Frank Abagnale, the notorious youthful con-man made famous by Leonardo DiCaprio’s film Catch Me If You Can, recently sat down with Rob Wright of TechTarget to discuss his thoughts on cybercrime and social engineering.
His perspective on the expectation that technology will triumph over good old-fashioned social engineering provides a great lesson to those firms thinking that technology alone can protect a company from cyber criminals.
“…there is no technology in the world, nor will there ever be, that beats social engineering. So if I call you and pretend I’m Bank of America and tell you to go through all the steps…and you follow my instructions, then I’m going to get to you.” – Frank Abagnale, Advisor for Trusona
For any company looking to expand its cyber defenses, it need look no further than social engineering prevention as its first layer of defense. The easiest way to steal from ANY company is to find a way to go from being an ‘outsider’ to an ‘insider’. Accomplishing this goal simply means finding an individual within a company willing to (inadvertently) assist. This is where social engineering comes in.
The vast majority of social engineering attacks use fraudulent emails aimed at low-level individuals for the purpose of gaining control of their user accounts within a company. Once they have secured control of those accounts, criminals escalate their privileges until they have access to the information, accounts and systems they need to complete the heist.
The biggest challenge for security and technology professionals is that these resources LOOK like they are normal accounts. Most detection and prevention systems can’t identify these fraudulent user accounts until it’s too late.
No business is too big or too small to fall victim to this approach.
On May 25 2016, FireEye reported that “banks in the Middle East are being targeted by a ‘wave’ of cyber-attacks using advanced social engineering tactics to entice users to open malicious macro-enabled Microsoft Office documents.”
According to the report, criminals were sending waves of reconnaissance emails to see where potential weaknesses may lie. Included in the emails were macro-enabled Excel files. The content of these emails appeared to be legitimate conversations between employees from several banks.
Despite the significant security resources available at the bank, criminals still know the best way in is through the unsuspecting and unaware employee.
So as you look to improve the cyber defenses of your organization, start with 3 simple goals:
- Be aware: Educate the team on how to recognize potential social engineering attacks and what to do if they see something suspicious.
- Trust but verify: Send social engineering emails to your own employees and see who opens them. Do not use this to punish or humiliate them, but rather to educate and further train those who are not as aware as they need to be.
- Clean house: Leverage an industry-grade spam filter to keep as many of the fraudulent emails out of employee inboxes in the first place.
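As an added example (not code from the article, Trusona or FireEye), here is a small Python inbound-mail check for the “clean house” goal aimed at the FireEye case above: it flags macro-enabled Office attachments both by their extension and by looking inside the OOXML zip for a VBA project part, so a macro workbook renamed to .xlsx is still caught. The sample message, sender addresses and attachment names are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Office itself uses for macro-enabled documents.
MACRO_EXTENSIONS = {".xlsm", ".xltm", ".docm", ".dotm", ".pptm", ".potm"}

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML payload (a zip) contains a VBA project part, whatever its name."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def flag_macro_attachments(raw_message: bytes) -> list:
    """Names of attachments that are macro-enabled by extension or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in MACRO_EXTENSIONS or has_vba_project(payload):
            flagged.append(name)
    return flagged

def build_sample_message() -> bytes:
    """Constructed sample: a 'forwarded conversation' carrying a macro workbook renamed .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal OOXML-shaped zip, not a real workbook
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"constructed-vba-blob")
    msg = EmailMessage()
    msg["From"] = "colleague@bank.example"
    msg["To"] = "analyst@bank.example"
    msg["Subject"] = "FW: RE: Q2 figures"
    msg.set_content("Hi, see the attached figures we discussed.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="figures.xlsx")  # an extension check alone would miss this
    msg.add_attachment("plain notes", filename="notes.txt")  # harmless attachment
    return msg.as_bytes()
```

A mail gateway would quarantine or strip the flagged parts; the content check matters because the extension is entirely under the sender’s control.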
And then, as Frank Abagnale pointed out, “You have to constantly be aware of things that can happen to it and how people are going to try to beat it.” Social engineering is how, and you need to be ready.