Stay calm and (don't) pay the hackers
This social engineering case study highlights how attackers use curiosity, urgency and fear to manipulate victims into breaking company protocols, and how they got a finance employee to willingly transfer £152,000 into the attackers' bank account.
Miranda worked in Finance for Troy Ltd. One morning she received an email with the subject line “Urgent C.V resend: FAO Miranda Lewis”. She opened the email:
Miranda opened the attachment and reported that it just looked like a random mix of numbers and letters, definitely not a C.V. She replied to the sender alerting him that the C.V was unreadable, and that if he resent it she would look at it. Miranda went about her day as usual, not giving another thought to the scrambled C.V.
At 12:30 pm, Miranda logged into the company’s online banking and checked that all the expected invoices had been received. It all looked fine and she went out to lunch with her friends.
Unbeknown to Miranda, the C.V attachment she had opened had dropped a trojan onto Troy Ltd.’s system. This type of malware gave the attackers sight of everything on her machine, including the company bank account. Whilst Miranda had been logged into the online banking, the attackers had managed to copy all the banking login credentials. Over Miranda's lunch break the attackers found an Excel spreadsheet that she used to catalogue the account numbers of the various suppliers the company used. The attackers then changed each bank account on the spreadsheet to ones they controlled!
When Miranda returned from lunch she saw another email in her inbox. This time the attackers emailed her pretending to be one of the company suppliers from the spreadsheet. The email read:
“We expected payment of our invoice for £70,000 last week but as of yet we have received no payment. Unfortunately if we don’t receive the money today we will have to cancel the order that is due for delivery.”
In a panic, Miranda checked the online banking again. It looked like the invoice had been paid. She was confused: why had that payment failed? She checked her trusted Excel spreadsheet to ensure the right account number had been used. To her horror, the details didn’t match. “I’ve sent the payment to the wrong account,” she thought.
Feeling embarrassed, Miranda quickly replied to the “supplier” stating that she would pay the invoice immediately and that she was ever so sorry for the mix-up.
She did so, and the attackers, not the supplier, received the invoice payment. She never knew that the reason the details didn't match was that the attackers had changed the bank account on the spreadsheet!
To make matters worse, because Miranda had added the attackers’ account as a new payee and the attackers knew the online banking login, they were able to transfer a further £82,000 out of the company account.
What can we learn?
As in many cases, a series of mistakes contributed to an outcome that was catastrophic and easily preventable.
The first mistake was opening an unexpected email with an attachment that should never have come to her. She works in finance, not human resources.
Second, Miranda didn’t report the suspicious C.V to her I.T team. Reporting should be company policy, and staff must know who to report to.
Get staff to stop and think before they act: if Miranda had paused instead of panicking, she may have been suspicious of the email and the level of urgency contained within it. She should have called the supplier on the phone, using a number already on file rather than one taken from the email, to check that the complaint was actually from them.
Have a 4-eyes policy on payments: with a second person required to approve every payment, the attackers could not have unilaterally transferred the money out of the account. Speak to your bank about setting this up.
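The two controls above can be enforced in a payment-release step rather than left to memory. The following is an added illustration, not part of the original case study or of any product mentioned on this page: the supplier registry, names and account numbers are constructed, and the registry stands in for bank details confirmed out of band, as opposed to an editable spreadsheet.

```python
from dataclasses import dataclass

# Constructed example, not from the original case study. VERIFIED_SUPPLIERS
# stands in for supplier bank details confirmed by call-back on a number
# already on file, which is the record a payment should be checked against.

@dataclass(frozen=True)
class Supplier:
    name: str
    sort_code: str
    account: str

@dataclass
class PaymentRequest:
    supplier: str
    sort_code: str
    account: str
    amount: float
    requested_by: str
    approvers: frozenset = frozenset()

VERIFIED_SUPPLIERS = {  # constructed sample registry
    "Achilles Widgets": Supplier("Achilles Widgets", "20-00-00", "11111111"),
}

def reconcile_spreadsheet(rows, registry=VERIFIED_SUPPLIERS):
    """Compare spreadsheet rows (name, sort_code, account) with the verified
    registry and return the names whose details differ or are not registered.
    Run against the case-study spreadsheet, this would have exposed the
    altered accounts before any payment was made."""
    tampered = []
    for name, sort_code, account in rows:
        known = registry.get(name)
        if known is None or (sort_code, account) != (known.sort_code, known.account):
            tampered.append(name)
    return tampered

def assess_payment(req, registry=VERIFIED_SUPPLIERS):
    """Return ('release', []) only when the payee's details match the verified
    record AND someone other than the requester has approved; otherwise
    ('hold', reasons) so a human follows up by phone."""
    reasons = []
    known = registry.get(req.supplier)
    if known is None:
        reasons.append("unknown payee: confirm with the supplier before adding")
    elif (req.sort_code, req.account) != (known.sort_code, known.account):
        reasons.append("bank details differ from verified record: call the supplier")
    if not (req.approvers - {req.requested_by}):  # four-eyes: requester cannot self-approve
        reasons.append("four-eyes: a second approver is required")
    return ("release" if not reasons else "hold", reasons)
```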
With the exception of the network not detecting the trojan, all the errors in this case were human, the result of highly effective, fine-tuned social engineering tactics. Most of these mistakes can be prevented with good quality face-to-face training for staff. We provide GCHQ certified social engineering training to give your staff the confidence to spot and stop attacks such as this.