Social Engineering’s Wolf in Sheep’s Clothing

By Robert Kluba, CISM, MCSE, AuditOne, LLC

Social engineering is a threat that every bank faces. It targets people and procedures rather than systems, and banks, with their customer-facing staff and their ability to move money on request, make an ideal target for criminals employing it. This article discusses the types of social engineering threats facing banks and the ways banks can mitigate their exposure to those threats.

Reformed computer criminal turned security consultant Kevin Mitnick has pointed out that it is much easier to trick someone into giving up a password than to spend the effort required to break into the system.

Social engineering can take a number of forms, such as pretexting, diversion theft, phishing, quid pro quo, tailgating and shoulder surfing. This article focuses on pretexting and phishing, the two forms banks most commonly face and the two that we, as a social engineering testing firm, concentrate our testing on. Pretexting is the act of creating and using an invented scenario to engage a targeted victim in a way that increases the chance the victim will divulge information or perform actions that would be unlikely under ordinary circumstances. Phishing is a technique for fraudulently obtaining private information, most commonly through an email that contains a link to a fraudulent web page designed to look legitimate, or an attachment that installs malicious software.

As an introduction to the social engineering pretext attack, consider an incident that took place in December 2011 at Wells Fargo and was reported by Forbes magazine. This pretext incident allowed an attacker to trick Wells Fargo into wiring $2.1 million to a bogus bank account in Hong Kong. The attacker impersonated a client of Wells Fargo, obtained publicly available signatures and convinced an escrow office to wire funds to an offshore account. Banks of all sizes are susceptible to this kind of risk, and steps need to be taken to mitigate it. The following are some basic steps any bank can take to reduce the threat of a pretext attack.

Step 1: Don’t trust caller ID. The number displayed is supplied by the calling side and can be spoofed at little cost, so customer verification procedures must be followed no matter what the caller ID says.

Step 2: Don’t rely on what an unknown or untrusted source says or implies. Successful pretext calling is all about gaining the trust of the person being called.

Step 3: Put policies in place. Good verification policies impose little friction on legitimate requesters but deter pretext callers.

Step 4: Build into those policies the checks pretext callers are known to dislike, such as customer verification that goes beyond the social security number and other details an impostor can readily look up, for example calling the customer back at the number already on file.

Step 5: Remember that you, not the caller, are in control.

Step 6: Use diplomacy and tact in declining a request.

Step 7: Invest in a security education and awareness program to raise security awareness regularly.

Step 8: Train your employees to contact their manager and information security officer if a call seems suspicious.

Step 9: Management should support staff when they follow policy.

The second type of social engineering attack is the phishing email attack. According to a recent Huffington Post article, JPMorgan Chase customers were targeted by such an attack as recently as August 2014, when hackers sent bogus emails that prompted customers to enter their account credentials and attempted to download malicious software onto their computers. This type of attack can happen to any bank of any size. The example above is a typical customer-facing phishing attack. Since this article is more concerned with threats to the bank itself, the following are some steps a bank can take to reduce the risk of a successful phishing attack that targets bank employees.

Step 1: Invest in a security education and awareness program to raise security awareness.

Step 2: Organize regular campaigns to maintain user awareness. Education is not a once a year deal.

Step 3: Train your employees to call the bank’s help desk or contact their manager if an email seems suspicious.

Step 4: Tell users not to click on links, download files or open attachments in emails from unknown or unexpected senders. The sender address can be forged, so an unexpected request arriving under a familiar name deserves the same scrutiny. Think before you click.

Step 5: Using a spam filtering appliance or add-in is not a “fit and forget” exercise; it requires ongoing maintenance, from manual review of the quarantine queues to tuning of its settings as attackers change their tactics.

Step 6: Limit the impact. Ensure that anti-virus, anti-spyware and anti-malware applications are maintained and up to date, that applications and operating systems are fully patched, and that staff do not work with local administrator rights, so that a single click on a malicious link or attachment is less likely to compromise the workstation.
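Awareness training asks employees to notice the same tells in every case: a sender domain that imitates the bank’s, a link whose visible text does not match where it really goes, a reply address that diverts the conversation elsewhere, and an executable disguised as a document. As an added example (not part of the original article, and not AuditOne’s tooling), the following Python script shows how a help desk or mail gateway can check a reported message for those indicators automatically. The bank domain examplebank.com, the sample message and the list of risky attachment types are assumptions constructed for the example.

```python
"""Flag common phishing indicators in a reported email (added example; the bank
domain, sample message and risky-extension list are constructed assumptions)."""
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # the bank's real mail domain (assumed)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}
# Digit-for-letter swaps that make a fake domain read like the real one.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
# href and visible text of each <a> tag; adequate for mail bodies, not a full HTML parser.
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """www.examplebank.com -> examplebank.com (last two labels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Undo homoglyph tricks: digits for letters, 'rn' for 'm', 'vv' for 'w', hyphens."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w").replace("-", "")


def is_lookalike(host: str) -> bool:
    """True if host imitates a trusted domain without actually being one."""
    host = host.lower()
    dom = registered_domain(host)
    if dom in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:  # real name buried in a subdomain: examplebank.com.evil.net
            return True
        if normalize(trusted.split(".")[0]) in normalize(dom):  # examp1ebank.com
            return True
    return False


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_email(raw: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for everything suspicious in the message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    sender_dom, reply_dom = sender.rpartition("@")[2], reply_to.rpartition("@")[2]
    if is_lookalike(sender_dom):
        findings.append(("lookalike-sender", sender))
    if reply_dom and registered_domain(reply_dom) != registered_domain(sender_dom):
        findings.append(("reply-to-mismatch", reply_to))  # replies are diverted elsewhere
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in _ANCHOR.findall(html):
                text, target = re.sub(r"<[^>]+>", "", text).strip(), host_of(href)
                # visible text shows the bank's address but the link goes elsewhere
                if _URLISH.match(text) and registered_domain(host_of(text)) != registered_domain(target):
                    findings.append(("link-mismatch", f"{text} -> {href}"))
                if is_lookalike(target):
                    findings.append(("lookalike-link", href))
    return findings


# Constructed sample of a credential-phishing email aimed at a bank employee.
SAMPLE_EMAIL = """\
From: "Example Bank IT Security" <alerts@examp1ebank.com>
Reply-To: helpdesk@mail-verify.net
To: teller@examplebank.com
Subject: Urgent: confirm your online banking access
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Your access will be suspended unless you
<a href="http://examplebank.com.verify-account.net/login">https://www.examplebank.com/login</a>
within 24 hours. See the attached notice.</p></body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="Notice.pdf.exe"
Content-Disposition: attachment; filename="Notice.pdf.exe"
Content-Transfer-Encoding: base64

QUFBQQ==
--BOUNDARY--
"""
```

Running analyze_email(SAMPLE_EMAIL) reports all five indicators: the sender domain examp1ebank.com normalizes to the bank’s own name, the Reply-To points at a different domain, the link text claims to be www.examplebank.com while the href goes to verify-account.net, that href also buries the bank’s domain in a subdomain, and the attachment is an executable with a double extension. The lookalike rules are deliberately conservative (they will flag a legitimate third party whose name contains the bank’s), which is the right bias for a triage tool that only raises a ticket; the anchor regex is fine for triage but a production gateway should use a real HTML parser.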

Pretext calling and targeted phishing emails are two major social engineering attack scenarios that all banks face. Pretext calling has been, and will remain, a threat for the foreseeable future. Steps can be taken to better protect the bank and its customer information against these attacks. Technology may help reduce phishing email attacks in the future, but steps such as ongoing training and education can be taken today to mitigate the current risk. The protection of nonpublic personal information should be a goal of every financial institution, and proactive steps are available to mitigate the risk of these threats.

Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 24 – December 2014.