Last month I finished the second issue of my Protecting Information publication and the topic couldn’t be more timely: social engineering.
Just today I have already read in my daily news items 5 articles about social engineering! One in particular, “CUNA Mutual Warns on Costly HELOC Scam,” provides not only a great example of a current social engineering scam, but it would also make a great case study for social engineering training and within your awareness communications and activities. Here’s a quick overview…
* Social engineering criminals are targeting CUNA Mutual Credit Unions (CUs) by requesting home equity lines of credit for $100,000 and more.
* The social engineering criminals call the CUs and ask for the funds to be sent to banks in the U.S., China and Japan.
* The account names they use typically have “Title” or “Construction” in the account name.
* The social engineering criminals use valid telephone numbers so that when the CU staff calls them back, they get the original requestor.
* Unbeknownst to the CU personnel, the criminal has had the valid number provided to the CU forwarded to the criminal’s phone through social engineering the telephone providers.
* The CU’s caller ID shows the call is going to the real CU member’s number of record, so they think the funds request is valid.
* The criminals have apparently obtained the CU members’ detailed account information, so they can answer the CU staff’s identity validation questions correctly.
In response to this costly scam, here is what CUNA Mutual has sent to it’s credit unions:
“The company said it also sent its bond policyholder credit unions a risk alert on Jan. 3, advising them of their responsibilities and offers these recommendations:
• Establish a password system for members prior to accepting funds transfer requests by telephone, fax or mail. Have a written agreement with the member for the use of these passwords. CUNA Mutual said credit unions are allowed to pass on liabilities to the member for any negligent use of their funds transfer password.
• If there is any doubt as to authenticity of the funds transfer request, credit unions are reminded they do not have to perform a wire transfer.
• Beware of large requests for wire transfers that draw against a HELOC, particularly HELOCs that have large available balances and little previous activity.
• Limit the amount of wire transfer that can be completed by a call center employee. Managers should approve all wire-transfer requests.
• Record conversations during the call-back and compare it to previously recorded conversations.
• Listen to the caller. Does he or she have an accent that is inconsistent to your membership?
‚Ä¢ Perform an additional verification to the member’s work and/or cellular telephone number.
‚Ä¢ Additionally, if the credit union has the information, send an e-mail to the member at home and/or work.”
All good advice.
They also need to provide targeted training to all their CU personnel; not only once but on a periodic basis. Training should be updated as new social engineering schemes emerge.
The question remains; how did the crooks obtain the detailed information about the CU members’ accounts? There have been so many data breaches that it would be very hard to tell.
1) It could have been through a breach that occurred within CUNA Mutual.
2) It could have been through a breach that occurred within one of CUNA Mutual’s business partners who use the members’ account information for some reason.
3) It could have been through a breach that occurred within one of the vendors to whom they outsource some of their data processing or customer relationship activities.
4) It could have been through an insider with authorized access who provided the information to the criminals.
5) It could have been through the loss of a computer or electronic storage device that contained un-encrypted member account details.
6) It could have been by the criminals taking copies of printed member details from trash bins, if the company does not shred their paper copies of customer information when disposing of them.
7) It could have been by the criminal social engineering the different CU branch locations to collect the customer details over a period of time.
8) And many, many other possibilities…
The fact is, it is very hard, if even possible, to determine where these kinds of criminals get the information they use for their social engineering crimes.
Your best defense against social engineering scams include:
* Clearly written information security and privacy policies and procedures
* Personnel, vendor and business partner training
* Ongoing awareness communications
* Strong safeguards
Tags: awareness and training, CUNA Mutual, Information Security, IT compliance, personally identifiable information, PII, policies and procedures, privacy, privacy policy, risk management, security awareness, security training, social engineering