How to protect your company from Friday afternoon hacks
Sieuwert van Otterloo
Security
Some of the most daring and lucrative cyber attacks are the so-called Friday afternoon scams. As the name suggests, they are often planned just before the weekend, when people are most distracted, and they rely on social manipulation rather than technology.
What is a Friday Afternoon Hack/Scam?
The Friday afternoon scam is a low-tech attack in which attackers use social skills to trick people. The attacker calls or mails the potential victim, informs them that there is a cyber attack or another technical glitch, and asks the person for security details to put things in order again. The attack works best in very secure environments with lots of technical security measures in place, for instance in the financial or legal sector. In these environments, people are not surprised that security officers call them immediately, and they also feel the pain of having to do something urgently without having the right security codes at hand. Technically speaking, the Friday afternoon scam itself is not a cyber attack, because it is executed over the phone. However, the scam can be part of a larger cyber attack and is often aimed at companies with lots of cyber security in place. The scam is a simple but daring way to get in through the front door at one part of the organisation, after which the attackers can prepare more sophisticated cyber attacks.
Attacks in the media
Probably the most successful Friday afternoon scam took place in December 2013, when a British hedge fund lost almost 750,000 pounds on one unlucky Friday afternoon. The CFO of the company was just about to go home or to the pub when he received a call purportedly from Coutts, a bank that regularly executes transactions for the hedge fund. Apparently there was some fraudulent activity, and Coutts needed some security codes to cancel 15 suspicious payments. The CFO was reluctant but eventually used his smart card to generate the codes, and went home for the weekend. When he returned to work on Monday, 742,668 pounds were missing. More details on the attack and its aftermath (the CFO was fired and sued by his employer) are in the Bloomberg report.
Smaller but similar scams are regularly attempted, often aimed at solicitors who are transferring money for property transactions. The attackers call or email the attorney with updated bank details and hope that the money is transferred to them. The risk is largest when email accounts are hacked: the attackers know all the transaction details from previous emails and only have to change the account number.
Attack prevention
The existence of the Friday afternoon scam shows that cyber security has a strong human factor. Good security relies on a combination of technical and organisational measures. To illustrate this principle, we made a chart based on ITRC data for data breaches in 2014. Even though hacking is the most common cause of data breaches, social factors also rank high: employee negligence and physical theft. Unfortunately, no separate statistics are available for social manipulation. The reason is that Friday afternoon scams are often only the starting point of the complete attack.
To prevent the scam, organisations must make staff aware of the risks. We recommend the following measures as part of the overall cyber security plan:
- Give smarter, better security training. Do not train people to blindly follow orders. Teach them the why and how of cyber attacks, so that they are aware of the risk of scamming.
- Make sure the people in your organisation know each other well. These scams only work when people are not surprised to get calls from unknown colleagues.
- Design financial processes in such a way that multiple people are needed to set up or change transactions, and that there is a cool-off period between setting up and executing transactions.
- Evaluate security measures for usability. The scam is easier in companies with many cumbersome security measures. In these organisations, people feel the pain of not having access and will be more willing to share security details with colleagues.
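The third measure above (multiple people for setting up or changing a transaction, plus a cool-off period before execution) can be enforced in software rather than left to habit. The following is an added example, not code from the article or from ICT Institute: a minimal payment-approval model in which the person who creates a payment can never approve it, execution is refused until a cool-off period has elapsed, and any change of beneficiary account details (the hacked-mailbox case described earlier) discards existing approvals and restarts the clock. The 24-hour cool-off, the single extra approver, the user names and the account strings are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values below are assumptions for this example, not figures from the article.
COOL_OFF = timedelta(hours=24)
MIN_APPROVERS = 1  # approvers required in addition to the person who set the payment up


class ControlError(Exception):
    """Raised when an action would violate one of the process controls."""


@dataclass
class Payment:
    amount: int                 # minor units (e.g. pence)
    account: str                # beneficiary account; constructed sample values below
    created_by: str
    created_at: datetime
    approvals: set = field(default_factory=set)
    executed: bool = False


class PaymentProcess:
    def __init__(self, cool_off=COOL_OFF, min_approvers=MIN_APPROVERS):
        self.cool_off = cool_off
        self.min_approvers = min_approvers

    def create(self, user, amount, account, now):
        return Payment(amount=amount, account=account, created_by=user, created_at=now)

    def approve(self, payment, user):
        # Four-eyes rule: the maker of a payment may never be one of its approvers.
        if payment.executed:
            raise ControlError("payment already executed")
        if user == payment.created_by:
            raise ControlError(f"{user} created this payment and cannot approve it")
        payment.approvals.add(user)
        return True

    def change_account(self, payment, user, new_account, now):
        # Changing beneficiary details is treated as setting up a new payment:
        # approvals are discarded and the cool-off period starts again.
        if payment.executed:
            raise ControlError("payment already executed")
        payment.account = new_account
        payment.created_by = user
        payment.created_at = now
        payment.approvals.clear()
        return True

    def execute(self, payment, now):
        if payment.executed:
            raise ControlError("payment already executed")
        independent = payment.approvals - {payment.created_by}
        if len(independent) < self.min_approvers:
            raise ControlError("not enough independent approvals")
        if now - payment.created_at < self.cool_off:
            raise ControlError("cool-off period has not elapsed")
        payment.executed = True
        return True


def _attempt(action):
    """Run a control-checked action and report whether it was allowed."""
    try:
        return action()
    except ControlError:
        return False


def _changed_account(proc, t0):
    # Beneficiary changed after approval; the original cool-off would have
    # passed by t0 + 25h, but the change restarted it and cleared approvals.
    pay = proc.create("alice", 1_000_00, "GB00-CONSTRUCTED-0002", t0)
    proc.approve(pay, "bob")
    proc.change_account(pay, "alice", "GB00-CONSTRUCTED-CHANGED", t0 + timedelta(hours=20))
    return proc.execute(pay, t0 + timedelta(hours=25))


def run_scenario():
    """Walk a constructed payment through the controls; returns each outcome."""
    proc = PaymentProcess()
    t0 = datetime(2024, 1, 5, 16, 30)  # a constructed Friday afternoon
    pay = proc.create("alice", 50_000_00, "GB00-CONSTRUCTED-0001", t0)
    return {
        "maker_self_approve": _attempt(lambda: proc.approve(pay, "alice")),
        "second_person_approve": _attempt(lambda: proc.approve(pay, "bob")),
        "execute_same_afternoon": _attempt(lambda: proc.execute(pay, t0 + timedelta(hours=1))),
        "execute_after_cool_off": _attempt(lambda: proc.execute(pay, t0 + timedelta(hours=25))),
        "changed_account_executes": _attempt(lambda: _changed_account(proc, t0)),
    }


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step}: {'allowed' if allowed else 'refused'}")
```

The point of the model is that a single person under pressure on a Friday afternoon, whether the CFO in the Coutts story or a solicitor with a hacked mailbox, cannot push a payment through or redirect it on their own: the second approver and the waiting period give the organisation time to notice that something is wrong before money leaves.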
With ICT Institute we try to help companies give these smarter, better security trainings. To do so we include a bit more technical background, so that people are aware of what attacks exist and how social engineering is used by hackers in combination with technology. As one unlucky CFO can attest, these trainings are vital for top management.
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.