In this blog, the third in our Top Payment Cycle Attacks series, we spotlight attacks that use social engineering as their main approach. Instead of silently hijacking the payment cycle to redirect the normal payment flow to a malicious destination, the attacker proactively targets an individual within the organization and gets them to perform an action that benefits the attacker. Social engineering techniques are used to pressure this individual into trusting the request and suspending the standard precautions that are usually in place.
Employees at any organization are easy prey to manipulation, especially when the transgressor is very convincing. In these cases, employees are willing to circumvent processes or rules they normally would not. Adversaries are masters at identifying and pulling the right levers to impel employees at a target organization to perform the actions needed to execute their ploys.
Panic, for example, is a strong motivator when manipulating people. Instilling fear in someone can prompt them to deviate from their normal behavior and perform tasks they might not otherwise. Fear and panic can cause a kneejerk reaction rather than a thoughtful response. In cases where someone believes that something important is at stake, like their job, this can cause them to act very differently than usual. The attack we’re about to describe illustrates this clearly enough.
Corporate organizations are driven by hierarchy. CEOs and CFOs are people you want to be on good terms with. If either of them reaches out to you personally asking for a special task that overrules or expedites standard procedures, you will probably go ahead and respond to the request. This paves the way for a whole wave of frauds in which adversaries impersonate senior management. Under this assumed identity they reach out to members of the Finance team who can approve payments or set up a new vendor in the ERP and ask for a transfer to be made. Their targets, usually the less senior members of the team, are typically all too eager to comply with the request.
As such, the first step adversaries take is identifying and gaining access to the email or text messages of senior management members, requests from whom an employee would blindly follow.
The next step is to identify which employee would respond best to the impersonated outreach. To qualify, the employee must have the ability to perform the required action. Ideally, the target employee also does not personally know the impersonated CEO/CFO. Outreach from a senior executive creates a lot of urgency for the employee to follow the instructions, and we have seen many times that the more distant the impersonated person is from the employee, the higher the probability that the scam will work.
Following the preparation comes the actual execution. One would be surprised how much energy is invested in picking the best time and place to send the social engineering message; apparently its effectiveness rises in direct proportion to the target's exhaustion and inattentiveness. For example, it has been shown that people are often more inclined to trust when they are towards the end of the day, or more stressed out and overloaded with work.
Social engineering pushes an individual to perform actions they would not take under normal circumstances. Here the attacker needs to decide how far to go once they have successfully impersonated an influential person at the company. In one scenario, the bad actor uses social engineering as the final touch point in an attack they have already prepared in advance by compromising the target's tech infrastructure. For example, say the attacker has already compromised a user with access to the ERP system and created a fake bank account within it. In that case, the goal of the social engineering is to lure an individual into releasing a payment to this new account. This attack is highly effective because it does not require any substantial deviation from the targeted employee's behavior: it requires them to take one small action. On the flipside, the attacker must invest greater effort in the preparation stage by compromising the other systems first, before launching the social engineering attack on the employee.
In another type of scenario, an attacker relies completely on social engineering from scratch to get what they want. They use cunning messaging that compels the employee to take actions they usually wouldn’t, be it circumventing standard protocols or expediting the payment process without the proper approvals or any number of other behaviors that deviate from the normal procedure for payment.
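For both scenarios above, a defender-side control is a hold-before-release check on the payment itself: a beneficiary account that is new, was created by the same user now releasing the payment, or a release that skipped the standard approvals all trigger out-of-band verification. The following is an added example, not code from the original post or from Trustmi's product; the ERP record shapes, field names, the 30-day window, the approver count and the sample data are all assumptions constructed for the demo.

```python
# Added example, not the original post's code: a hold-before-release check for the
# attacks above (a compromised ERP user adds a new vendor bank account, then a
# pressured employee is asked to pay it fast). All record shapes and data are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class BankAccountRecord:      # constructed ERP audit row for a vendor bank account
    vendor: str
    account_id: str
    created_by: str
    created_on: date

@dataclass
class PaymentRequest:         # constructed payment-release request
    vendor: str
    account_id: str
    amount: float
    released_by: str
    approvers: list = field(default_factory=list)
    expedited: bool = False   # normal approval chain skipped or rushed

NEW_ACCOUNT_WINDOW = timedelta(days=30)   # assumed policy value
REQUIRED_APPROVERS = 2                    # assumed policy value

def risk_flags(payment, accounts, today):
    """Reasons to hold the payment for out-of-band verification; empty list means release."""
    flags = []
    acct = next((a for a in accounts
                 if a.vendor == payment.vendor and a.account_id == payment.account_id), None)
    if acct is None:
        flags.append("beneficiary account not on file for this vendor")
    else:
        if today - acct.created_on <= NEW_ACCOUNT_WINDOW:
            flags.append("beneficiary account created within the last 30 days")
        if acct.created_by == payment.released_by:
            flags.append("same user created the account and released the payment")
    if payment.expedited or len(payment.approvers) < REQUIRED_APPROVERS:
        flags.append("standard approval workflow not completed")
    return flags

# Constructed sample: a fake account added by a compromised user on 2024-03-01; two days
# later a clerk, pressed by a message from a fake "CFO", is asked to expedite a payment to it.
ACCOUNTS = [
    BankAccountRecord("Acme Supplies", "ACC-LEGIT", "ap.admin", date(2021, 6, 15)),
    BankAccountRecord("Acme Supplies", "ACC-NEW", "compromised.user", date(2024, 3, 1)),
]
TODAY = date(2024, 3, 3)
RUSHED = PaymentRequest("Acme Supplies", "ACC-NEW", 48000.0, "clerk", expedited=True)
ROUTINE = PaymentRequest("Acme Supplies", "ACC-LEGIT", 48000.0, "clerk", ["mgr1", "mgr2"])
```

Calling `risk_flags(RUSHED, ACCOUNTS, TODAY)` returns two hold reasons (new account, approvals not completed), while `ROUTINE` returns an empty list and can be released.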
Sadly, generative AI tools, particularly deepfakes, are making social engineering schemes even more effective. A recent story that is particularly troubling is a finance worker who was manipulated into paying out $25 million after being on a video call with a deepfake of the CFO and other officers at his company. We will see more of this level of sophisticated social engineering in the future.
Compared to the attacks described in this series, social engineering is one of the most traditional. Indeed, abusing one’s trust to manipulate people into performing a certain action is certainly nothing new. And it continues to be highly effective. Either as a standalone scheme or combined with other tactics, social engineering is a core component in many attacks. It’s common to say that ‘humans are the weakest link in the security stack.’
And any solution protecting the business payment cycle will need to address this weak link. And that’s where Trustmi comes in.
Get in touch today and learn how Trustmi thwarts social engineering attacks, from the very first suspicious email or BEC incident all the way through to payments release.