Conman Frank Abagnale, as a teenager, once rented a security guard’s uniform from a costume shop and stood in front of a cash dropbox, after taping on a sign on it saying, “Out of Service: Place Deposit With Security Guard on Duty.” People drove up, handed him their dropbox deposit bags, and drove away.
You could say Frank Abagnale used social engineering: he manipulated people’s beliefs so that they misplaced their trust. In this case, they trusted a person in uniform, and, sadly, didn’t question how a gravity-fed dropbox could be out of service.
Today, email technology lets con artists like Frank Abagnale reach out to potential victims around the globe, trying to win their trust—and take their money—through carefully crafted emails. The process is called phishing, and it is a common type of social engineering scam used today. The results, in the absence of effective email security measures, can be frightening as these four examples show.
1. Missed Delivery
What dutiful employee would want to stand in the way of an office delivery? Especially not when an email, allegedly from a delivery company, says its courier was unable to deliver a package to that office. The package, says the email, can be claimed at the delivery office on presentation of a receipt. First, the recipient must click a screen button to print the receipt. There are no requests for information that would trigger the suspicions of trained office workers. There’s just that one convenient screen button.
Of course, clicking it triggers an infection, and the attackers thereafter get all their questions answered automatically through the spyware it installs. If the recipient had been suspicious, the old trick of hovering the mouse cursor over the button to see where its link points might have given the scam away, as the link did not lead to the delivery company’s address. But deliveries do get missed, so why would anyone be suspicious?
2. Infected Spreadsheets
A data breach at a software security firm began when a list of low-level employees received phishing emails with an attached Excel file. In all cases it went into their junk email folders. One recipient saw it and was intrigued by the title of the file, “Recruitment Plan,” and opened it, probably thinking it was an HR file that had been sent to the wrong address. Instead it was a trojan that exploited a flaw in Adobe Flash that was patched one week after its discovery. The phishing email, however, arrived during that intervening week.
Thanks to the infection the attackers were able to gain administrator-level control of the system, and were discovered only when they began transferring files out of the system. The breach eventually cost the firm $66 million.
3. Traveling Boss
An employee at a manufacturing firm in Ohio wired $315,000 for materials to China, at the request of her boss, who was traveling overseas. That was business as usual with him. What was not business as usual was the formality of the language in the email that instructed her to make the payment. After she initiated the transfer she responded to her boss, asking if she should inform the CEO.
His response was even stiffer—and she knew that wasn’t her boss. She looked harder at the original message and realized its domain name was one look-alike letter different from the firm’s real domain name.
She was able to get her bank to cancel the transfer before the money moved. Later investigation showed that the deceptive phishing domain had been set up that very morning.
4. Fake CEO
A commodity firm based in Omaha lost $17.2 million when an employee responded to emails that he thought were from his CEO. These instructed him to send the money in installments to a firm in China as part of an overseas expansion plan that he was told to keep secret. Since there was an actual expansion plan underway the employee did not question the request, even though the email address it came from was not the CEO’s standard address.
The scam also involved a fake employee at a real accounting firm that was then working with the victimized firm. The scammers used email addresses in Germany, France, and Israel, and a server in Moscow.
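The Traveling Boss and Fake CEO cases turn on two sender checks that a mail gateway can perform before a message reaches an inbox: a domain that is one look-alike character away from the firm's real domain, and a known person's name paired with an address that is not the one on file for them. The following Python is an added example, not code from the original post or from Sendio; the firm's domain (widgetworks.example), the executive's name and the trusted-correspondent directory are constructed placeholders.

```python
"""Screen the From: header of an inbound message against a directory of
known correspondents. Flags (a) domains that resemble a trusted domain
after confusable-character normalisation or within one edit, and (b) a
known person's display name paired with an address other than the one on
file. Added example; domains, names and addresses are constructed."""
from email.utils import parseaddr

# Constructed directory: the firm's own domain and one executive on file.
TRUSTED_DOMAINS = {"widgetworks.example"}
KNOWN_PEOPLE = {"dana cruz": "dana.cruz@widgetworks.example"}


def normalize(domain):
    """Collapse common look-alike substitutions so 'widgetvvorks' and
    'widgetw0rks' compare equal to 'widgetworks'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def edit_distance(a, b):
    """Levenshtein distance; one substitution, insertion or deletion = 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header):
    """Return {'address', 'verdict', 'reasons'} for a raw From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # (a) look-alike domain: not trusted, but nearly indistinguishable from one
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) == 1:
                reasons.append(f"look-alike domain: {domain} resembles {trusted}")
                break

    # (b) display-name impersonation: known name, unexpected address
    key = name.strip().lower()
    if key in KNOWN_PEOPLE and KNOWN_PEOPLE[key] != addr:
        reasons.append(f"display name '{name}' used with unexpected address {addr}")

    if reasons:
        verdict = "quarantine"
    elif domain in TRUSTED_DOMAINS or addr in KNOWN_PEOPLE.values():
        verdict = "accept"
    else:
        verdict = "hold"  # unknown sender: wait for verification before delivery
    return {"address": addr, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for header in [
        "Dana Cruz <dana.cruz@widgetworks.example>",   # genuine
        "Dana Cruz <dana.cruz@widgetvvorks.example>",  # confusable 'vv' for 'w'
        "Dana Cruz <dana.cruz@wldgetworks.example>",   # one letter swapped
        "Dana Cruz <dana.cruz@freemail.example>",      # name only, wrong address
        "Pat Lee <pat@partner.example>",               # stranger
    ]:
        r = assess_sender(header)
        print(f"{r['verdict']:10} {r['address']}  {'; '.join(r['reasons'])}")
```

The "hold" verdict for unknown senders is the point the article makes: a message from a complete stranger is neither rejected outright nor delivered, but parked until the correspondent is verified. In production the directory would be the organisation's own address book, and the look-alike check would also be run on any Reply-To: header, since the reply in the Traveling Boss case is what exposed the fraud.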
All these phishing exploits were examples of social engineering—the victims were presented with a plausible scenario, one fitting their preconceptions, and they accepted it. But they are also examples of email from complete strangers being delivered and acted on. With a proper email security system, those emails would never have shown up in the victims’ inboxes.
Sendio’s Opt-Inbox solution can ensure that all arriving email is from verified, legitimate correspondents, so that the risk exposure from social engineering is minimized. You can request a demo to see just how effective it can be in keeping your organization safe.