walls as well. The very people who are closest to the data or other corporate assets can often be a weak link in a company’s cybersecurity programme. This happens when they share passwords or files over unprotected networks, click on malicious hyperlinks sent from unknown email addresses, or act in ways that open corporate networks to attack.

Threats from inside the company account for roughly half of all data breaches. “Business and cybersecurity leaders must collaborate on ways to improve the internal risk culture,” advises a McKinsey study. “They must educate all employees about the realities of cyberattacks and best practices for fending them off—holding town meetings, mounting phishing campaigns, or staging war-game presentations to familiarise employees with potential threats and raise awareness.”

Many of these activities will need to be led by the CIO (chief information officer) and/or the CISO (chief information security officer). “But none will be fruitful if the company’s business leaders are not fully engaged in a dialogue with the cybersecurity function and if companies don’t build explicit mechanisms for ensuring that the dialogue continues over the long term,” McKinsey adds. “Business leaders must realise that they are the first line of defence against cyberthreats. Cybersecurity is never the sole responsibility of the ITD.”

How do you foil such attacks? There are no easy ways to do so, except to “STOP” it with:

  • Situational awareness: Be aware of your environment, and be alert to any strangers trying to get physically close to you.

  • Tailgaters must be treated with suspicion, more so if you have not seen them in the office before.

  • Obey security protocols recommended by your office or workplace. Don’t discuss confidential company issues in public places. Observe security best practices even when not in the office.

  • Phishing, whether via email or phone calls, is the prime poison used by predators to hack into your account, steal your identity and cause damage in your name. Alert your information security department if you suspect you’re being baited.

Before we end, let’s remind ourselves that even the largest companies can be at risk. A Lithuanian national, Evaldas Rimasauskas, engineered one of the biggest social engineering attacks, which was against Google and Facebook. Mr Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook; he also set up bank accounts in the company’s name.

The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided—and directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Mr Rimasauskas and his associates cheated the two tech giants out of over US$100 million.


Raju Chellam is on the Exco of SGTech’s Digital Trust, and Cloud & Data Chapters.