Social engineering, the art of getting people’s attention with alarming messages, is one of the tools threat groups use most often to launch cyberattacks.
If you receive an email telling you that you owe a phone bill, or that the Treasury is going to send you money, the normal reaction is at least to stop for a moment and think about whether the message is genuine. The same goes for a message in which your boss at work supposedly asks you for information or money.
The CEO scam, in which cybercriminals impersonate an executive to get an employee to do what they want, has been causing problems for companies for years. At the end of 2019, this “trick” was used to steal four million euros from the Valencia EMT.
Likewise, in recent months attackers have exploited the health crisis to apply the same technique. It was recently learned that the Zendal pharmaceutical group, which was going to produce a vaccine against the virus at its facilities in Galicia, lost 9 million euros to an attack of this kind.
“What is popularly known as the ‘CEO scam’ is technically called Business Email Compromise (BEC) and is a growing attack technique. They are highly personalized, high-impact attacks. These scams exploit the fact that more and more organizations rely on email for business, both personal and professional, and it is one of the most financially damaging online crimes.
According to the FBI’s Internet Crime Report of 2019, BEC attacks were the fifth most common type of cyber attack, but in terms of losses, BEC attacks accounted for more than half of all losses due to cybercrime,” explains Josu Franco, strategy and technology advisor at Panda Security.
This type of attack not only gives the cybercriminal a large economic return; it also requires little effort. “Posing as an executive to change payment methods, or requesting electronic transactions from a provider, is very simple.
For example, if the cybercriminal knows that a company has a project that is going to be paid for, they only need to impersonate a company executive and talk to the person to make the necessary changes. If they pretend to be someone important, it is easy for them to achieve it,” Eusebio Nieva, technical director of the cybersecurity company Check Point in Spain and Portugal, tells ABC.
Nieva points out that these scams can unfold in various ways. The criminal only needs some knowledge of the company and its targets for the chances of success to skyrocket: “What they do before carrying out the attack is put the company under surveillance.
They study it well. Sometimes they get in through a malicious code infection and sometimes that is not even necessary. When two or three things add up, they don’t need much more. Also keep in mind that a CEO, or an account manager, does not know everyone in the company.
The same goes for the employee who has the ability to direct the funds that the cybercriminal wants.” And that is precisely where one of the main dangers for the company under attack lies.
In some cases the cybercriminal begins the deception with an email in which he impersonates a manager to request a deposit or some unusual transaction. At first, this could make the employee suspicious if he notices that the request does not come from the corporate email account.
But what if the same manager then calls by phone and asks directly for the operation to be carried out? Such cases have occurred. All the offender needs is the right employee’s name and phone number.
Even if the target asks for the request in writing, the criminal can deflect by saying he will send it from his personal email account because the company one is giving him problems.
“These actions usually share a common denominator: a request for an action. It can be a transfer request, a request for some confidential information, or something else.
In short, we must be suspicious of any request that points to a possible impact on the company’s activity, be it economic or reputational,” explains José de la Cruz, technical director of the cybersecurity company Trend Micro in Spain and Portugal.
To stop attacks of this type from succeeding, the best thing a company can do, according to Eusebio Nieva, is to implement more rigorous protocols for authenticating instructions.
In practice this means, for example, that when a transfer of a large amount of money is requested, the person requesting it has to follow a specific procedure and supply some kind of robust credential that only they possess.
Not all the risks a company faces are directly related to computer viruses. Simple deception, in many cases, can be a more powerful weapon.
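One way to make the “specific procedure plus a credential only the requester holds” idea concrete is to have large transfer instructions signed with a key that finance never receives by email or phone, and to have finance verify the signature, its freshness and its uniqueness before acting. The following is an added example, not a description of any company’s real process or of Check Point’s products; the threshold, the key store, the request fields and the IBAN are all constructed for illustration.

```python
"""Out-of-band authorisation gate for large transfer instructions.

Added example: an email or a phone call alone never releases a large
transfer; the instruction must carry an HMAC produced with a key that only
the named authoriser holds. Keys, threshold and field names are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

LARGE_AMOUNT_EUR = 10_000  # constructed: above this, extra authentication is mandatory
MAX_AGE_SECONDS = 15 * 60  # constructed freshness window; blocks reuse of old approvals

# Constructed key store. In a real deployment each executive's key would live
# in a hardware token or HSM, never in a dict and never in their mailbox.
AUTHORISER_KEYS = {"cfo": secrets.token_bytes(32)}


def canonical(request: dict) -> bytes:
    """Deterministic serialisation so the signature covers every field."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request: dict, key: bytes) -> str:
    """Done on the authoriser's side with their own key (e.g. on a token)."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def new_request(amount_eur: int, iban: str, authoriser: str, now=None) -> dict:
    """Build a transfer instruction; the random id makes each one single-use."""
    return {
        "id": secrets.token_hex(8),
        "beneficiary_iban": iban,
        "amount_eur": amount_eur,
        "authoriser": authoriser,
        "issued_at": time.time() if now is None else now,
    }


def check_transfer(request: dict, signature, seen_ids: set, now=None):
    """Finance-side gate. Returns (approved, reason) and records accepted ids."""
    now = time.time() if now is None else now
    if request["amount_eur"] < LARGE_AMOUNT_EUR:
        return True, "below threshold: normal approval flow"
    key = AUTHORISER_KEYS.get(request.get("authoriser"))
    if key is None:
        return False, "unknown authoriser"
    if not signature:
        return False, "large transfer without authoriser signature; email or phone alone is not enough"
    # compare_digest avoids leaking how many bytes matched through timing
    if not hmac.compare_digest(signature, sign_request(request, key)):
        return False, "signature does not match the request (forged or tampered)"
    if abs(now - request["issued_at"]) > MAX_AGE_SECONDS:
        return False, "authorisation expired"
    if request["id"] in seen_ids:
        return False, "duplicate request id (replay)"
    seen_ids.add(request["id"])
    return True, "authorised"


if __name__ == "__main__":
    seen = set()
    req = new_request(250_000, "ES00 CONSTRUCTED 0000", "cfo")
    sig = sign_request(req, AUTHORISER_KEYS["cfo"])
    print(check_transfer(req, sig, seen))          # authorised
    print(check_transfer(req, sig, seen))          # replay rejected
    print(check_transfer(req, None, set()))        # unsigned "urgent" instruction rejected
    print(check_transfer(dict(req, amount_eur=900_000), sig, set()))  # tampered amount rejected
```

The point of the design is that the attacker described in the article, who knows the executive’s name, the employee’s phone number and the project being paid for, still lacks the one thing the gate demands: a signature computed with the executive’s own key. Binding the signature to the amount, the beneficiary, a timestamp and a one-time id means a captured approval cannot be re-pointed at a different account or replayed later.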
“To avoid these situations, attention must be paid to training, awareness and continuous evaluation. These three simple steps are what will turn the user into one more barrier of protection against this type of attack. Additionally, it is advisable to implement detection technologies for them.
These technologies should be based on advanced methods such as machine learning that analyse the writing style of the message, identify certain requests and are able to discriminate legitimate from malicious emails,” says the Trend Micro technical director.
Josu Franco’s recommendations run along precisely the same lines, those of awareness and foresight: “The safest thing is always that when the slightest sign that something is not normal is detected, we make a phone call or use another channel to check. It’s like applying two-factor authentication to verify certain things.
Checking is never too much. You have to step back and be very critical of what you receive, especially when we are facing strange or anomalous situations. We must not let ourselves be carried away by the urgency being pressed on us in the email message.”
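The two recommendations above, detection technology that looks at the content of a message and a policy of out-of-band checking whenever something looks off, can be combined into a simple triage step. The code below is an added example, not Trend Micro’s or Panda Security’s detection logic; it scores the signals the article itself describes (an executive’s name on an outside address, a Reply-To pointing elsewhere, urgency, a money request, an excuse for using a personal account, a demand for secrecy) over three constructed messages, and decides whether the recipient should pick up the phone before acting. The corporate domain, the executive directory and the sample mails are all constructed.

```python
"""Heuristic BEC triage over raw email text.

Added example, not a vendor's product logic. Domain, names and messages are
constructed. Output is a verdict telling the recipient whether to act,
review, or confirm through a second channel before doing anything.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.test"           # constructed
EXECUTIVE_NAMES = {"ana garcia", "luis ortega"}  # constructed list of impersonation targets

URGENCY = re.compile(r"\b(urgent|urgently|immediately|right away|asap|today|before (noon|close of business))\b", re.I)
MONEY_ACTION = re.compile(r"\b(wire|transfer|payment|pay|bank details|account number|iban)\b", re.I)
CHANNEL_EXCUSE = re.compile(r"\bpersonal (e-?mail|mailbox|account)\b", re.I)
DISCRETION = re.compile(r"\b(confidential|do not (tell|share|discuss)|keep this between us)\b", re.I)

# Signals that cast doubt on who is really writing, as opposed to what they ask for.
IDENTITY_SIGNALS = {
    "executive name on external sender address",
    "reply-to points to a different domain",
    "excuse for using a non-corporate channel",
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> list:
    """Return the list of BEC signals found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    signals = []
    if any(exec_name in name.lower() for exec_name in EXECUTIVE_NAMES) and _domain(addr) != CORPORATE_DOMAIN:
        signals.append("executive name on external sender address")
    if reply_to and _domain(reply_to) != _domain(addr):
        signals.append("reply-to points to a different domain")
    if URGENCY.search(text):
        signals.append("urgency pressure")
    if MONEY_ACTION.search(text):
        signals.append("request to move money or change bank details")
    if CHANNEL_EXCUSE.search(text):
        signals.append("excuse for using a non-corporate channel")
    if DISCRETION.search(text):
        signals.append("request for secrecy")
    return signals


def verdict(raw: str) -> str:
    """Money request plus any doubt about the sender: confirm by phone first."""
    signals = set(score_message(raw))
    money = "request to move money or change bank details" in signals
    if money and signals & IDENTITY_SIGNALS:
        return "verify out-of-band"
    if money or signals & IDENTITY_SIGNALS:
        return "review"
    return "ok"


# Constructed sample messages.
LEGIT_MAIL = """From: "Ana Garcia" <ana.garcia@example-corp.test>
To: finance@example-corp.test
Subject: Q3 board deck

Please find the Q3 board deck in the shared folder. Thanks.
"""

INTERNAL_PAYMENT_MAIL = """From: "Luis Ortega" <luis.ortega@example-corp.test>
To: finance@example-corp.test
Subject: Supplier invoice

Reminder that the invoice from our tooling supplier is due for payment on Friday;
details are in the ERP as usual.
"""

FRAUD_MAIL = """From: "Ana Garcia" <ana.garcia.ceo@freemail.test>
Reply-To: <ana.garcia.ceo@freemail-reply.test>
To: finance@example-corp.test
Subject: Urgent wire transfer today

I am in a meeting and cannot talk. Please arrange a wire transfer of 48,500 EUR to
a new supplier before noon. I am writing from my personal account because the
corporate email is giving me problems. Keep this confidential until I sign off.
"""

if __name__ == "__main__":
    for label, mail in [("legit", LEGIT_MAIL), ("internal payment", INTERNAL_PAYMENT_MAIL), ("fraud", FRAUD_MAIL)]:
        print(f"{label}: {verdict(mail)} {score_message(mail)}")
```

The legitimate board-deck mail produces no signals, the genuine internal payment reminder is flagged only for review (it mentions money, which the article says should always invite a second look), and the impersonation attempt trips every signal and is routed to out-of-band confirmation. A real deployment would add the writing-style analysis the Trend Micro director mentions on top of these header and keyword checks; the verdict logic is the part that encodes the “phone call before acting” policy.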
The Panda Security strategy and technology advisor also stresses that this type of cyberattack will not lose steam in 2021: “It is a technique that is growing; let’s not forget that attackers are fishing in troubled waters.
The situation is very likely to evolve for the worse because the deceptions are becoming more sophisticated (there have already been attacks of this type based on voice, which makes identifying them even harder). We must never forget that one of the main motivations for cybercriminals when carrying out these actions is that they are very lucrative attacks, and they always seek financial gain.”