Episode 288
Why Does Social Engineering Work So Well?
In today’s podcast, Craig Jeffery shares multiple new examples of successful fraud cases, including a story that highlights the importance of two-factor authentication and a real-world example of the importance of immediately training new staff on security. He also touches on the recent improvements to and effectiveness of voice deepfakes. Listen in and stay informed on social engineering advancements.
Host:
Jonathan Jeffery, Strategic Treasurer
Speaker:
Craig Jeffery, Strategic Treasurer
Episode Transcription - Episode # 288: Why Does Social Engineering Work So Well?
Announcer 00:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer. Your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Jonathan Jeffery 00:18
We’re living in a world where a well-crafted story can be more dangerous than any line of malicious code, and with a percentage of fraud losses being brought about by social engineering, I hope you’re staying up to date on adaptations and improvements in the social engineering space. I’m joined today by Craig Jeffery, managing partner of Strategic Treasurer. He continually researches, communicates about, and works with companies to protect their payment flows. Welcome to the show, Craig. How are you this morning?
Craig Jeffery 00:46
I’m good.
Jonathan Jeffery 00:47
Today, I’d like to hear a little bit about social engineering and the other methods criminals are using to steal funds: why they work, and what you’re seeing companies do to protect themselves.
Craig Jeffery 00:58
Jon, social engineering is certainly working. It’s relieving companies of funds and information. Criminals are gaining access to systems and information and getting away with quite a bit of funds. And it works for a couple of reasons. One, it’s a lot more sophisticated. It’s much better than it has been, and it’s combined with other types of technology, and people get distracted, and then they’re more easily fooled by something that’s closer. Someone sending an email that’s unreadable or barely readable is viewed as a joke and not a threat. But that gets better and better over time, and so it’s enhanced now with more people working on it, the use of AI to help make text or voice work efficiently. There are lots of examples now, lots of examples of deepfakes being used to convince people to change payees, to send money to different places, to give up credentials. And those are all significant threats to corporate treasuries, accounts payable groups, companies at large. So this is the environment that we’re living in, and we’ve got to be careful. And so I think part of your question was, what needs to be done to prevent that?
Jonathan Jeffery 02:08
Yeah, what are companies doing? What do you see out there that companies are doing to protect themselves?
Craig Jeffery 02:12
I think there are a couple of things. One is training. We see significantly more training happening with employees. Employees tend to be the weakest link. Cyber defenses tend to be getting stronger, though there are still vulnerabilities. And so there’s this continual game of closing the door. Banks have, for a longer time than corporations, recognized the need to train and to test and to regularly retrain their employees, and so that’s become almost universal at banks, where they’re doing it at least once a year, sometimes more than one time a year: regular training courses and then testing and probing with everything from phishing emails to recurring courses. Rather than a 12-month break, they’re doing it more frequently. For corporations, corporate AP groups, corporate treasury groups, those involved in the payment process, it’s a lot less frequent that a company is doing that on a more-than-once-a-year basis. The majority are now doing it. So that’s certainly a way that people have gotten trained. There’s the idea that we’re trained, but we also don’t recognize sometimes when we’re more vulnerable. I can give you some examples, and we’ve talked about these off air, where people get distracted and then they get the message from their manager, or their further-up boss, that asks them to go buy gift cards, using their corporate card or their personal card, as a way to reward employees. And people that would never do it are distracted. They’re running around, they get busy, they don’t think about it, and they go and buy them, using the corporate card or using their personal card. And that’s only one example, but that idea of being distracted is a real situation. So sometimes even those that are trained let their guard down and violate the rules and practices. So what can people do? 
I mean, this idea of being trained, and one of the elements of training is making sure that you’re cautious and careful. Speed and efficiency are usually our friends, but sometimes when everything’s urgent, everything’s urgent, we speed up and overlook quality, care, and our policies. Being able to question things is sometimes thrown out the window, especially when it’s coming from higher up, where you feel like I’ve got to respond quickly. So that needs to be part of the training and part of the organizational, I’ll call it DNA, that you can question things, even if you suspect it comes from the CFO. Those are some of the key things that I think everyone has to focus on.
Jonathan Jeffery 04:59
Yeah, and I’ve seen it, even on a personal level, pick up in the last couple of years. The other day, I got an email from my insurance company that seemed like it could go either way, as a social engineering scam or it could be legit, and they were saying that my payment hadn’t gone through and that I needed to make a payment or I’d lose my insurance. This was for my motorcycle, but the number for the policy was different than the number I had on my card, so I ended up calling them because of hearing about all these stories of social engineering and impostor fraud. And you see it not only from CEOs, but you could see it from clients’ or customers’ billing information.
Craig Jeffery 05:46
Yeah, so you spotted a difference, an irregularity.
Jonathan Jeffery 05:51
What other stories or examples did you want to mention on this podcast?
Craig Jeffery 05:55
I know we have a series on different types of fraud and losses, but certainly some of these are more abbreviated stories. One of the things that’s probably most interesting to people, and probably most concerning, is the use of deepfakes. So this is using artificial intelligence to fake someone’s voice or fake someone’s video that gives instructions. There was a large UK energy company, back in 2019, where there was a phone call that came in, and the person, ostensibly, was this other person’s boss, and it was instructions to send about a quarter of a million dollars to a supplier. The account was controlled by the criminal group. And the fact that you can use AI now to mimic video and audio means that you can teach these systems to learn someone’s speech, and the cadence, the volume, sound very, very effective. And so now it’s available to not just the most sophisticated criminal groups, but to many others. That’s a pretty big concern, right? It’s one thing if it writes better emails. Now it’s, oh, I just talked to the CEO, the chairman, and they said we need to move this over. It’s important, to pay a supplier in this case, or we’re doing an acquisition. And then they send it to an account that the criminal group controls, and then they move it out of the banking system as soon as they can.
Jonathan Jeffery 07:30
Yeah, and it’s increasingly easy. I just want to mention how easy it’s gotten to fake these audio files; video files are still a little bit harder. But with me editing the podcast and all the SecureTreasury videos, I have enough content to use new software to mimic your voice and ask someone to do something and send them a voicemail or audio message through Teams or through Outlook, asking someone, “Hey, can you stop by XYZ store on your way to work?” If I know what they’re doing, it’s just gotten so easy.
Craig Jeffery 08:06
You know, it has. And even the emails. We recently had an intern who had just started; their email had been established less than a week. They were just starting to do training, like they had just popped it open, and they got an email, ostensibly from me, that asked them to do something. And so they had grabbed their keys and were going out, and their manager was like, what are you doing? And it’s like, Craig asked me to do this particular thing.
Jonathan Jeffery 08:37
That’s why you start everyone out with SecureTreasury.
Craig Jeffery 08:39
And this was a week in, like their email had barely been used, and their manager was like, no, he didn’t. And it was a good teachable moment. That’s why, usually the first week, they’re going through all the courses that we have on payment security and across the board. So that was an example. Another one, Jon: we talk about spoofing. Sometimes the spoofing emails come from a Gmail account or some public account. But there are some criminal organizations that work really hard on either gaining access to the organization’s email system directly, or they buy up other domains that are close or look alike. In 2022 there was a huge phishing attack. They were really working on stealing some of the Microsoft Office 365 credentials from the US Department of Labor. And they bought up all kinds of domains, dol-gov.com, dol-gov.us, all kinds of domains that looked pretty good when you first look at it, right? It wasn’t someone’s Gmail address or something that had lots of numbers in it. So it fooled many people. And so they were sending these out all over the place. There were bid options for people to use. They were trying to gain credentials. So people would get these things and then they would enter all this information in, because they were bidding on things that they might normally bid on. And so when you cast a wide net, some people may say, maybe I don’t do business with this particular organization, in this case the Department of Labor. This was pretty extensive: building up, acquiring domain names, building up sites to do this. But for great reward, it’s worth it for the setup, right? So you can do the simple theft, or you can do the more involved theft. That’s another one I found pretty interesting and pretty bold, right? 
Because now you’re spending money buying domains, investing a lot of time setting things up, trying to stay under the radar, and as soon as it gets found out, law enforcement can extinguish these sites, usually pretty quickly once it’s reported.
Jonathan Jeffery 10:57
It doesn’t take long to set up a new one and start again. Any other stories you wanted to touch on?
Craig Jeffery 11:05
Another example is using some of these file sharing sites and phishing for information, particularly in the environment of hybrid or more work-from-home. In 2021 there was an attack that was really geared for those who are working from home. The criminals would send an email: here’s something you have to do right away, you need to sign this document, and it’s in Microsoft SharePoint. It looked legitimate: it has the SharePoint logo, all of its branding, all of its look and feel matches what they’re used to. But it went to a site, and the site was meant as a vacuum or a Hoover to siphon off their credentials. So when they go in there, they plug in their credentials, which they had loaded into the system, and now the criminals have those credentials. And so that’s another reason why multi-factor authentication matters so much, because now, if they try to go in and steal the information to gain access to the systems with those credentials, they may not be able to do it if you have multi-factor authentication, or may not be able to do it in a persistent manner. Because they got in, perhaps, when you logged in: you punched in your code, they punched in the code, and now they’re into your work SharePoint site. So this is recognizing regular processes and events that people have to do, and then finding some way to put up a fake, I’ll call it storefront, or SharePoint site, that people will give up their credentials to willingly. It’s like the time when they were sticking these fronts on the ATM machines, just an overlay. So people would put their cards in there, it would read off the card, they’d punch in their PIN, and then it wouldn’t work. The machine wouldn’t give out money, so they’d go somewhere else, but they had their card, and all the card information had been captured. 
The PIN had been captured, and so now the criminals would make those cards, go to real ATM machines and withdraw as much money as was available. So that’s another story that helps us just think of how clever the criminals are and how careful we need to be.
Jonathan Jeffery 13:22
Yeah, with two-factor authentication, it would send you a notice. If you’re getting a 2-, 4-, or 6-digit code to punch in, you’re like, hey, I’m not logging into anything. It might get you to think back to that portal you logged into. But that wouldn’t stop the risk if you logged into the portal and put your credentials in, so they stole those. They may not be able to get into your actual account, but if you ended up uploading files there, they now have access to all those files.
Craig Jeffery 13:50
Yeah, exactly, and they may use those to build over time. One of the things that not everyone thinks about is the persistent nature of the more sophisticated criminals and the patience that they have. There were always the smash-and-grab style criminals: I can see something of value, I get it and I take it, and that’s all I think about. Hand to mouth, stealing something. The level of crime and the payoff goes to those who are patient and sophisticated. They’ll gather information, they’ll gain access. They’ll gain access and try to move laterally to gain more credentials. And then, as they do that, they can set the trap. Once they have gained significant access across an organization, moving funds, fooling people to move funds, becomes a lot easier when now you have, let’s say, three different places where you can instruct people to make this transaction, approve this, and highlight and emphasize the emergency or the time-sensitive nature of it. And that tends to work really, really well.
Jonathan Jeffery 14:59
What else can companies do to protect themselves? And of course, how does Strategic Treasurer help with that?
Craig Jeffery 15:05
Well, one of the first areas is looking at putting the right technology in organizations and having consistent, controlled processes that are not dependent upon what a person does, but where the system and the process enforce the right type of behavior and policy: that there are multiple approvals, a secondary person checking and approving things, that information is hidden and locked in a system, not moving from file to file, moving across SharePoint sites or desktops or shared drives.
Jonathan Jeffery 15:42
Well, that works with payment instructions and file transfers, but with stuff like the email to get someone to do something, what kind of structures can you put in place for that?
Craig Jeffery 15:54
Yeah, so there’s both technology and there’s training. So on the technology side, I would say probably the majority of companies now put headers on saying this email originated from outside the organization, and that certainly helps with emails that originated outside the organization. Now, if someone’s gotten inside the organization and is sending an email from the company system, it’s not going to detect that. But having the system capture that, review it, track it, with identification of “this is not a person you normally receive emails from, this requires a little more careful monitoring.” So outside the organization, unusual source for an email: those are good tools for that. But then there’s the human element too. And so we always think about payment security training as well as cybersecurity training. A lot of cybersecurity training covers phishing emails and desktop hygiene, which are essential. But one of the things that we also focus on is, we offer a series of courses on a range of topics about payment security, everything that you may want to consider and need to know: how do you protect your payments? Payment-specific security training is the next level. I mean, cybersecurity training is essential. The majority of companies, the vast majority of companies, are doing that now, but targeting people that have control over payments is a must. And so understanding how criminals operate, their playbook, different types of criminal methods that have been used and deployed, why they worked, how those could be defeated, how payment systems are managed, how payment rails work, what type of information payment rails pass, how people work at avoiding or bypassing bank security protocols and services. All of these are now essential for the AP professional, the payments professional, the treasurers of organizations. So training people is another key area. Other things that we do to help organizations: 
One area is, organizations need to have an assessment of their payment security at a foundational level. They need to know, what are all the different payment flows and processes in their organization? Looking at that: here’s a full inventory, here’s how the process works end to end. And one thing that we’ve found through our experience here is, typically, or pretty much conclusively, it seems organizations aren’t aware of all of their payment flows. They identify anywhere from about half to about 75% of the payment flows that their companies use. Now most of these are mid-sized to extremely large organizations. But still, you think, I think we have 27 payment processes, and those are the ones that are well documented and known, and then by the time they go through the process, we’re well north of 50. It’s very interesting to see that when you start discovering other payment flows. It would be like saying, I don’t have an inventory of my most expensive computer hardware. Well, that would not be considered acceptable. And yet many organizations don’t formally have an inventory of all of their payment flows, and so a payment security assessment starts with that at the beginning, and then looks at those flows from end to end, everything from setup to transfers to controls, all the way through to security, confidentiality of transmitting data, protection of information, to reconciliation. And those assessments we think are so vital to organizations saying, here’s where we’re weak, here are some compensating controls we can put in place to be at least at an acceptable minimum standard. And then it also gives them a roadmap: what do I need to do to fix things over time, to continue to strengthen my defenses there? That’s a real foundational thing for organizations, a payment security assessment.
Jonathan Jeffery 20:18
Yeah, but don’t ask someone to take a look into it unless you’re ready to spend time and resources on actually securing yourself. You’ve been talking about pen testing with payments for quite a bit now. You want to jump into that?
Craig Jeffery 20:33
Yeah, one of the areas, through some of our discussions. We have roundtables where we talk to treasurers, CFOs, assistant treasurers, people responsible for significant movement of money, and fraud and controls comes up. That’s always one of the top issues. It comes up regularly. As we’ve been talking through what we do on the security assessment side and training side, I’ve shared information about penetration testing: it’s usually cyber pen testing, why that works, and then what’s the difference between that and payment pen testing? So cyber penetration testing is, can someone enter your company systems, or gain access to credentials from the outside? Or some of the pen testing is, let’s make the assumption that they’ve gained access to the company system. So you give them credentials inside the organization, and then they try to see what else they can discover, unfold, or pull out, making the assumption that, hey, they’re going to get in at some point. How is that damage or that situation contained, and what exists? That’s where the payment pen test became involved. This grew out of that; it’s the next level. So it’s a white hat. It’s having a trusted organization either try to gather information about your company’s approvals, your payment systems, or even granting them access into the corporate network, into some of the banking platforms, to see if they can gain access, get approvals made, do anything that would show that the training, the process, the regular defenses aren’t working. And this is really eye-opening to people. And there’s actually a tremendous amount of interest in that. 
We find that pretty exciting, of course, because the ability to use deepfakes and AI to try to compromise or extract some information is fun and uses new tech. But what we find, or what we recommend, is: get a payment security assessment done first, to get your full inventory and see what you need to do to fix those exposures, and know where your exposures are, and then how you would respond, and get your people trained. Then it’s a good time to have a payment pen test. Now, there are some people that say, hey, we want to do that up front to show how bad things are, so that we can get more resources to fix the process. And so that’s certainly a view that people take. But those are the areas that we think about helping with: the tech and consistent processes, payment security assessments, payment security training, and payment pen testing.
Jonathan Jeffery 23:27
There’s interest in pen testing now, but I’m guessing in the next five to 10 years, as AI and deepfakes get easier and easier to use, it’s going to grow a lot.
Craig Jeffery 23:40
Yeah, it’s easier to use, more people can do it, and it’s better and better. So you’re exactly right. The criminal activities are moving in one direction: more sophisticated and easier, leveraging technology more effectively. So our defenses have to continue to be strengthened.
Jonathan Jeffery 23:59
Gotcha. Well, thanks for sharing. Any final thoughts?
Craig Jeffery 24:02
Yeah, I guess I would say, be mindful that you can always be fooled or tricked. And so take time and be a bit suspicious and do that extra check. So be skeptical to an extent, and make sure you have some time or space to think about things. And most importantly, make sure you build that process of additional validation, principles of least privilege, into your processes and into your culture. And the organizations that do that, that have training and look at it, suffer far, far fewer losses than those that do not take this as seriously. Well, thanks so much for your time, Jon.
Jonathan Jeffery 24:43
Yeah, we’re recording this podcast remotely. I’m gonna have to start doing two-factor authentication to make sure I’m actually talking to you and not a deepfake.
Craig Jeffery 24:52
Yeah, I didn’t slip in any of those words. On some of the cheaper deepfake things, we wanted to see how it worked. We used one of those. It was funny how, if you use the non-payment ones, sometimes they’ll just drop in a funny word, like sandwich, and it sounds like whoever you trained it on, and it’s in the middle of a story. It’s like, “You know, thinking through fraud and controls sandwich is, you know, something really serious sandwich.” Or whatever the thing is. And it’s like, okay, you pay $1 now and you can get it without the weird word that pops in.
Jonathan Jeffery 25:27
Yeah, they kind of nerf it so that you end up paying them for their software. But they’re getting pretty good. Well, thanks for your time. Thanks for sharing your thoughts, Craig.
Craig Jeffery 25:34
Thank you.
Announcer 25:38
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.