Cyber security is attracting increased attention as the scale and frequency of hacks, attacks and leaks continue to gather pace. The Federal Government has earmarked close to $10 billion over the next decade to bolster the nation’s digital defences, while private businesses are taking their own steps to protect themselves.
While these actions will help protect systems, criminals are also well-versed at manipulating employees in an effort to bypass security controls. The holiday season creates opportunities for criminal actors to influence (or ‘socially engineer’) workers, including impersonating senior staff and executives while they’re on leave.
Here are three of the most common ways criminal groups exploit staff and how to protect against them.
Common criminal strategies
1. User credential theft
Social engineering – manipulating people into giving away data, information, or even control of a device – is a common way credentials are harvested, either for use by criminals themselves or to on-sell for profit on the dark web. Criminals do this by contacting targets directly through email, phone call, social media or messaging services like Skype and WhatsApp.
Criminals may pretend to be a legitimate business contact, such as a client, supplier, service provider or colleague – leveraging existing relationships to extract the information they need. This can include pretending to be an external IT provider with an urgent request, a colleague asking to update banking details, or a supplier with an unexpected invoice.
Criminals may also use social engineering tactics to install malware onto a business’ systems. This malicious software may enable them to remotely access devices and log keystrokes to reveal passwords and other data.
2. Executive impersonation
One worrisome social engineering trend involves impersonating senior executives within a business. This may be done in several ways:
- ‘Spoofing’ a business email account: Falsifying the ‘from’ email address to look like it comes from a senior staff member, then sending emails from this fake address to manipulate staff into taking action.
- Stealing a legitimate email account: Criminals may use an already compromised email account as part of their impersonation and then tamper with email communications from within the account.
- Hacking alternate communication channels: Criminals may take control of an executive’s Skype or WhatsApp account to bolster their credibility.
Under the guise of authority, criminals may pressure staff into making unauthorised payments or changing account details so payments are diverted into accounts the attacker controls. To generate payments, the criminals may even contact a business’ clients and attempt to sell products that are never delivered.
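As an added example (not from this article or from CommBank), the following Python check shows how a mail gateway or help desk could flag the executive-impersonation signs described above: a display name that matches an executive but an address that does not, an external sending domain, a mismatched Reply-To, or failed sender authentication. The executive roster, domains and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical executive roster and internal domain (constructed for this example).
EXECUTIVES = {"jane smith": "jane.smith@example.com.au"}
INTERNAL_DOMAINS = {"example.com.au"}


def assess_executive_impersonation(raw_message: str) -> list[str]:
    """Return a list of warnings for an inbound message; empty means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    warnings = []

    if display_name.strip().lower() in EXECUTIVES:
        # Display name looks like a senior staff member: the address must match the roster
        if address != EXECUTIVES[display_name.strip().lower()]:
            warnings.append(f"display name '{display_name}' does not match roster address")
        if domain not in INTERNAL_DOMAINS:
            warnings.append(f"executive display name sent from external domain '{domain}'")

    # A Reply-To that differs from From diverts the conversation to the attacker
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != address:
        warnings.append(f"Reply-To '{reply_to}' differs from From '{address}'")

    # Gateway authentication results (SPF/DKIM/DMARC) as recorded by the receiving MX
    auth = str(msg.get("Authentication-Results", "")).lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        warnings.append("sender authentication failed (SPF/DKIM/DMARC)")
    return warnings


# Constructed sample: spoofed 'from' display name, external domain, diverted Reply-To
SPOOFED_MESSAGE = """\
From: Jane Smith <jane.smith@mail-relay.example>
Reply-To: jsmith.ceo@webmail.example
To: accounts@example.com.au
Subject: Urgent payment before I board
Authentication-Results: mx.example.com.au; spf=fail smtp.mailfrom=mail-relay.example

Please change the supplier bank details today, I am travelling and cannot call.
"""

# Constructed sample: genuine internal message that passes authentication
LEGITIMATE_MESSAGE = """\
From: Jane Smith <jane.smith@example.com.au>
To: accounts@example.com.au
Subject: Board papers
Authentication-Results: mx.example.com.au; spf=pass dkim=pass dmarc=pass

Attached for Thursday.
"""
```

A hit on any of these checks is a prompt for the independent verification step covered later in the article, not proof of fraud on its own.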
3. Supply chain compromise
Businesses are increasingly taking advantage of cloud technology, using services and software provided by third-party suppliers and facilitated through the internet. Executives need to remember that they are still accountable for the security of this data.
Over the past decade there have been several major data breaches where criminals attacked suppliers rather than their victims directly. One notable example is the attack on Target in the US in 2013. Criminals hacked into the business’ heating and ventilation provider and used this entry point to infect Target POS systems with malware, stealing millions of customers’ data and card details.
Supply chain compromise poses a significant threat, especially following the pandemic and the abrupt shift to ‘work-from-home’ it ushered in. Executives need to be mindful of their own system’s security, and conduct due diligence on their suppliers to assess:
- How robust a supplier’s defences are
- What kind of connectivity a supplier’s systems have with their own business’ networks
- How a compromised supplier would affect their business.
Securing your staff
Fortunately, Australian executives have a range of tools at their disposal to better protect against human vulnerabilities.
You can:
- Use strong, unique passphrases instead of passwords: Move away from passwords and think about passphrases. These should be far removed from simple dictionary words, making them very hard to guess. Instead of using a pet’s name, for example, you could try a phrase like ‘MyPetGoatHasA$PhD’.
- Avoid re-using passphrases across services: A common mistake people make when setting passphrases is recycling them across different services. In this scenario, if a criminal successfully breaches one service, any other service using the same passphrase is no longer secure.
- Apply multi-factor authentication wherever possible: Multi-factor authentication requires users to undergo extra verification when logging in, such as providing an additional token. This critical security step should be part of businesses’ password policies, and enforced across company networks.
- Apply application controls: Criminals may try to install malicious programs and codes on a target’s device to enable access. Implementing application controls can prevent these programs from running, and in some cases prevent malicious programs from even being installed.
- Create clear processes for all transactions that staff should never deviate from: Do this even (or especially) when someone claiming to be a superior is pressuring them to act. Train staff to question any unusual requests.
- Independently verify unusual requests before acting: Try calling the person who’s made the request to confirm their identity – or a security adviser if the person is uncontactable. Never trust contact details supplied within a suspicious communication. Phone numbers should be sourced from internal lists or a trusted database.
- Train staff to be sceptical: Teach staff to remain vigilant. Put a clear reporting process in place so they can raise the alarm early if they do make a mistake or suspect a cyber incident. This will enable you to respond quickly and help minimise damage.
How CommBank can help
Talk to your Relationship Manager (RM) to find out how your organisation can be protected.
Want to know more?
CommBank is committed to protecting its business and customers from scams, fraud and other cyber attacks. For more ways to safeguard your information, search CommBank Safe.