Criminals are becoming increasingly sophisticated in their approach to online scams, with "social engineering" a common tool used by fraudsters.
Helping staff to understand how social engineering works is one of the most important frontline defences against cybercrime.
Social engineering is a tool hackers use to trick people into doing something they wouldn't normally do, or into divulging information they shouldn't. One of the most common ways criminals use social engineering is to send out emails that appear to come from major banks or tax authorities, requesting information such as personal details or bank account information. The hackers then use this information to compromise users' bank accounts, or sell it on the dark web.
It's also often used in targeted spearphishing attacks. The Australian Cyber Security Centre's most recent Annual Cyber Threat Report explains that, unlike generic phishing campaigns, spearphishing is designed to target specific people.
"Adversaries use tactics such as social engineering to research, identify and target high-value individuals within particular organisations. This can include using information found via professional and personal social media networks, and publicly available industry information such as annual reports, shareholder updates and media releases. The more refined and genuine a spearphishing email appears, the more likely users are to be deceived into opening malicious links and attached files," the report explains.
As a result, it's become more difficult to tell if an email or other message is from a real business, says Emergence Insurance CEO and founder Troy Filipcevic.
"Criminals have become much better at tricking people into doing something that, nine times out of 10, they wouldn't usually do. You might receive an email from the Australian Federal Police or the tax office that, at a glance, appears legitimate. It's not until you take a closer look that you start to see it's not legitimate."
Emerging threats
Fraudsters use a variety of media to distribute socially engineered scams. A current scam involves a recorded voicemail message, purportedly from the ATO, that threatens jail if the recipient doesn't call back. COVID-themed scams are also popular.
Invoice fraud is a perennial problem. This is a form of social engineering in which a hacker compromises a business's IT system, falsifies a supplier's invoice by changing the bank account details on it, and sends it back to the business with a request to pay. It's not until weeks later, when the supplier chases up the invoice, that the business finds out the bill is unpaid.
There are steps businesses can take, such as regular education sessions, to help staff identify fake emails or other messages. Businesses should also put processes in place around changes to supplier bank details, so that more than one person in the business ratifies any change.
"Pick up the phone, ring the business and say, 'I've got an email from you asking to change banking details. I just want to confirm these new bank account details'," recommends Filipcevic.
It's a good idea to regularly check the Australian Competition and Consumer Commission's (ACCC's) Scamwatch site and register for alerts. Cyber insurance also plays a role, and can cover businesses for a range of cyber risks. But cyber insurance is just one of a range of mitigation steps all businesses must take to reduce the chance of cybercrime impacting operations.
Talk to your Steadfast broker today about the best way to manage cyber risks now and into the future, through insurance and other risk management steps.
Important notice - Steadfast Group Limited ABN 98 073 659 677 and Steadfast Network Brokers
This article provides information rather than financial product or other advice. The content of this article, including any information contained in it, has been prepared without taking into account your objectives, financial situation or needs. You should consider the appropriateness of the information, taking these matters into account, before you act on any information. In particular, you should review the product disclosure statement for any product that the information relates to before acquiring the product.
Information is current as at the date the article is written as specified within it but is subject to change. Steadfast Group Ltd and Steadfast Network Brokers make no representation as to the accuracy or completeness of the information. Various third parties have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of Steadfast Group Limited.