“All warfare is based on deception… when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” ― Sun Tzu, The Art of War
“What a tangled web we weave, when first we practice to deceive.” ― Sir Walter Scott
This past April, hackers gained access to the sensitive data of at least eight Magellan Health affiliates and some of their clients, impacting nearly 365,000 patients and employees. How did they pull it off? Social engineering.
The phishing scheme (which later deployed ransomware) worked because it actually impersonated a Magellan Health client. Sensitive data was breached from Magellan servers because someone was deceived into thinking they were just doing normal business.
How Social Engineering Works
Deception has always been with us; it’s as old as Eden. Today, social engineering has become so effective for hackers that a recent Verizon Report lists it as the cause of 91% of all data breaches.
“Social engineering bypasses all technologies, including firewalls,” says infamous former hacker Kevin Mitnick. “What I found personally to be true is that it’s easier to manipulate people rather than technology.”
And because it works on the human element – the average employee who opens the door and lets the intruder in – it matters little whether the system is Windows or Mac, or whether any technical flaw is exploited at all.
What gives social engineering such power? At its core, social engineering works through psychological manipulation, exploiting its victims through deception. Urgency and/or fear are the primary tools, rather than technology.
It might be a “scareware popup” banner that tells you your computer is infected, and to “click here for help.” It may even exploit a pandemic, as we saw this past year with helpful-looking but fraudulent Covid-19 websites, emails, and telemarketing calls. Once the bait is taken, social engineering allows hackers to infiltrate systems, download malicious files, and access sensitive data.
The Business Email Compromise
One social engineering technique that is especially effective at using urgency is the Business Email Compromise (BEC). For Kari Hornfeldt, a Chicago marketing professional, this came in the form of an “urgent email from the boss” requesting that she purchase $1,000 worth of Google Play gift cards to give as gifts to company clients.
“In hindsight, I should have been like, ‘This is weird,’ but your boss asks you to do something and you do it,” Kari said. When the company credit card didn’t process, Kari purchased the cards using her own debit card, trusting that the company would reimburse her. It turns out, the company knew nothing about it.
“I basically used up all of the money in my checking account to buy these cards,” she said. It was only when she was instructed in a follow-up email to buy more cards – which she attempted to do at a local Best Buy – that an employee at the store questioned the purchase and warned her about the scam.
Currently, the king of social engineering is phishing. As noted, it’s the cause of over 90% of data breaches, and 67% of ransomware attacks are successful due to phishing schemes that first urged their recipients to click on links.
Phishing thrives because it relies on slick, realistic emails to deceive. An email may appear to be from a typical client or well-known institution (your bank, or a popular department store), yet because it is so well crafted, we “pay no attention to the man behind the curtain.” In fact, we don’t even question whether there’s a curtain at all. If “the devil’s finest trick is to persuade you that he doesn’t exist,” as Baudelaire posited, then surely that is social engineering’s power.
When links in the email are clicked, the hacker gains a foothold into the system, stealing the user’s credentials to access company secrets or data, and/or to deposit malware.
What to Look For
According to Infosec, phishing attacks present the following common characteristics:
- Messages are designed to attract the user’s attention, to stimulate his curiosity by providing a few pieces of information on a specific topic. The victim is then led to visit a specific website to learn more.
- Phishing email messages often have a deceptive subject line to deceive the recipient into believing that the email has come from a trusted source. Attackers use a forged sender’s address or the spoofed identity of the organization. They usually copy content such as texts, logos, images and styles used on the legitimate website to make it look genuine.
- Phishing messages aimed at gathering a user’s information convey a sense of urgency. This is an attempt to trick the victim into disclosing sensitive data in order to resolve a situation that could get worse without the victim’s interaction.
- Attackers leverage shortened URLs or embedded links to redirect victims to a malicious domain that could host exploit codes or that could be a clone of legitimate websites with URLs that appear legitimate. In many cases, the actual link and the visual link in the email are different; for example, the hyperlink in the email does not point to the same location as the apparent hyperlink displayed to the users.
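The last two characteristics above (shortened URLs, and a visible link that does not match the real target) are ones a mail gateway or awareness tool can check mechanically. The Python script below is an added example written for this article, not code from the original post or from Infosec: it parses an HTML email body, collects every anchor's href and visible text, and flags anchors that route through a URL shortener or whose displayed domain differs from the domain the href actually points to. The sample email body and the shortener list are constructed for illustration, and the registrable-domain helper is a deliberate simplification (real code would consult the Public Suffix List).

```python
"""Flag anchor tags in an HTML email whose visible link text disagrees with
the real href target, plus links that route through URL shorteners.

Added example for illustration; the sample body and shortener list are
constructed, not taken from any real message.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative shortener list; a deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Visible text that itself looks like a URL or bare domain, e.g. "www.bank.example.com/login"
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(text):
    """Return the lowercase hostname of a URL or bare domain, or '' if none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text          # let urlparse treat a bare domain as a URL
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain.
    (Simplification: real code would use the Public Suffix List.)"""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an open <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return a list of (href, visible_text, reason) for suspicious anchors."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host in SHORTENER_HOSTS:
            findings.append((href, text, "url-shortener"))
            continue
        if LOOKS_LIKE_URL.match(text):
            # The user sees one domain; the href goes somewhere else.
            if registrable(host_of(text)) != registrable(href_host):
                findings.append((href, text, "display/target mismatch"))
    return findings


# Constructed sample email body for demonstration.
SAMPLE_EMAIL = """
<p>Your account needs verification. Please log in at
<a href="http://secure-login.example.net/verify">https://www.bank.example.com/login</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.bank.example.com/help">www.bank.example.com/help</a>
or <a href="https://bit.ly/3abc">this short link</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL):
        print(f"{reason}: shows '{text}' but goes to {href}")
```

Run against the constructed body, the first anchor is reported as a display/target mismatch (the text shows the bank's domain while the href points at a different registrable domain), the second anchor is clean, and the third is reported for routing through a shortener. The same check can be extended to compare the anchor's domain against the sender's domain, which is the other clue the list above mentions.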
What You Can Do
Even if your company has never been victimized by social engineering, it’s important to take action. Recognize that everyone on your staff is a potential target, and your security is only as strong as your weakest link. Management should meet to strategize possible preventative measures, including staff training and ways to mitigate security breaches and protect valuable company information.
An experienced Managed Security Service Provider can also help oversee network access, with advanced security tools like protected passwords and two-factor authentication. Contact local law enforcement or a professional consultant if needed.
Raising the level of cyber-awareness on social engineering may help prevent a costly data breach, theft of your sensitive company secrets, and all manner of havoc that a hacker might decide to pursue. Here’s an excellent, low-cost training program you can use to equip all levels of your staff.
HIPAA Vault can help prepare you in the face of increasing social engineering attacks directed at healthcare. Talk to us today! 760-290-3460 or chat with us at www.hipaavault.com.
HIPAA Vault is the leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA compliant cloud solutions, including secure email, HIPAA compliant WordPress, secure file sharing, and more.