The recent large-scale data breach at Experian South Africa brings into focus an important security vulnerability for individuals and businesses – human error. Social engineering attacks exploit human psychology in order to defraud unsuspecting targets. What are social engineering attacks, and how can you better secure yourself and your business against them?
Experian data breach exposes the threat of human error
On 19 August 2020, the South African Banking Risk Centre (SABRIC) announced a large-scale data breach at Experian South Africa. Experian, one of the world’s largest credit bureaus, confirmed that it had unwittingly exposed the personal banking-related information of as many as 24 million South Africans and nearly 793,749 businesses to a fraudster. While the bureau’s infrastructure, systems and database had, according to the company, not been compromised, sensitive information had been acquired by an individual who had fraudulently requested services while purporting to represent a legitimate Experian client.
In their own communication, Experian tried to put the public’s mind at ease, confirming that “no consumer credit or consumer financial information was obtained”. They reported no evidence that any misappropriated data had been used for fraudulent purposes. Rather, according to them, “the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”
Besides the embarrassment suffered and the devastation of trust between the business and customer, what vital lesson can be learned from this particular incident?
The breach brings into the spotlight the value of personal information, the need to keep it as secure as possible, and, most importantly, a key vulnerability – human error.
Why is human error still the most crucial vulnerability in any security chain?
Social engineering attacks exploit human psychology
“The compromise of personal information”, writes SABRIC CEO Nischal Mewalall, “can create opportunities for criminals to impersonate you.” However, according to Mewalall, “this alone does not guarantee access to your banking profile or accounts”. So, what is the problem then? Well, Mewalall asserts that “criminals can use this information to trick you into disclosing your confidential banking details”. Such malicious actions are termed “social engineering attacks”, and they target your ability to trust in order to extract information, exploit vulnerabilities and capitalise on them.
According to SABRIC, criminals are aware that the weakest link in the security chain is a human. Social engineering exploits trust and human error in order to gain advantage. Through social engineering, criminals target people, rather than things, in order to manipulate human psychology to obtain personal or confidential information. With the right mix of information, criminals can pose as technical support engineers, or bank staff, in order to exploit a victim’s inclination to trust.
In some cases, once trust is established, a victim can willingly divulge confidential information to a criminal via email or telephone. In other cases, victims can be guided by the criminal to follow several steps to “fix” something on their computer. The victim then unwittingly installs malware which sends their personal or confidential information back to the criminal.
As noted by SAFPS CEO Manie van Schalkwyk:
Think of your identity information in the same way as you think of cash … Keep it safe and secure at all times, because once it is compromised, it can be used by anybody, often to impersonate you.
So, how do criminals try to get information from you? Let’s look at three common social engineering tactics.
Three common social engineering tactics
1. Phishing
Phishing emails are a form of spam and one of the most popular means of attempting to extract information fraudulently from individuals. In this case, an email is sent to an individual requesting that they click on a link. Attackers can disguise, or “spoof”, their email address to look like that of an official or trusted source. The email can also be designed to visually look like an official communication from a bank or service provider. In some cases, the emails can threaten you into taking an action, like claiming that the sender already has sensitive information or control over your digital assets.
When clicked on, the link will direct you to a “spoofed” website, which is a site designed to fool users into thinking that it is legitimate. The website is designed to obtain, verify or update contact details or other sensitive financial or personal information. The spoofed website will look almost identical to that of a legitimate or a well-known financial institution or service provider such as, for example, Microsoft.
Phishing emails are typically sent in large numbers to consumer email accounts that have been obtained fraudulently, bought or even harvested from data breaches such as the Experian breach. However, in some cases they meticulously target specific individuals, which is known as spear phishing.
SABRIC Tips:
- Do not click on links or icons in unsolicited emails.
- Do not reply to these emails. Delete them immediately.
- Do not believe the content of unsolicited emails blindly. If you are worried about what is alleged, use your own contact details to contact the sender to confirm.
- Type the URL (Uniform Resource Locator) or domain name of your bank into the internet browser yourself if you need to access your bank’s webpage.
- Check that you are on the authentic/real site before entering any personal information.
- If you think that your device might have been compromised, contact your bank immediately.
- Create complicated passwords that are not easy to decipher and change them often.
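As an added defender-side illustration (not part of the SABRIC guidance or Experian’s communication), the check below applies the “make sure you are on the real site” tip programmatically: it extracts links from a constructed SMS/email text and flags any whose host is not the bank’s own domain, catching the usual spoofed-site patterns (bank name buried in a look-alike subdomain, credentials placed before the real host, plain http). All domain names and the sample message are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user actually banks with (hypothetical).
TRUSTED_DOMAINS = {"examplebank.co.za"}

# Crude link extractor for free text; trailing punctuation is stripped per match.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message in the style of a smishing SMS; two spoofed links, one genuine.
SAMPLE_SMS = (
    "ExampleBank alert: your profile will be suspended. Verify now at "
    "https://examplebank.co.za@secure-verify.example/login or "
    "http://online.examplebank.co.za.account-check.example/ "
    "Genuine portal: https://online.examplebank.co.za/login"
)


def registered_domain(host):
    """Reduce a hostname to the part that identifies its registrant.

    Simplified public-suffix handling: treats 'co.za'-style two-label
    suffixes as part of the suffix, so 'online.examplebank.co.za'
    becomes 'examplebank.co.za'."""
    labels = host.lower().rstrip(".").split(".")
    two_label_suffix = labels[-2] in {"co", "org", "gov", "ac", "net"} and len(labels[-1]) == 2
    if len(labels) >= 3 and two_label_suffix:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url):
    """Return (is_trusted, reason) for a single URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # Everything before '@' is userinfo, not the host: a classic disguise.
        return False, "bank name appears before '@'; real host is " + host
    if registered_domain(host) not in TRUSTED_DOMAINS:
        return False, "host " + host + " is not a trusted bank domain"
    return True, "ok"


def scan_message(text):
    """Return [(url, is_trusted, reason)] for every link found in the text."""
    urls = [m.rstrip(".,;:)!?") for m in URL_RE.findall(text)]
    return [(u,) + check_link(u) for u in urls]
```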
2. Vishing
Vishing is when a fraudster phones a victim posing as a bank official or service provider and uses social engineering skills to manipulate them into disclosing confidential information. The criminal may have already obtained certain personal details, such as an ID number, physical address and email address, which offers them more credibility. When trust has been established, the fraudster can lead you to divulge even more confidential information or lead you to take actions that defraud you or further compromise your security.
SABRIC Tips:
- Be conscious of the fact that criminals can mask their telephone numbers to make it seem as if a legitimate individual or company is making the phone call.
- Never share personal and confidential information with strangers over the phone.
- Also note that banks will never ask you to confirm your confidential information over the phone.
- If you receive a phone call requesting confidential or personal information, do not respond and end the call.
- If you receive an OTP on your phone without having transacted yourself, it is likely that it is a fraudster who has used your personal information. Do not provide the OTP telephonically to anybody. Contact your bank immediately to alert them to the possibility that your information may have been compromised.
- If you lose mobile connectivity under circumstances where you are usually connected, check whether you may have been the victim of a SIM swop.
3. SMishing
Criminals are aware that people are spending more and more time on their smartphones. They are also cognisant of the fact that users are often using their smartphones on the go, or when in a hurry, and may be less likely to scrutinise and deliberate over SMSs with suspicious links.
SMishing is short for SMS Phishing. In this case, criminals send an SMS, often purporting to be from your bank, requesting your personal or financial information such as your account or PIN number.
Clicking on these suspicious links may install malware onto your phone, or could take you to a spoof website where you will be asked to enter personal or confidential information.
SABRIC Tips:
- Do not click on links or icons in unsolicited SMSs.
- Do not reply to these SMSs. Delete them immediately.
- Do not believe the content of unsolicited SMSs blindly. If you are worried about what is alleged, use your own contact details to contact the sender to confirm.
- Check that you are on the authentic/real site before entering any personal information.
- If you think that your device might have been compromised, contact your bank immediately.
- Create complicated passwords that are not easy to decipher and change them often.
- Don’t store your credit card or banking information on your smartphone in case malware gets installed on your phone.
- Regard urgent security alerts, offers or deals as warning signs of a hacking attempt.
What can you do if you think you have been compromised?
According to SABRIC, if you suspect that your identity has been compromised, you should immediately apply for a free Protective Registration listing with the Southern Africa Fraud Prevention Service (SAFPS). This service alerts SAFPS members, which include banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder. To apply, you can contact SAFPS at protection@safps.org.za.
Furthermore, avoid disclosing personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text messages or even email. Change your passwords regularly and never share them with anyone else. Verify all requests for personal information and only provide it when there is a legitimate reason to do so. Finally, check if your information may have been exposed in other data breaches through https://haveibeenpwned.com/. If so, change your passwords and be aware that criminals may use information to try and exploit any vulnerabilities.
For further advice, please see www.sabric.co.za