Fake Identity Fraud: Protection through Awareness

Published: November 30, 2016


by Götz Schartner, CEO, 8com


In the last few months, two types of social engineering attacks have been causing concern among executives of global corporations, banks and government agencies. Criminals posing as CEOs, presidents and contractors have managed to persuade employees to transfer funds to their bank accounts, leading to damages of around EUR3m in the first half of 2016 in Germany alone. How can companies protect themselves against social engineers out for their money? 8com’s experience has shown that information security awareness is the key.


After news broke in August of 2016 that Leoni AG, one of the world’s leading wire and cable manufacturers, had been swindled out of EUR40m by a social engineer using nothing but email, the company’s stock dropped almost 7%. How could this have happened? A two-week investigation by law enforcement and the company itself revealed that a young woman working in the finance department of Leoni’s factory in Bistrita, Romania, received an email, seemingly from senior German executives. She believed the email to be a genuine request to transfer EUR40m out of the company’s bank account. According to unconfirmed reports, the money was moved into accounts in the Czech Republic.

This case of CEO fraud, also known as fake president fraud, reveals the problems and challenges facing companies when it comes to social engineering attacks. Unlike conventional hacking attacks, criminals don’t rely upon malicious software to infect computer networks. This makes conventional protection, like firewalls and antivirus software, ineffective. The social engineer’s target is the human operating system. In order to develop strategies to deal with fake identity fraud, one must take a closer look at the methods used by social engineers.

At the heart of every social engineering attack lies the exploitation of positive human properties, like kindness and trust, to bypass the human firewall. Employees are tricked into doing what the attackers ask of them by conscious and subconscious manipulation. To set up a successful play, as the main phase of an attack is called, they engage the target and provide a pretext for interaction. In the case of CEO fraud, social engineers count on the willingness of people to comply when a request comes from a figure of authority.


CEO fraud

Let’s look at how a case of CEO fraud could take place. An employee in the financial department of a company receives a phone call from a man introducing himself as a lawyer and is asked about an important transfer of funds, allegedly on behalf of the CEO. The employee informs the caller that he is unaware of any transfers and decides not to take any further action for the time being. Later, he gets an email, supposedly written by the CEO himself. It informs the employee that funds needed for the strategic acquisition of a company have to be transferred and that he was specifically chosen for the task, based on his past performance and discretion. Further information would be given to him by the lawyer. Over the following days, the employee’s correspondence with the lawyer and the CEO intensifies. He is told not to talk to anyone about the matter, signs an NDA and finally receives the bank account information he needs to transfer the sum of several million euros. After the transfer, the communication suddenly ends. The employee doesn’t get any more emails or phone calls from either of the involved parties.

At this moment, it might dawn on him that he was tricked, that he wasn’t actually corresponding with the CEO, or even a real lawyer. In a panic, he decides to ignore the NDA and talks to his supervisors. The money, meanwhile, has already been withdrawn by the attackers.

As we can see, an attack like this doesn’t require sophisticated technological savvy, but a deep understanding of the human psyche. Every successful social engineer does a great amount of research before starting an attack. He might even create a psychological profile of the target based on freely accessible information on websites and in social networks. Nothing is left to chance. In some cases, employees might become sceptical and deny payment. Others are easily duped. After all, who wouldn’t comply with the request of the head of a company, especially if he or she was ‘the chosen one’?


Payment diversion

While CEO fraud serves as an example of a relatively complex form of fake identity fraud, payment diversion scams are a lot simpler, but just as effective. Criminals do not pose as heads of companies, but as contractors awaiting payment by the target company. They send emails to the employees responsible for payments, letting them know that there is a new bank account to which all future payments have to be transferred. The money, of course, goes right into the criminals’ pockets. This mode of attack is less sophisticated than CEO fraud and the profits are lower, but the interaction is impersonal and doesn’t require any knowledge of human psychology and behaviour.



Prevention strategies

Fortunately, there is a way to prevent companies from losing money to criminals as a result of fake identity fraud. Over 26 years of experience have shown us that information security awareness is the most effective way to do this. Employees have to know how cybercriminals work, how they manipulate their victims and how to develop a strong sceptical attitude towards unusual requests. And most important of all: they have to understand that they themselves are responsible for the safety of confidential information and for their behaviour inside the digital sphere, not the IT department, not firewalls or antivirus software.

Just as social engineers use psychological tricks to manipulate the behaviour of their victims, we take a psychological approach when raising their awareness of information security issues. There is no choice but to take preventive action. Once money is transferred, it is almost impossible to get back. Our fraud prevention strategy incorporates a variety of measures to reduce the risks posed by CEO fraud and other instances of fake identity fraud. Phase one consists of a thorough analysis and, if necessary, improvement of payment processes and the handling of changes in bank account details. Target groups are identified, and the course of action and timetables are co-ordinated with our client. In phase two we actively raise awareness of fake identity fraud among employees. Participants in our workshops experience realistic fraud scenarios at their own desks when we show them how easily emails can be manipulated. Web sessions further raise the awareness level by imparting knowledge and offering deeper insights into typical fraud methods. Short videos, user guides and interactive web-based training allow employees to educate themselves whenever they can find the time.
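The process controls from phase one can be backed by a simple pre-payment check. The following is an added example, not code from the article or from 8com: it flags the two patterns the article describes, a sender whose display name matches an executive but whose mailbox is outside the company domain (CEO fraud) and a supplier asking to pay into an IBAN that differs from master data (payment diversion). The company domain, executive list, vendor master data, phone numbers and approval threshold are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

COMPANY_DOMAIN = "example-corp.test"                    # assumed internal mail domain
EXECUTIVES = {"maria bauer": "ceo", "jan meier": "cfo"}  # constructed directory
VENDOR_MASTER = {                                        # constructed vendor master data
    "cable supply gmbh": {"iban": "DE00 0000 0000 0000 0000 01",
                          "phone_on_file": "+49 000 000001"},
}
APPROVAL_THRESHOLD_EUR = 50_000.0                        # assumed four-eyes limit


@dataclass
class PaymentRequest:
    display_name: str               # name shown in the From header
    sender_address: str             # mailbox the mail actually came from
    vendor: Optional[str] = None    # supplier named in a payment or account change
    new_iban: Optional[str] = None  # IBAN quoted in the email, if any
    amount_eur: float = 0.0
    confidentiality_asked: bool = False  # "don't talk to anyone about this"


def review(req: PaymentRequest) -> Tuple[str, List[str]]:
    """Return ("release" | "hold", reasons). A hold means: verify out of band
    using contact data already on file, never the details given in the email."""
    reasons: List[str] = []
    domain = req.sender_address.rsplit("@", 1)[-1].lower()
    name = req.display_name.strip().lower()
    # CEO fraud pattern: authority claimed in the display name, mail from elsewhere
    if name in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name matches {EXECUTIVES[name].upper()} "
                       f"but mailbox is external ({domain})")
    if req.confidentiality_asked:
        reasons.append("request asks for secrecy; escalate to a second approver")
    if req.amount_eur > APPROVAL_THRESHOLD_EUR:
        reasons.append("amount above threshold; second approval required")
    # Payment diversion pattern: bank details that do not match master data
    if req.vendor:
        rec = VENDOR_MASTER.get(req.vendor.strip().lower())
        if rec is None:
            reasons.append("vendor not in master data")
        elif req.new_iban and req.new_iban.replace(" ", "") != rec["iban"].replace(" ", ""):
            reasons.append(f"IBAN differs from master data; "
                           f"call back on {rec['phone_on_file']} before changing it")
    return ("hold" if reasons else "release", reasons)
```

A hold only blocks the transfer until someone has confirmed the request through a channel the email did not supply; it is a prompt for the verification step, not a replacement for it.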

After going through an extensive and sustainable awareness programme such as ours, employees understand the threat and the potentially catastrophic consequences social engineering attacks can have. As a result, they will avoid transferring large amounts of money without making sure the requests are legitimate. Criminals are aware of this, of course. We will undoubtedly see new and increasingly creative variants of electronic fraud in the future. That’s why it is crucial to keep the overall information security awareness at a high level by continually training old and new employees. Even if awareness is no panacea, it is the most effective way to make sure fraud attempts are identified and averted, before criminals have filled their pockets with company money.  


8com

Founded by CEO Götz Schartner and his wife in 2004, 8com has become one of the leading providers of information security services in Europe. Among its clients are small and medium-sized companies as well as global corporations, banks and government agencies. Together, their goal is to develop strategies to achieve the highest possible level of information security. 8com employees are professional penetration testers, information security consultants and information security awareness experts. The unique combination of technological expertise and immediate insights into the world of cybercriminals enables them to draw from invaluable experience. 


Götz Schartner
CEO, 8com

As CEO of 8com and professional penetration tester, Götz Schartner experiences the effects of cybercriminal activity at first hand. Around 50,000 people are thrilled by his talks on information security and live hacking demonstrations every year. Schartner is always on the search for new developments in electronic crime and conducts active research on the goals, methods and motivations of cybercriminals.


Article Last Updated: May 03, 2024
