On Thursday, 24th November 2022 the Met Police lifted the media embargo to report on the largest fraud case because of social engineering. It has been reported that £48M has been taken collectively, with one victim reportedly losing £3m. Sky News’ report can be read here: UK’s Biggest Fraud Sting Takes Down Phone Bank Scam that Conned Victims Out of Millions
How has this happened?
The “cyber criminals” “threat actors” “scumbags” whatever term you prefer to use have done the following:
- Acquired breached personal data from the dark web (their targets)
- Used OSINT techniques to cross-reference their targets (https://osintframework.com)
- Created a plausible scenario, for example, “I’m calling from the fraud team from your bank”
- Spoofed telephone numbers
- Called an unaware victim with a plausible scenario and factual data and trick you into moving your money to them
The other scenario they were using, where as described in a previous blog: We (nearly) got Phished: How Staff Complacency & Misconceptions are your BIGGEST Threat – Essentially, hitting a member of staff pretending to be a senior member, assuming the lower-ranking member will be docile and subservient to their perceived power and trick them into purchasing gift vouchers, Stream seemed to be their preferred choice although Google, Amazon, and Apple were also popular.
The threat actors used some technical tools that are readily available, if you know where to look, but the attacks themselves are not actually that complicated. It just requires a little bit of research up front as compromised data from the dark web can often be very quickly corroborated by simple online searches, you’d be surprised at the amount of information that is available on open Facebook profiles, LinkedIn etc.
Then you need the confidence to call the target: you know who they bank with, you’ve gleaned their date of birth, and you know their name. All you need now is brass balls to call the target, pretend to be the bank, make up a transaction that they haven’t made in a different area of the country, naturally they’ll say it wasn’t them, ask them some more pointed questions that relate to accessing their account and the job, as they say, is a good one. Account accessed and money withdrawn and sent elsewhere. Thank you very much. Easy-peasy.
It’s so common. These techniques are not new. Too many people fall for it.
What does this mean for your business?
These attacks have been mainly on the individual, but don’t get this twisted, these tactics (amongst others) can be used to elicit information such as client data, company finance information, intellectual property et cetera this putting your business, clients, and staff at risk.
How do we stop it?
Listen to the next snake-oil salesman scaring you into buying the next silver bullet? Nah, don’t be daft. We don’t live in the times of Demolition Man so we’ll never stop crime. We can, however, minimise it.
The advice, as uttered by every boxing referee before a bout is “protect yourselves at all times”. Build a barrier, do not share any of your personally identifiable information with anybody unless you are comfortable that they are who they say they are. Only share information with people on a need-to-know basis. Why would you want to share your personal details anyway?
Naturally, it’s disconcerting to receive a call out of the blue purporting to be the bank. In this instance do not confirm who you are. Terminate the call. Your bank will have a fraud team, Google (don’t click a link from a text you’ve been sent) call them yourselves and clarify whether the call was genuine. If something on a call feels unnatural, ie “why are they calling me, they don’t usually?” bin the call and make your own enquiries. This relates to any call, not just to bank scenarios. If it seems unusual, kill it. Loose lips, sink ships.
What about businesses?
Whilst there are technologies that can minimise dodgy emails (phishing), the way that we must deal with these social engineering attacks is education and testing your policies and processes. Most organisations will have their staff sign a policy during their induction which will warn them not to share certain data, but the reality is that the new member of staff in their enthusiasm will sign anything. Question them a few months later, and they won’t have a clue what they’ve signed.
The question is, how often are you testing your defences to a physical attack and your policies and procedures? Do you run regular phishing attacks? If so, do you provide education to those who fail the test and click the link? Is this clear and concise? Is it regularly updated with new methods and attacks?
What about the more physical assessments? Are you calling the offices and mimicking the actions of an attacker? What information can you elicit from members of staff from different departments? Can somebody enter the office unchallenged and leave with something?
Conclusion
Educate your staff. Then test them. Keep educating them. Use independent specialists to help.
We can help. Call our specialists on: 020 3855 0895