Real world ready | Next Gen accounting

All you need to know about social engineering

Accountants are prime targets for sophisticated cyber attacks, so it’s vital to be able to spot the types of scams and tactics involved

Words Jessica Bown


Criminals use social engineering to trick people into divulging information they can use to steal money or confidential data. As guardians of a wealth of sensitive financial information, accountants are prime targets for cons of this kind.

What is social engineering?

Social engineering involves using psychological manipulation to dupe people and businesses into making security mistakes or giving away sensitive information.

Far from a hit-and-run style con, it’s a complex form of fraud that requires the perpetrator to undertake several steps, the first of which is a thorough investigation of the intended victim. This could involve looking them up online, befriending them on social media or visiting an office under false pretences.

Once the fraudster behind the scheme has built up a picture of the company or individual they plan to target, they move on to winning the victim’s trust in order to extract the information they are after.

Attacks of this kind have become increasingly prevalent in recent years – and accountancy firms and SMEs are popular targets because cyber criminals perceive them as having weaker security systems than larger organisations.

Did you know?

Around 400 UK-based accountants report data breaches linked to cyber attacks each year, according to the Information Commissioner’s Office (ICO). That is just the attacks that result in an identified risk to personal data, so the actual number is likely to be much higher.

CYBER RISK

Six types of attacks

1. Pretexting

Creating and using an invented scenario to engage with someone in the hope of convincing them to divulge information or perform actions that would be unlikely in ordinary circumstances. The criminal carrying out an attack of this kind might, for example, use details such as date of birth and address to impersonate an account holder or customer.

2. Water-holing

A targeted social engineering strategy that takes advantage of the trust we build up in regularly visited websites. While most of us now know to be wary of clicking on a link in an unsolicited email, we might not hesitate to follow a link on a favourite website (or watering hole). Hiding malicious links on popular websites can therefore prove an effective way for fraudsters to gain access to secure systems.

3. Quid pro quo

An attack that exploits people’s attraction to free services, such as IT support: the criminal offers the service but claims to need login credentials and passwords in order to do the work.

4. Scareware

Bombarding a person or business with fake threats and alerts, making them think that the system is infected with malware and convincing them to install malicious software or pay a ransom to stop the threats or a supposed data leak.

5. Tailgating

This can be as simple as walking closely behind someone with access to a restricted area and asking them to hold the door.

6. Spear phishing

A more targeted version of a phishing scam whereby specific individuals or businesses are sent tailored messages designed to appear legitimate (rather than ‘spam’ alerts that are sent out to hundreds of recipients).

How to protect against breaches

Accounting firms are a potentially lucrative target for cyber criminals because they hold data, such as bank account details and National Insurance numbers, that can be used for identity theft and other types of financial fraud.

Protective measures are not just about preventing embarrassing and sometimes very costly data breaches or thefts. Failing to comply with data protection regulations such as GDPR can also result in significant fines from the ICO.

So, it’s vital to take steps to avoid your business becoming the victim of a social engineering attack. Ways to do this include:

  • Offering employee training, including educating staff to recognise phishing emails, be suspicious of unsolicited messages and use strong passwords.
  • Encrypting sensitive data, which ensures that even if cyber criminals do gain access to your systems, they cannot easily decipher the information.
  • Using multi-factor authentication, which adds an extra layer of security by requiring users to provide two or more verification methods to gain access to systems or data.
  • Performing regular software updates, which are essential to prevent cyber criminals exploiting loopholes and vulnerabilities.
  • Having off-site data back-ups, which allow companies to restore their data with minimal disruption in the event of a cyber attack.
  • Taking out cyber security insurance, including cover for legal fees and loss of business.

EXAMPLE

Clinton team caught out

Perhaps the most well-known social engineering attack took place in 2016 during the US presidential election, when members of Hillary Clinton’s campaign team were taken in by phishing emails disguised as Google alerts.

The hackers behind the scam – thought to be associated with the Russian government – then used the information gleaned to leak private documents and gain access to Democratic Congressional Campaign Committee computers for further monitoring.


The Association of Accounting Technicians. 30 Churchill Place, London E14 5RE. Registered charity no.1050724. A company limited by guarantee (No. 1518983).