It took Stu Sjouwerman, the founder and chief executive of security firm KnowBe4, of Clearwater, Fla., about two minutes to launch a successful social engineering attack against me.
Social engineering, also known as phishing and spear-phishing, is what hackers do when they want to trick someone into taking a particular action or divulging critical information online. These attacks are on the rise against banks and their corporate customers, where more money is on the line than in consumer retail banking.
Sjouwerman and I had never met before. As we talked on the phone about his research, I received an email from American Banker‘s editor-in-chief asking me what was wrong with a story I had just published on Bitcoin. The email contained a link to the story, to which I had appended a minor correction about 20 minutes before. (Like most reporters, I dread getting emails like this from my editor, and like most reporters, I also multi-task.)
“By the way,” Sjouwerman said. “Did you just get an email from your editor about a correction to a story you’d just written?
Hesitantly, I said yes.
“That was from me, and I’ve just social engineered you,” Sjouwerman said.
Sjouwerman, who creates so-called white hacks for a living, had run a sender policy framework (SPF) check on my email address, which told him it did not have an SPF record, and therefore my work email network was not configured under sender policy framework (SPF). He was therefore able to use a utility he created himself to construct the dummy email from my editor.
Phishing attacks are no longer mass emails that land in your inbox like silent booby traps, hoping you will click on a link that will direct you to a website laden with malware that then infects your computer. As Sjouwerman’s attack proved, such attacks can happen in real time, and they often reflect just a few minutes of highly targeted research about the victim, based on what’s readily available from the Web.
Often cyber criminals will use knowledge of both the bank and the bank customer to corrupt both sides in a transaction, Sjouwerman says.
Recent, high-profile break-ins against companies like email marketing company Epsilon and shoe company Zappos have enabled cyber thieves to walk off with millions of active email addresses and passwords. That information is like gold to cyber-thieves, who bide their time and use it to construct customer profiles to launch new attacks, experts say.
“The weak link is the people, both internal and external to the bank,” says Julie Conroy McNelley, a research director for Aite Group, of Boston.
Last year’s attack against one of the largest security firms in the world, RSA Security, in which hackers successfully spear-phished an employee, leading to theft of code RSA uses to create its security tokens, underscores how vulnerable employees are and how sophisticated the attacks have become, McNelley says.
More than 12% of small business owners have had funds stolen from their bank accounts, according to a September survey of 210 small business owners from Gartner. Of that number, 63% report the theft occurred through electronic funds transfer. The average amount stolen was $3,400.
Security awareness education is the most powerful weapon, says Sjouwerman, who estimates 20% of people at organizations across the board are most susceptible to phishing attacks. Education campaigns can be targeted at this least-knowledgeable group, experts said.
But there are other critical areas both banks and their customers must stay on top of, including making sure that computer networks are configured properly, that application software is up-to-date, and that computers are running the proper anti-malware and anti-virus programs, Sjouwerman says.