Modernizing Authentication — What It Takes to Transform Secure Access
Phone scams are becoming increasingly complex, from advanced social engineering attacks to enhanced versions of the Dell and Microsoft phone scams that leverage sensitive information to convince victims that they are legitimate.
"Cybercriminals often use the name of well-known companies, like Microsoft, to convince people their services are legitimate," a Microsoft spokesperson told eSecurity Planet by email. "Our guidance for customers is to never provide your personal information to unsolicited callers and/or emailers."
But with the rise of cybercrime as a service, Aite Group senior analyst Ben Knieff said it's increasingly simple for attackers to spoof telephone numbers and launch targeted social engineering attacks that can fool even cautious users.
"There's a Russian site where they literally advertise that they have people who can speak in six different languages, sound native and are available 24/7," Knieff said. "The criminal economy has become more and more specialized in terms of the fact that you don't need to do all the work; you can just pay somebody to help you."
In some cases, like one detailed in an earlier eSecurity Planet article, scammers even knew sensitive information such as service tag numbers and express service codes for Dell computers. The scammers also tried to infect the user's system.
"This scam would get the vast majority of people because of the level of sophistication and personal information they revealed in order to win trust. Not to mention, they had a second person that was ready to act like a manager to try and move the scam along. I believe most of my colleagues and friends, not in the security space, would have fallen for these tactics," wrote Rod Simmons, a product group manager for security vendor Beyondtrust and author of the article.
Crucially, Knieff said, phone scams are now launched against companies of all sizes and types, from large banks to small companies with 20 or 30 employees.
"Sometimes the smaller ones are actually easier targets, because maybe they don't have as much IT training or maybe they've got a part-time contractor who manages their security. So it's easy for a bad guy to call into accounts payable and work their way through, he said.
These scams aren't just about getting a single fraudulent invoice paid. "In many of these cases, the social engineering component can get malware onto the machine," Knieff warned. "And once the malware is on the machine, the criminals can, for lack of a better word, control everything on the computer, which can lead them into other parts of the network so that they can exfiltrate data."
So what can enterprise IT security teams do to foil phone scams?
Make Security Training Relevant and Continuous
The most obvious way to protect against phone scams is to implement effective security training for users, but doing so can be a challenge. "It does become kind of, 'Damned if you do, damned if you don't,' because a lot of companies have so many different trainings that they run - compliance training and sexual harassment training and technology training and all sorts of things," Knieff said.
As a result, it's crucial to provide training in easily digestible chunks so that users don't feel overwhelmed and start ignoring the information.
"Instead of another annual training that's going to take two hours to go through, it's better to, say, have a once-a-month newsletter that includes a bit of training and maybe some recent scam reports," Knieff said.
That way, users get a regular reminder of the threats that are out there, what the warning signs are, and what can happen if those warning signs are ignored. That shouldn't require a significant investment, Knieff said. "Any IT guy should be able to find, with a quick Google search, some new examples every month."
It may be helpful to provide employees with five rules for handling a scam call, suggested by Beyondtrust's Simmons in his eSecurity Planet article.
Daniel Kennedy, research director for information security at 451 Research, said any training should focus on making sure users are conscious of the specific techniques that attackers are likely to use. "Then they can be aware of it and hear it when it's being presented to them, and know that they're in a situation where someone might be trying to scam them," he said.
Setting the right tone for the training is also key.
"I worked for a firm where the CEO showed up for the annual security awareness training with everybody else," Kennedy said. "That was a clear message to everyone in the room that this was important - the fact that he was sitting in the middle of the room and listening to everything."
Implement Security Processes and Procedures - and Back Them up
Putting the right processes and procedures in place to verify people is also key. A private client services group at a bank he worked with years ago had a ridiculously flawed verification process, Kennedy recalled. "Their verification, because they dealt with a certain kind of client, was to say, 'Is this your Social Security number? Is this your birthday?' and your answers had to be 'yes' and 'yes,'" he said.
Unfortunately, Kennedy added, even a solid verification process can easily go out the window in the face of classic social engineering methods.
"One is an appeal to authority," he said. "They say, 'This is Richard Jones.' You know Richard Jones right away - he's the CEO of your company - and you immediately want to help. You immediately become nervous. 'Why is this guy calling here directly? I'm going to do anything to get him whatever he's asking for.'"
That's where good training kicks in. "You have to make sure people know, from a security awareness standpoint, that these are the verification procedures we've agreed upon as a company, and they must be used for everyone, no matter who they say they are, no matter how angry they get," Kennedy said.
Employees jump when a CEO says "jump" because they understandably fear being punished for denying requests from their superiors, Kennedy said.
"If you're going to have a process, make sure everyone's on board with it, make sure everyone's trained with it, and make sure there aren't going to be any repercussions for not following the process," he said. "You have to be true to it."
The "four eyes principle" can also provide a basic backstop to ensure funds are not released inappropriately, Knieff said. "If somebody enters a payment, somebody else needs to approve it. That's one of the simplest possible approaches that can have a huge impact."
The 2009 theft of $588,000 from Patco Construction, Knieff said, is a good example of a case where a second pair of eyes could have stopped the breach.
Leverage Tech such as Advanced Data Loss Prevention
Technological solutions can also make a significant difference. Knieff suggests looking into voice biometrics solutions from companies like Verint, Pindrop Security and NICE Systems, which can watch out for recognized criminals. While products like that are rarely deployed beyond large call centers, he said, they are worth considering for other businesses.
"Most companies, at least the somewhat larger ones, have an internal VoIP system," he said. "So there are more than likely some touch points where something like that could easily be implemented."
Advanced data loss prevention solutions are also worth looking at, Knieff said.
"Some newer technologies have come out that look very closely at what employees are actually doing on their machines - what applications they're opening, what kinds of files they're sending - that can provide anomaly detection in the activity itself," he said. "And that's not specific to phone calls; it's everything that you're doing on the network."
Unfortunately, Knieff said, more straightforward security approaches like two-factor authentication aren't particularly effective in response to social engineering. "Once you get in the door, and once you get that person on the hook, so to speak, no amount of two-factor authentication is going to help because it is the genuine user," he said.
Encryption can be similarly ineffective, Kennedy noted. "The unfortunate problem with encryption is that the IT help desk person who's being victimized for information should have access to that information to help a legitimate user," he said. "So the encryption piece falls down, because even if the data is encrypted that person has access to it, and should."
Finally, Knieff pointed out that smaller companies that may not be in a position to afford more advanced technological solutions might want to consider using a managed security service provider.
"Outsourcing certain aspects of security to people who are experts could be one strategy that a smaller organization could incorporate into their thinking," he said.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.