We’ve all heard stories about individuals losing money to threat actors pretending to be someone they’re not in an email. Take Evaldas Rimasauskas, who recently stole more than $120 million by pretending to be someone else. The surprising thing about Evaldas’ payoff? He got all that money from just two targets — Facebook and Google.
Rather than calling up consumers and pretending to be a credit card fraud detection specialist or IRS auditor and netting maybe thousands of dollars, he went straight for the big bucks.
How could he infiltrate these Tech Titans’ Accounts Payable process? Social Engineering. Rimasauskas convincingly impersonated a Taiwan-based manufacturer that actually does supply Facebook and Google. Using fraudulent invoices and various accounts, he got the tech giants to pay him tens of millions of dollars over a few years.
This is one of the more audacious examples of Social Engineering, but it’s illustrative — and it’s becoming increasingly relevant.
New stats: threat actors are concentrating harder on businesses
Social Engineering, in which a threat actor impersonates someone to trick a target into providing money or data, is one of the most difficult attack vectors to control because it relies heavily on a person’s subjective judgment. In the case of a business, bad actors have many potential social engineering pathways to the same goal and bigger bucks.
At the consumer level, data compromises in the first half of 2022 were down slightly from last year’s record high, with fewer reported victims, according to the Identity Theft Resource Center. The attacks shifted to larger targets: businesses, government agencies, and institutions, the center said.
The prevalence of remote work can make business attacks even easier, allowing cybercriminals to get access to emails, use executives’ Zoom accounts to pose as them, or simply take a screenshot of sensitive information that someone left out on their desk during a video call.
Fighting the many forms of Social Engineering
Social Engineering is often an underlying component of other types of fraud. In our earlier example, the threat actors did plenty of research ahead of time and were very familiar with the appropriate people, processes and contact information.
Phishing and business email compromise rank among the most popular tools, but various other methods can also support these scams. There are several ways to help protect your business:
- Get a social engineering assessment. Employees are almost always the weakest link in an organization’s cybersecurity. Regular testing and training integrates security into the corporate culture.
- Two-factor authentication — using an independent method to verify an identity — can often put an early stop to fraud. For example, if a Facebook employee had independently called the vendor, it would have become apparent that the invoices and representatives were fraudulent. Similarly, two-factor authentication, such as requiring a code that is texted to a previously saved phone number in order to sign in, can protect email accounts.
- Always be on guard against unsolicited requests for login or other personal information.
- Make sure URLs and domain names appear correct and consistent.
- Spelling and grammar errors should put you on guard, as should emails sent at odd times, like in the middle of the night.
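As an added, defender-side example that is not part of the original post: a small Python triage script that implements the domain-consistency and odd-hours checks from the list above, plus a flag for invoice emails that ask to change payment details. The vendor domain, sender addresses, timestamps and message bodies are all constructed placeholders, not real data.

```python
"""Constructed example: triage checks for invoice-style emails, covering the
lookalike-domain and odd-send-time advice in the list above. All sample
messages and the vendor domain are constructed placeholders."""
from datetime import datetime

# Placeholder: domains the business has previously verified with its vendors.
KNOWN_VENDOR_DOMAINS = {"example-supplier.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two typos away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def triage(msg: dict) -> list[str]:
    """Return the reasons an email deserves out-of-band verification."""
    flags = []
    domain = sender_domain(msg["from"])
    if domain not in KNOWN_VENDOR_DOMAINS:  # exact matches are trusted as-is
        for known in KNOWN_VENDOR_DOMAINS:
            if edit_distance(domain, known) <= 2:
                flags.append(f"sender domain {domain} looks like known vendor {known}")
    hour = datetime.fromisoformat(msg["sent"]).hour  # assumed local time
    if hour < 6 or hour >= 22:
        flags.append(f"sent at unusual hour ({hour:02d}:00 local)")
    body = msg["body"].lower()
    if "invoice" in body and any(w in body for w in ("new bank", "updated account", "wire")):
        flags.append("invoice asks to change payment details")
    return flags

SAMPLE_MESSAGES = [  # constructed: one legitimate-looking, one suspicious
    {"from": "ap@example-supplier.com", "sent": "2022-03-14T10:15:00",
     "body": "Attached is invoice 1042 for last month's shipment."},
    {"from": "ap@exarnple-supplier.com", "sent": "2022-03-15T02:40:00",
     "body": "Please pay invoice 1043 to our updated account, details attached."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], triage(m))
```

Any flagged message should be routed to a phone call on a previously saved vendor number rather than a reply to the email, which is the independent verification step described above.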
Fortunately for Facebook and Google, the FBI was able to help the companies recover most of the stolen money. Rimasauskas was sentenced in December 2019 to five years in a U.S. prison, as well as forfeiture of $49.74 million and restitution of $26.48 million.
But time, headaches and intangibles can’t be repaid. With cybercrime remaining so prevalent and costly, prevention is worth some time and money. Digital Silence strives to be the down-to-earth, sophisticated partner you want on your team, and we have a unique breadth of industry experience that lets us align our work with your specific business priorities. Let us help protect you.