Social Engineering Scams Evolve to Try and Compromise Accounts and Steal Login Credentials
Social engineering has taken on a new twist, according to cybersecurity experts. This online tactic, which leverages personal details gleaned from the Internet to try and convince a user to take action, is now arriving in the form of multi-factor authentication (MFA) prompts.
These usually arrive as push notifications from an app or unique codes delivered via email or text message. Reports have emerged of both criminal hackers and nation-state actors using this technique with which bad actors attempt to irritate users with repeated MFA alerts. The hope, according to researchers who have studied the new social engineering tactic, is that users will become so annoyed by the prompts that they will unthinkingly accept the request to log in to their account.
How can hackers pull this off? By finding publicly available phone numbers and email addresses to which they can deliver personalized messages to devices and accounts. By bombarding someone with repeated alerts—often late at night, when users aren’t thinking as clearly or prepared for spam attempts—hackers attempt to gain access to a legitimate MFA portal, from which they can enroll another device. That shadow device can then be used to steal login credentials or access accounts that contain privileged information.
Other variations on this new social engineering trick include calling the target and pretending to be part of their actual business. If hackers can get the user on the phone, they can often impersonate a company executive or other key contact (discovered, for instance, by scrolling through social media accounts) and try to gain access to passwords or MFA portals. In addition, some hackers will send only one or two MFA prompts per day but at the same time to try and simulate legitimate login procedures.
No matter the method, the goal is usually the same: to steal sensitive information, gain access to protected accounts, and capture company data, often with the hopes of extracting a ransom or financial reward.
How can you protect your information and keep your digital identity safe? CMIT Solutions has accumulated the following five tips to protect MFA and login credentials while understanding the threat to small and mid-sized businesses across North America:
1. Understand the threat and how users’ accounts may be compromised. As the old saying goes, “knowledge is half the battle.” Many users may assume that the extra step required for multi-factor authentication (MFA) means that information is 100% protected. But even the strongest security measures can still be vulnerable to sophisticated social engineering tactics. Over the last two years, illicit attempts to steal information and compromise accounts have come in a variety of formats: fake COVID-19 alerts, legitimate-looking invites to collaborate on a shared document, urgent requests to review an attached file, or even personal pleas engineered to appeal to your emotions. Once you know how to identify the commonalities linking these attempts—suspicious sender addresses, confusing subject lines, minor errors in the body copy, missing email signatures—your alert level increases and you’ll be more prepared when suspicious messages do arrive.
2. Use caution with unexpected or suspicious email attachments or embedded links. Tricking someone into opening an infected attachment or clicking on an illicit link is still the easiest way for hackers to gain access to a computer or device. Popular formats include PDFs, text files, images, or MP3s, while this new twist on MFA prompts will often include a link that hackers urge a user to click. NEVER open an attachment or click a link unless it’s a specific file you’re expecting from a trusted co-worker or the destination URL matches the one written in the message. You can double-check this by hovering over or right-clicking the link(s) and looking for a legitimate web address that corresponds to the one the email came from. If a text message or mobile device prompt includes a link, manually retype it in your browser to check and see if it’s legitimate. If you see unintelligible strings of jumbled numbers or letters, use caution and DO NOT CLICK.
3. Think twice before providing any personal, financial, or medical information. This may seem obvious, but one of the biggest threats of social engineering scams is their ability to manipulate users into sharing sensitive information. Be especially wary of any requests you receive via email, text, or push notification that ask for passwords, birthdays, account number confirmations, or other private details—even if the sender claims to be one of your colleagues, co-workers, or bosses. If you can, verify the authenticity of the attachment face to face (even in a virtual meeting) or over the phone.
4. Work with a trusted IT provider to assess and heighten cybersecurity protections. Certain measures can help to defend your networks, protect your inboxes, and secure the apps you use for multi-factor authentication (MFA) or single sign-on (SSO). But multiple layers of protection are critical, especially as the social engineering tactics trying to steal your information evolve. A trusted partner with extensive cybersecurity experience can help you examine existing network security tools like anti-spam, anti-malware, and anti-virus while constructing elevated levels of protection like traffic analysis, advanced firewall, and SIEM/SOC around your systems.
5. Provide employees with regular cybersecurity training and recurring education. No matter how sophisticated a company’s cybersecurity measures may be, well-trained employees can provide a critical first line of defense. But you can’t expect those workers to bring such knowledge to the table on their own. Advanced security awareness training can empower your employees with threat simulation and evolving best practices, helping them avoid falling for common attacks and spot social engineering attacks before they wreak havoc on entire systems.
Social engineering is one of the trickiest scams to understand and mitigate, especially as tactics shift to take advantage of updated security layers like MFA. Reliable IT providers like CMIT Solutions have extensive experience assessing threats and assisting businesses of all sizes and all industries. We can help deploy extra layers of cybersecurity to protect against ransomware, phishing, social engineering, and business email compromise.
If you need help navigating the complicated world of digital threats, contact CMIT Solutions today. We can protect your login credentials, shore up the security of your apps, and empower your employees with training and education. That means enhanced protection and smoother day-to-day operations, allowing you to focus on your business while CMIT Solutions handles technology matters for you.