6 steps to thwart email social engineering attacks

Data security breaches involve much more than technical skills and brute force hacking. Today’s data thieves use social engineering tactics to collect sensitive information straight from a bank or other organization’s personnel.

Sometimes, they accomplish this through deceptive phone calls to customer service, impersonating an authorized account holder, and directly requesting sensitive information. In another increasingly common strategy, hackers initiate a conversation between your organization and a business partner through emails cleverly disguised to look like your own—then turn that conversation into major expenditures.

In today’s data and network security landscape, then, protecting your bank and your customers requires much more than up-to-date technical resources. It requires training and vigilance on the part of your entire team to effectively combat social engineering tactics. By recognizing some of the most common social engineering tactics that hackers employ, banks can apply network security best practices to defend themselves as effectively as possible.

Let’s take a look at how these best practices can thwart two of the most widespread social engineering attacks.

Train your team

The front-line of defense is awareness and clear training for your entire staff.

When it comes to would-be thieves extracting information through customer-facing staff, your team first needs to be aware of the threat. Ensure that the strategy is explained to your entire team—particularly tellers and customer service representatives who interact with customers on the phone.

Next, ensure that you have strict and secure procedures in place to verify the identities of customers requesting access or changes to sensitive information. These procedures should be easy to understand and reference, and your staff should understand that the procedures are to be followed without exception.

This may sound simple, but the widespread success of social engineering tactics is a testament to the difficulty of reinforcing this straightforward point. “No exceptions” must truly mean “no exceptions.”

In addition to recognizing and avoiding social engineering scams, personnel should be trained to help detect signs of network intrusion.

Common red flags for a breach such as slow network connections and mysteriously non-functional passwords may seem relatively innocuous to a layperson. However, they can offer a security specialist important clues about attempted or ongoing breaches.

For this reason, make it policy for all staff to report these and other anomalous network behaviors to your IT security department. It is essential for your entire team to be informed and active participants in your security strategy.

Man-in-the-email

Another important strategy to defend against is “Man-in-the-Email” attacks, which can take several different forms.

In one approach, attackers create an email that closely resembles typical communications between two executives. This false email is then forwarded to an employee responsible for making monetary transfers. The email seems to authorize a transfer to a particular bank account. Often, the conversation is back-dated to create a sense of urgency in the mind of individual being scammed.

In another version, the attackers identify two targets currently conducting business communications with one another. Then they find a way to insinuate themselves into regular communications through a similar, camouflaged email address.

If they manage to disguise themselves successfully with an innocuous, typical-looking email to Entity A, then they can send A’s response to B, and B’s response back to A, along the way making any edits necessary to make the whole conversation seem natural to both participants.

At this point, the people on both sides of the email chain will tend to simply hit “Reply” on every email, not paying much attention to the address. Eventually, when Entity A places an order, the scammer can pose as Entity B and tell them to use a new, fraudulent account.

How do the fraudsters manage this trick?

Sometimes they manage to acquire email domains that closely resemble your own: you@ yourname.co, for example, rather than you@ yourname.com. They might also swap two letters in the domain: you@ younrame.com. Furthermore, it’s sometimes possible to replace a character in the domain name with another, similar character: you@ y0urname.com. When email clients use san-serif fonts like Arial, where the lowercase L is often the same as a lowercase i or the number 1, this last approach can be more persuasive than you might expect.

Email best practices

Fortunately, with care and thoughtful best practices, email scams of this sort can be effectively thwarted. Ensure that your staff take each of the following steps:

1. Be wary of major changes. If a contact or business partner informs you that they are now using a new bank account or even email address, validate this claim through another mode of communication. This leads directly to the next step…

2. Use second-factor authentication. This means you should utilize a minimum of two forms of communication with business partners. You should never authorize major transactions based purely on email.

3. Forward instead of replying. To be as careful as possible, type out your business contacts’ emails and forward your responses rather than using the reply function. While it may add an extra step to email communications, this will quickly reveal any attempted “man-in-the-email” attacks.

4. Delete your spam. When you recognize a spam email, delete it immediately. Don’t open it, download attachments, click on links, or reply. If you’ve made one of the above mistakes, alert your IT team.

5. Don’t use free webmail. This should go without saying, but don’t use free webmail platforms like Gmail or Yahoo for business communications. The “man-in-the-email” attack is much easier for scammers when they don’t have to spoof the domain of the email, but can focus on the username. Limit business communications to your unique domain.

6. Do use digital signatures. Encrypted digital signatures provide the maximum possible security, when used by both you and your business contacts. But this functionality may not be available if you use a webmail platform or live in a country where such signatures are not permitted.

Ultimately, protecting your bank, your customers, and your business partners means that you must understand the social engineering threats that you face, keeping up-to-date with new tactics as they arise and evolve and training your personnel accordingly. If you train and prepare your people effectively, your organization will be ready to conduct business with confidence. 

About the author

Jason Riddle is practice leader at LBMC Managed Security Services where he helps defend his clients’ networks. He has over 15 years of experience working both as a consultant, advising commercial and government clients, and as a corporate information security officer for a financial services organization. His core areas of expertise are technology infrastructure, security & compliance, electronic payments, and developing processes to defend networks and systems against today’s advanced threats.