A series of attack anecdotes shared by Brian Krebs shows how persistent and sophisticated scammers are in using social engineering tactics to gain access to their victim’s bank account details.
It all starts with some information about the next potential victim. Using credit card records offered for sale on the dark web, scammers obtain every pertinent detail they need: name, address, phone number, email address, full credit or debit card number, expiration date, and the card verification value (CVV) printed on the back of the card.
According to KrebsOnSecurity, one victim, Jim, was the target of not just one but several separate social engineering attacks that used both the phone and email as the initial communication channel. The attackers called Jim pretending to be the bank while simultaneously calling the bank pretending to be Jim (so that passphrases and transaction details could be relayed in real time), and they spoofed Jim’s phone number to retrieve recent transactions from the bank’s automated customer service line, details they then used when later calling the bank while impersonating Jim.
Attacks are no longer simple campaigns with a single story arc; today’s social engineering scams anticipate every “what if”: the victim calling the bank themselves, hesitating to comply, and more. Since the attackers have planned for every contingency, I can see why these kinds of attacks succeed.
What’s needed is for individuals to treat any bank-initiated communication as potentially false, scrutinizing the message, the contact details, and the next action being requested. This has material ramifications for those within the organization who are responsible for the company’s financials. Putting users through Security Awareness Training is an effective way to heighten their scrutiny when interacting with email, inbound phone calls, and the web.
The place to stop these attacks is before a link is clicked and before any security questions are answered – teaching users to remain vigilant is the key.