Threat actors today are maximising every opportunity they get to prey on vulnerabilities, security gaps, as well as human nature. In fact, the last of that trio is a particularly grave concern, and cyber hygiene must be at the top of mind for organisations. The truth is human negligence cannot be "patched", and vigilance must be stressed in awareness training to quell fraud-based social engineering.
Unfortunately, the odds are often in favour of the attacker because it takes just one unsuspecting team member to open the floodgates for attackers to have a field day. Only one person clicking on a malicious link or being misled into providing credentials is needed to give malicious actors unadulterated access to the corporate network.
What are socially engineered fraud attacks?
Social engineering attacks exploit social interactions, like email or texting, to manipulate users into giving up confidential information. Fraud attacks go beyond that by attempting to maximise a position of authority or trust to trick someone into divulging information. With the right credentials, attackers can often get far into corporate networks.
According to the Cyber Security Agency of Singapore, about 55,000 unique Singapore-hosted phishing URLs with a “.sg” domain were observed in 2021. This was an increase of 17% compared to the 47,000 URLs seen in 2020. Social networking firms made up more than half of the spoofed targets.
Additionally, the Singapore Police Force's Mid-Year Crime Statistic Report revealed that scams continued to be the main driver of crime in the first half of last year. From January 2022 to June 2022, scams increased to 14,349 cases, driving the total number of reported crimes to 25,593 cases from 18,725 cases in the same period in 2021. Scammers have been constantly evolving their tactics, and facilitated by the increase in online activities.
See also: Singapore to encourage development of international AI standards by open sourcing AI Verify
Preventing social engineering fraud attacks
Fraud-based attacks attempt to maximise trust and a sense of urgency to pressure or convince users to get valuable access information, so it is key to be armed with tips to avoid becoming a victim. To prevent social engineering attacks that use fraud tactics, organisations can leverage some of the same tools and strategies that prevent other types of social engineering attacks.
Firstly, businesses need to maximise zero trust network access (ZTNA) and multi-factor authentication (MFA). ZTNA extends the principles of zero trust access to verify users and devices before every application session. It confirms that they meet the organisation’s policy – which can be enforced for both remote and on-campus workers – to access that application. Organisations should also increase the certainty of user identity by verifying another factor and using adaptive authentication. If an MFA fatigue attack happens, effective ZTNA will limit access, especially if a time-of-day access policy is in place.
See also: Singapore to encourage adoption of quantum-safe technologies
Secondly, organisations need to eliminate key vectors of attack. They can do so by having email security gateways and content disarm and reconstruction tools to eliminate malicious attachments and links. Web application firewalls are also important to secure access to websites and identify and disable malicious links or embedded code. Endpoint detection and response tools are vital to protect various endpoints too.
Organisations today should always be prepared they will get attacked one day. They should therefore leverage incident readiness (IR) subscription services, which provide tools and guidance through readiness assessments, IR playbook development, and IR playbook testing (also known as tabletop exercises) that can help them better prepare for a cyber incident.
Besides that, employees must take ownership in fulfilling their cybersecurity responsibilities. The simplest task they could do is to use unique usernames and passwords as doing so can reduce the extent of access if bad actors obtain their credentials.
On the organisations’ side, they need to provide broad cybersecurity awareness training that educates employees on identifying threats and protecting themselves and their organisations. They can also leverage phishing simulation services to take it a step further. By using real-world simulations, organisations can test user awareness and vigilance to phishing and other threats, as well as train and reinforce proper practices when users encounter such targeted cyber attacks. Practising spotting phishing attempts aids in building up important muscle memory for everyday reality, as phishing is often part of the initial outreach strategy, even for a fraud-based attack.
The most crucial element in improving an organisation's risk profile is getting employees behind the idea of accepting and fulfilling their security responsibilities. With training, the right tools, and effective processes – including support from top-tier company leaders – security teams can help everyone take cybersecurity seriously. While corporate security and IT teams remain the first layer of defence, everyone in the organisation is responsible for understanding cybersecurity basics.
Daniel Kwong is the field chief information security officer for South East Asia and the Hong Kong region at Fortinet
