By Kris Tanaka
SecureWorld Media
Do your users know what their SAT scores are?
No, not their Scholastic Aptitude (or Assessment) Test scores, which are used for college admissions. Do they know what their Security Awareness Training (SAT) scores are? Have they even gone through formal security awareness training? Surprisingly, according to Michael Osterman, principal at Osterman Research, Inc., more than one third of employees have not been exposed to any type of security awareness training program.
During SecureWorld's web conference, "Alert: Social Engineering and CEO Fraud Attacks," held on March 10, Osterman stressed that SAT scores are becoming extremely critical for organizations since cyberattacks utilizing various social engineering techniques, such as phishing, are now a huge problem. "And it's only getting worse," he said.
Cybercriminals are turning to increasingly advanced attacks called "Business Email Compromise" (BEC) scams. They have become so widespread that the FBI recently issued an advisory.
BEC scams involve spoofing or hijacking a C-level executive's email account. An email that appears to come from the executive is then sent to a specifically targeted employee, requesting a wire transfer of funds or the release of sensitive information. And because the end user is often the weakest link in the security chain (one widely cited figure blames users for 91% of all data breaches), these scams are incredibly effective.
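The pattern described above (an executive's name on a message that did not come from the executive's account, a reply address that diverts the conversation, and pressure to act) is exactly what a mail gateway or SIEM rule can screen for. The following is an added example written for this article, not code from SecureWorld, KnowBe4 or the FBI advisory; the company domain, the executive roster and the two sample messages are constructed for illustration, and a real deployment would load the roster from the directory.

```python
"""Heuristic screening of inbound mail for CEO-fraud (BEC) indicators.

Added example for this article, not code from SecureWorld, KnowBe4 or the FBI
advisory. COMPANY_DOMAIN, EXECUTIVES and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed: your own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed: display name -> real address
URGENCY_WORDS = ("urgent", "wire", "confidential", "immediately", "discreet")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def bec_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)

    # 1. Display-name impersonation: an executive's name on someone else's address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' used with {addr}, expected {expected}")

    # 2. Lookalike (typosquatted) sender domain, e.g. examp1e.com for example.com.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) == 1:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. A Reply-To outside the From domain quietly diverts the conversation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to.lower()} does not match From domain {from_domain}")

    # 4. Pressure language typical of the scam ("urgent", "confidential", "wire").
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append(f"pressure language: {', '.join(hits)}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <ceo.janedoe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire - confidential

I need you to handle a confidential acquisition payment immediately.
Keep this between us. Wire details follow.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 planning

Please send me the Q3 forecast when it is ready.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or "no indicators")
```

Run against the constructed fraud sample this fires three indicators (display-name mismatch, divergent Reply-To, pressure language) and none against the legitimate one. None of the four checks is conclusive on its own; the value is in scoring them together and routing anything that trips two or more to a human before money moves.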
"The numbers are quite alarming," said Randy Luskey, partner at Orrick, Herrington and Sutcliffe, LLP. "The FBI estimates losses of $1.2 billion worldwide as a result of the BEC scam in less than two years, with over 7,000 U.S. victims alone."
In addition, Luskey said the FBI reported that less than 4% of the victims have successfully recovered those stolen funds.
"This is a scam that survives and succeeds because of this type of psychological phenomenon," said Luskey. "There's something about receiving a direct email from your CEO asking you, personally and directly, to work on a confidential project that no one else can know about. Something that makes you feel very special."
It causes the recipient to overlook obvious red flags, as well as to forget what they have been trained to look out for, he said.
The statistics are sobering, but it's truly tragic when you go inside the companies and listen to the employees who were duped and hear their stories.
"I've seen the devastation that the scam has left in its wake," Luskey said. "It really is a life-changing event for these companies."
If you feel that antivirus software alone can combat social engineering attacks, you might want to think again.
"What most people don't know is that an antivirus program usually updates its definitions about every six hours," said Stu Sjouwerman, founder and CEO of KnowBe4, LLC. Another number to keep in mind is that phishing sites are active for about six hours, he said. After that time, they are taken down by the bad guys, only to be quickly replaced by a new campaign.
"Those two windows of six hours are not a coincidence," he said. The criminals know very well that an AV will kick in during that time. Unfortunately, they will already be on to the next thing.
To hear actual case studies involving BEC scams and best practice strategies that can be implemented in your organization, click here to view the on-demand recording of "Alert: Social Engineering and CEO Fraud Attacks" at your convenience.
You can also quickly find out whether cybercriminals can launch a CEO fraud spear phishing attack on your organization by taking a free domain spoof test from KnowBe4. The test involves a spoofed email that will be sent "from you to you." If it makes it through to your inbox, you know you have a problem.
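Whether a "from you to you" message gets through depends on what your domain publishes in DNS and on whether the receiving gateway enforces it: SPF says which hosts may send for the domain, and DMARC tells receivers what to do when neither SPF nor DKIM aligns with the From address. The following added example (written for this article; not KnowBe4's test or any published tool) evaluates constructed SPF and DMARC record strings offline and reports whether a forged same-domain From would be rejected by a DMARC-enforcing receiver. For a real domain you would fetch the records with `dig TXT example.com` and `dig TXT _dmarc.example.com` and pass the strings in.

```python
"""Judge from a domain's SPF and DMARC records whether mail forging that
domain in the From: header would be rejected by a DMARC-enforcing receiver.

Added example for this article; not KnowBe4's spoof test or any published
tool. All record strings passed in below are constructed.
"""

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf_all(record):
    """Return the SPF result an unlisted sending host gets ('pass', 'fail',
    'softfail', 'neutral'), or None if the record is missing or not SPF.
    For a forger sending from their own server only the terminal 'all' matters."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in SPF_RESULT else "+"
        if term.lstrip("+-~?").lower() == "all":
            return SPF_RESULT[qualifier]
    return "neutral"  # RFC 7208: nothing matched and no 'all' -> Neutral


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is missing or not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def spoof_exposure(spf_record, dmarc_record):
    """Classify as ('exposed' | 'partial' | 'protected', reason)."""
    spf_all = parse_spf_all(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        return ("exposed", "no DMARC record: receivers have no policy to reject a forged From")
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        return ("exposed", "DMARC p=none only reports; forged mail is still delivered")
    if spf_all == "pass":
        # '+all' lets any host pass SPF in alignment with the From domain,
        # so the forger passes DMARC even under p=reject.
        return ("exposed", "SPF ends in +all, so a forger's server passes SPF and DMARC")
    pct = int(dmarc.get("pct", "100"))
    if pct < 100:
        return ("partial", f"p={policy} is applied to only {pct}% of failing mail")
    if policy == "quarantine":
        return ("partial", "p=quarantine sends forged mail to spam rather than rejecting it")
    return ("protected", "p=reject and unlisted hosts do not pass SPF")


if __name__ == "__main__":
    # Constructed records, not real DNS data.
    cases = [
        ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        ("v=spf1 ~all", None),
        ("v=spf1 +all", "v=DMARC1; p=reject"),
        ("v=spf1 -all", "v=DMARC1; p=quarantine; pct=50"),
    ]
    for spf, dmarc in cases:
        print(spf, "|", dmarc, "->", spoof_exposure(spf, dmarc))
```

Two caveats a practitioner should keep in mind. Publishing `p=reject` only helps when the receiving side (here, your own gateway) actually evaluates DMARC, which is why the inbox test the article describes is still worth running after the records are in place. And the check above covers forgery of your exact domain; it says nothing about the lookalike domains and free-mail addresses that BEC actors also use, which need the display-name and Reply-To checks instead.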