Social engineering on the rise, cyber experts warn
Cyber criminals increasingly use “social engineering” – manipulating people into giving up confidential information – to target businesses, according to the Australian Cyber Security Centre.
Last financial year, reports to the Australian Cybercrime Online Reporting Network showed a 230% rise in losses, totalling more than $20 million, due to business email compromise.
The centre says this probably represents only a small percentage of total activity, due to misreporting and underreporting.
Business email compromise mostly involves someone impersonating a senior employee to change invoice details or to generate a sense of urgency that bypasses anti-fraud processes.
In one case in the US, a cyber criminal posed as both the CEO and COO of a large corporation and obtained fraudulent payments of more than $US500,000 ($638,350).
The criminal sent an email requesting a large payment from the financial controller, and a second containing a false email trail approving the request.
Australian small businesses are also being targeted by themed phishing emails from known contractors whose systems have been compromised by cyber criminals. The criminals gain access through malicious PDF files or “credential phishing”.
“Social engineering is becoming more sophisticated and is likely to be increasingly used by adversaries to disguise their illicit activities as genuine,” the centre says.
“As cyber adversaries refine their social engineering tradecraft, legitimate communications are sometimes becoming almost indistinguishable from social engineering attempts.”
Robust technical controls are increasingly important to protect against such attacks.