One of the strongest defenses you can have against data breaches and network infiltration is a well-educated organization. Part of that education needs to cover how to verify requests from coworkers and vendors without falling for fraudsters and scams. In today’s post, we’ll review a few things you can do to set your organization up to defend its data by cultivating a positive attitude around verification.
Wire Transfer Phishing
One of the most common social engineering scams is wire transfer fraud, usually grouped under business email compromise (BEC). It works like other impersonation scams and often starts with a lookalike email address: one that passes for a known contact at first glance but uses a misspelled or slightly altered domain, like [somebody]@crowncomptupers.com in place of crowncomputers.com. Someone writes from that address with an invoice to pay, and if nobody catches the domain, the funds go to the attacker’s account. Keep in mind that the display name on an email is chosen entirely by the sender, so a familiar name in the From line proves nothing; the address and its domain are what to check.
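As an added example, not code from the original post, here is a small Python check that flags sender domains which resemble, but are not, a trusted vendor domain. It parses the real address out of the From header (ignoring the display name), folds common look-alike characters, and compares the result to a trusted list by edit distance and by embedded vendor name. The trusted list, the confusable-character table and the sample From headers are all constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a trusted vendor domain.

Added example, not code from the original post. TRUSTED, CONFUSABLES and
the sample From: headers below are constructed for illustration.
"""
from email.utils import parseaddr
import unicodedata

# Constructed list: the exact domains your vendors and coworkers send from.
TRUSTED = {"crowncomputers.com"}

# Substitutions typosquatters use that survive a quick glance. This is an
# illustrative subset, not an exhaustive confusables table.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (standard two-row dynamic program)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold case, drop accents and non-ASCII look-alikes, and collapse common
    confusables so that cr0wncomputers.com compares equal to crowncomputers.com."""
    d = unicodedata.normalize("NFKD", domain.strip().rstrip(".").lower())
    d = d.encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def sender_domain(from_header: str) -> str:
    """Domain of the actual address in a From: header. The display name is
    ignored on purpose: the sender controls it completely."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(from_header: str, trusted=TRUSTED, max_edits: int = 2) -> tuple[str, str]:
    """Return (verdict, reason); verdict is one of
    'trusted', 'lookalike', 'unlisted' or 'unparsable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparsable", from_header
    for t in sorted(trusted):
        # Exact match, or a subdomain the vendor owns (mail.vendor.example).
        if domain == t or domain.endswith("." + t):
            return "trusted", domain
    ndom = normalize(domain)
    labels = set(ndom.replace("-", ".").split("."))
    for t in sorted(trusted):
        nt = normalize(t)
        edits = levenshtein(ndom, nt)
        if edits <= max_edits:
            return "lookalike", f"{domain} is {edits} edit(s) from {t} after normalization"
        # The vendor's name reused as a label elsewhere in the domain, e.g.
        # crowncomputers.com.evil.example or billing-crowncomputers.example
        if nt.split(".")[0] in labels:
            return "lookalike", f"{domain} embeds the name from {t}"
    return "unlisted", domain


if __name__ == "__main__":
    # Constructed headers; the fourth uses a Cyrillic 'o' (U+043E) in "crown".
    samples = [
        "Sean Goss <sean@crowncomputers.com>",
        "Sean Goss <sean@mail.crowncomputers.com>",
        "Sean Goss <sean@crowncomptupers.com>",
        "Sean Goss <sean@cr\u043ewncomputers.com>",
        "Accounts Payable <ap@crowncomputers.com.evil.example>",
        "Sean Goss <sean@evil.example>",
    ]
    for s in samples:
        print(classify(s), "<-", s)
```

The output is a prompt to verify out of band, not a block decision: a legitimate but unrelated domain within two edits of a vendor name will also be flagged, which is acceptable for a "go check" signal. Real headers carry non-ASCII domains in IDNA (xn--) form, so a production check would decode those first; this example assumes the raw Unicode form.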
A more advanced and targeted form of this happens when someone compromises a real email account in your organization. Mail sent from a genuine internal account passes every sender check your mail system can perform, and an unusual transfer request arriving from a coworker’s real address may not give you a second’s pause. This kind of targeted attack has virtually no chance of being stopped by email scanning.
Breaking Bad Habits with Open Dialog
While email filtering can help catch some of the misspelled-address attacks, many modern scams start with hijacked credentials. We’ve covered how these credentials might be obtained quite a few times over the past couple of years. Verifying that someone really is who they say they are, even someone you work with every day, becomes important when they ask you to do something out of the ordinary, like make an unusual payment, change where a payment goes, or hand over sensitive information.
Start a dialog in your organization about how you communicate with one another. It may sound simple or too general, but to get everyone on the same page, everyone needs to understand what’s at stake when communicating via email, text, phone call, and so on. If people feel they can’t question a request, they won’t reach out to verify it. Feeling intimidated, rushed, or simply forgetting to verify a request to divulge information or send a payment can be far more costly than a quick check with the requester through another form of contact. Make it explicit that checking is expected and that nobody will be faulted for holding up an “urgent” payment to confirm it.
Diversify your Verification Channels
One way of thinking about this practice is to do multi-factor verification yourself: use a phone call to verify an email request, an email to verify a text message, and so on. The second channel has to be one the attacker can’t also control. Calling back the number that just texted you proves nothing, and neither does replying to the email. Use contact details you already have, such as the company directory or a number you’ve used before, rather than anything supplied in the suspicious message. Internal tools like a Teams video call diversify your channels when the request came in by text or phone, because an attacker is unlikely to hold both someone’s Microsoft 365 credentials and their phone. They do not help with a request that came from that person’s email, since the same Microsoft 365 account signs in to both Outlook and Teams.
While open communication and extra verification are the current best practice, it’s worth noting that the most determined attackers will be using deepfake and AI voice and video tools in the coming years. In the near future, a faked voice on the phone or even a faked video call will be cheap to produce for high-value scams. That pushes verification of large transactions toward in-person confirmation: if you’re in the same building as the person asking you to transfer funds, walking over to say “hi” could really streamline how you authenticate requests.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team