A busy senior executive walks into her office on Monday morning and begins to review her email. About halfway through, she sees this message:
To: All employees
From: HR and IT department
The IT department has contracted with XYZ Consulting to test and enhance the performance of our network. In doing so, we ask that you sign into the link below and run a few tests. XYZ has asked us to get as many people as possible to perform the tests to get a true reading of our network speed. Your help is greatly appreciated. Link here:
The executive finds it odd that she was not informed about this project and calls the IT department to find out more. She is stunned to learn that not only did IT not sanction any network testing, but that this is a phishing email and more than 100 employees had clicked the link and signed in with their network credentials before IT could stop it.
This scenario is a good example of social engineering in today’s highly connected business environment. Wikipedia describes it well: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.”
CAEs have an interest in knowing how the information security department addresses social engineering, primarily because it is used to perpetrate fraud. Additionally, internal audit should proactively assist in detecting how these techniques play out in their organization and help deter them.
How It Works
Social engineering usually targets communications systems. The most common method is to send a phishing email that asks the user to click on a link. The link leads to a page set up by the perpetrator to request the user’s network ID and password, thus obtaining the credentials needed to access the company’s systems and data. The scammer then uses those credentials to sign on to the system as if he or she were the legitimate user, access confidential information, and download it to sell or to perpetrate fraud.
Some social engineering approaches are elaborate. One variation is to have the link execute a piece of malware to invade the system. Another variation is to offer an incentive to entice the user to click on the link such as money or scheduling a package delivery. Still another technique is for the sender to say he or she is acting under the direction of the IT department or a senior executive. Some scams play on a user’s personal situation or sympathetic side — a compassionate plea about a sick child or parent — to trick the user to click on a link or go to a fraudulent website. Some of the nastiest scams — particularly in the banking industry — send phishing emails purporting to be from the organization that tell its customers they need to refresh or verify their credentials or their accounts will be closed.
Although the email system is the main target, scammers can use the telephone system, as well. For example, a scammer can call claiming to be a customer who has lost his or her credentials to access his or her account. Or callers might say they need to access their financial account immediately and don’t have time to verify their personally identifiable information. Another technique is to call an employee claiming to be a consultant working on the system who needs the employee’s credentials to fix something on the system.
What Internal Audit Can Do
Addressing social engineering is not a task internal audit can tackle on its own. But there are things auditors can do to help the information security department protect the organization.
Testing
Performing a social engineering audit in conjunction with the information security department is one of the most effective and eye-opening things internal audit can do to discover whether the organization has a large-scale awareness issue. A good social engineering test consists of:
- Craft a phishing email similar to those used in common phishing scenarios.
- Work with IT to set up a fake Web address where the link should be directed.
- At the website, ask for sign-in credentials.
- Send the email to employees and monitor who clicks on the link and enters their credentials.
Awareness
Work with the human resources (HR) and information security departments to develop an effective information security awareness program. Employee awareness is the No. 1 way to deter email and phone phishing scams. Teach employees that while customer service is important, they should never bypass information security protocols to help customers unless they have verified through established procedures that they are truly communicating with a customer.
Hotline
Include suspicious emails in the organization’s fraud reporting hotlines and procedures. Detecting fake emails is just as important as uncovering an employee who is misappropriating funds. The only difference is that the perpetrator is using a different means to carry out the fraudulent activity. One way to encourage reporting is to place an icon on the email toolbar that allows users to easily report a suspicious message.
Audit Procedures
Include questions in audits that ask about any unusual activity related to emails or phone calls. Giving system credentials to strangers is even worse than sharing credentials with other employees.
In addition to these items, advise information security and HR to enact these procedures:
- Do not allow personal email to be sent to or from work addresses. This limits the number of suspicious emails and helps deter internal fraud by disgruntled employees emailing sensitive company data to their personal email.
- Monitor all email sent to noncorporate email addresses.
- Recommend tools that have aggressive and effective spam filters to weed out spam and emails sent out through automated email generators.
- Enforce a formal email or computer use policy.
- Do not allow executive privilege to dictate email policy, which can circumvent the measures the information security function has implemented to protect the organization. Executives and senior managers are just as likely as other employees to click on a phishing message.
- Never pre-announce social engineering tests. The element of surprise is important. Testing the awareness level will only be successful if it’s performed under true conditions.
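As an added example, not part of the article, the following script shows one way to implement the monitoring control above: it scans outbound mail-log entries and flags messages to noncorporate addresses, with a higher severity for personal webmail recipients and large attachments. The log format, the corporate and webmail domain lists, and the size threshold are all assumptions constructed for the example.

```python
"""Outbound-mail monitor: flag messages leaving the corporate domain.

Assumed, constructed log format (one message per line, '|' separated):
    timestamp|sender|recipients(comma-separated)|attachment_bytes
"""
from dataclasses import dataclass

CORPORATE_DOMAINS = {"example.com", "mail.example.com"}        # assumed
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}   # assumed list
LARGE_ATTACHMENT = 5 * 1024 * 1024   # 5 MB, an assumed review threshold

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-06T09:01:12|alice@example.com|bob@example.com|0
2024-05-06T09:05:40|alice@example.com|alice.personal@gmail.com|7340032
2024-05-06T09:07:03|carol@example.com|vendor@partner.example.org|1024
2024-05-06T09:09:55|dave@example.com|team@example.com,dave.home@yahoo.com|0
"""

@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    severity: str   # "review": any external domain; "policy": webmail; "high": webmail + large file

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def classify(recipient: str, attachment_bytes: int):
    """Return a severity for one recipient, or None if the mail stays internal."""
    dom = domain_of(recipient)
    if dom in CORPORATE_DOMAINS:
        return None
    if dom in PERSONAL_WEBMAIL:
        return "high" if attachment_bytes >= LARGE_ATTACHMENT else "policy"
    return "review"

def scan_log(log_text: str) -> list:
    """Parse the log and return one Finding per flagged recipient."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpts, size = line.split("|")
        for rcpt in rcpts.split(","):
            sev = classify(rcpt.strip(), int(size))
            if sev:
                findings.append(Finding(ts, sender, rcpt.strip(), sev))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.sender} -> {f.recipient}")
```

Findings tagged "high" or "policy" are the ones the personal-email rule above is meant to catch; "review" entries are ordinary business traffic to partner domains that an auditor may still want to sample.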
Minimizing the Threat
Internal audit has a role to play in an organization’s social engineering defenses. While it is primarily an information security responsibility, awareness, monitoring, and setting up and recommending controls are all activities that internal audit can actively be involved with to minimize the chance that the organization’s systems are breached. In addition, auditors should help detect and minimize conditions that exist for social engineering fraud. Cybercrimes are now one of the new “misappropriation of assets” frauds within organizations. The asset being misappropriated is customer and company private information, and the repercussions to the organization can be devastating.