Data or system breaches are potentially the number one risk for many businesses. The threat is just as real for small business owners as it is for enterprise leaders – whether it be from theft, disruption or damage, malicious or accidental. Some threats are easier to manage than others – but there is one source of potential malice that is notoriously difficult to stay ahead of: Social Engineering, otherwise known as CEO Fraud.
The cybercrime networks are getting more advanced and sophisticated by the day and one of the ways they may attack your business is by targeting the most senior people in organisations. By using social media to thoroughly research an organisation, often with automated bots and crawlers, criminals can find out company directors, suppliers and other information and then use these insights to successfully fool unsuspecting (smart!) people. Some of the possible outcomes? Virus infection, lost or frozen data or lost money.
As the owner of your business, it’s vital that you stay informed, this is the first step in retaining control.
Social engineering: a big threat to your small business
Social engineering is an ever-evolving concept. And while it’s tempting to think, ‘That would never happen to me’, the truth is it can. No business is immune. We dealt with an established professional services firm whose finance department transferred funds to a hacker, thanks to a well-crafted email that correctly referenced a particular project, staff and customer details. Scary stuff.
As step one in keeping you informed, here is a brief overview of the terminology you may have seen referenced – sometimes interchangeably. While there are some differences, the terms are all related, and all refer to scams that try to access data and steal information or money.
Criminals send a large number of fraudulent emails out in the hope that a small percentage of business owners or individuals will click on a link or provide sought-after information.
- Whaling or CEO FraudThis is a targeted attack on a high-profile user (such as a C-level executive). A simple, well-crafted email is sent to a specific person who has the authority to transfer money. The social engineering efforts are usually quite advanced and the email is likely to look highly legitimate. As the email appears to come from someone of influence, such as a CEO or CFO – or may even be sent from their actual email address – this provides a possible ‘in’ for the attacker.
Here are the facts you can’t ignore
- CEO data fraud is big business. FBI data reveals that CEO fraud has shot up by 2,370% since January 2015, with reported exposed losses of over USD$5.3 billion globally.
- CEO data fraud is more common than you may think. In fact, it’s the most prevalent type of attack after ransomware. Socially engineered attacks are favoured by perpetrators because the risk-to-reward ratio is huge. The most common victims? Those with financial authority.
- You can’t afford CEO data fraud. FBI data reports that the average financial loss to individuals is USD$6,000 and an organisation, USD$130,000. These are some big numbers.
It can happen to anyone. Some real-life examples.
Before you think ‘I or my team wouldn’t fall for that’, think again. No business is immune to fraudulent attacks. Even technology giants Google and Facebook fell victim to social engineering.
Facebook and Google were hacked by a perpetrator impersonating a large Asian-based computer manufacturer – a regular supplier to both companies. Using social engineering, the hacker generated fake email addresses, invoices and corporate stamps. The result? Over a two-year period, USD$100 million was siphoned to various Eastern European bank accounts.
In one of the largest data breaches ever seen, Equifax admitted that hackers stole personal information from up to 143 million US consumers. Following the public announcement in September 2017, company shares plummeted and several C-level executives exited and were later investigated by the Federal Trade Commission.
Closer to home, we worked with a law firm that was compromised when a well-crafted email reached the finance department. By referencing the right customer and project details, the finance team were fooled into transferring funds to another account. It can and does happen.
Act now. Get informed and take the first steps.
The good news is that when it comes to IT security, small steps can make a real difference. And we can help. Our simple, actionable checklist highlights the top security-related priorities for a business running on Office 365 and is a valuable first step in helping you take control. Download the checklist here or get in touch today.