Toyota Boshoku Corporation, a subsidiary of automotive giant Toyota, became the most recent victim of an information security breach resulting in a fraudulent funds transfer. The suspicion is that a successful social engineering attack duped an employee into making the transfer. The transfer amounted to almost $37 million, a loss that, if not recovered, may force the company to amend its annual earnings. This loss didn’t happen because Toyota was somehow lax in its security. It happened because social engineering attacks exploit the one cybersecurity weakness that can’t be eliminated – people.
Social engineering is a well-known type of attack in information security that relies heavily on human interaction. Social engineering attacks include phishing, vishing, pretexting, and a range of other activities in which an attacker manipulates someone into breaking security procedures and in turn gains access to sensitive systems or data, generally for financial gain. The costs of such a breach aren’t always in the millions, but they are significant.
While details are currently limited, what is known is that an employee was convinced that the fund transfer was legitimate or authorized and therefore completed the transaction. There are several possibilities for how this occurred, many of which attackers use regularly. One of the more disturbing methods that has emerged is the use of deepfake technology to mimic the voice of someone who internally has the authority to legitimize the transfer. A fake phone call in which a senior employee verbally authorizes the transfer is a technological possibility. These calls succeed because employees rarely question their superiors when given a verbal order. Another potential method would be for the attacker to send fraudulent emails appearing to come from a “trusted” company leader with the power to approve fund transfers. The most likely approach would be for a criminal to establish themselves as an apparently legitimate supplier to the company. This turns the organization’s own processes against it: the attacker need only issue invoices and provide appropriate delivery documentation for goods that never existed.
Whatever the details of the attack, the result was the same – the company lost $37 million. Social engineering attacks rely on the one factor that is a perpetual variable in information security: human beings. No matter how robust your cybersecurity posture or how good your security practices, it only takes one occasion for an otherwise reliable, dedicated, and often well-meaning employee to circumvent a security procedure, click on the wrong link, or accept someone’s identity at face value, and suddenly your organization is facing a data breach or a security incident. Social engineering is often the most successful form of cyber-attack because it leverages the good intentions of employees and their trust in the company’s processes and structure. Criminals gain an understanding of how an organization functions through information gathered in a seemingly innocuous or legitimate manner. This information allows them to design plausible scenarios that turn unwitting employees into security holes and risk factors.
In many cases, when the details come to light, a social engineering attack succeeds because human beings are the central risk factor. The human risk factor can be mitigated but never entirely removed from the equation. End-user training and cybersecurity awareness programs are the first step in mitigating this risk. Empowering your employees to ask questions and request verification directly from trusted sources is an important control that helps address the danger of social engineering, but it is hard to ensure one hundred percent compliance, one hundred percent of the time. External factors such as crunch time, looming deadlines, unavailable superiors, and productivity metrics often influence whether an employee has the luxury of being cautious or settles for ‘good enough’. In the end, there is no eliminating the human risk factor in security, even if you are an automotive giant like Toyota.
At Zeguro, we understand that removing the human risk factor is impossible. We also understand the importance of protecting your company. Building and maintaining a robust cybersecurity program can be overwhelming and expensive for even a large well-funded organization. This is why Zeguro takes a holistic approach to help SMBs strengthen their cybersecurity programs and undergirds that with a safety net. Starting with a security-first approach, we help you identify risks, create policies, and monitor control effectiveness. Then, because we understand that the human risk factor will always exist, we go further than other companies. As part of our Cybersecurity-as-a-Service (CSaaS), we also direct you towards an end-to-end cyber insurance policy designed around your needs.