How fraudsters use social engineering webinar
Hello everyone, and welcome to KeyBank's annual fraud webinar in recognition of Cybersecurity Awareness Month, so welcome everyone. Today we're gonna be talking about how fraudsters are using social engineering, which is a growing trend that I know a lot of us have been seeing in the headlines. I'm really happy today to be joined by two leading cybersecurity experts, Pat Gannon and Costa Petros. My name is Carol Wang. I lead Commercial Payments here at KeyBank in the Eastern region, as well as our solution engineering team for the enterprise. I'm based in New York City. And I'm very happy to be here today with you both. I'd like to introduce Pat Gannon. He leads our Information Security Center, which is also our Cyber Defense Center here at the Bank. He concentrates not only on security operations, but also on Threat Intelligence and Threat Hunting. Pat's been at the bank for over 10 years and he's also a former law enforcement officer. So thank you for being here.
Thank you, it's a pleasure to be here.
Thanks Pat. Next I'd like to introduce Costa Petros. He is a leading Security Consultant at TrustedSec, a full service information security company that has partnered with Key for many, many years. And they're really at the forefront of attack simulations to really help organizations and their readiness to deal with fraud and cybersecurity. Costa has been in the industry, both IT and information security, for over 20 years. And what you're looking to hear from Costa today is he's effectively a professional hacker, right? I can say that, right? And so what he does is he works with companies to see how ready they really are. And so you're gonna hear quite a lot of profound insight today from Costa as well. Pat, I wanted to first ask you a little bit about, maybe you could share with our clients, you know, the world of fraud is growing as we know, the ways that fraudsters are infiltrating companies is also growing. Why do we choose social engineering today to focus on at the bank? There are a lot of other things that are out there, ransomware we hear, you know, physical penetration. So why do we choose social engineering?
I think KeyBank, like a lot of financial institutions, is just seeing a growing uptick in the use of social engineering to target our clients. And we're gonna talk today about some specific examples that are targeting clients and how clients are losing money, significant dollar amounts, due to fraud because they're not taking the right steps to protect themselves. So we're gonna make you aware of the attacks that are going on today and give you the tools to help protect yourself to prevent that from happening.
That's great, thanks. And I just wanted to share, you know, even as we were getting ready for this session, you know, some of the headlines that I was coming across and we talked about earlier were even things like social engineering being the reason why a lot of attacks have been successful. So whether it's the headlines, most of us have maybe heard on FirstEnergy or even, I think Microsoft has recently made an announcement, right. Costa, do you wanna talk a little bit about that as an example?
Absolutely so, I'm sure everyone is aware of the SolarWinds attack that happened recently. Microsoft just released a study that the same group that attacked SolarWinds is also attacking other IT service providers. And one of the main ways that they are attacking is through social engineering.
Yeah, okay, so very important topic today. So I think it'd be great if maybe we could talk a little bit about how do we define social engineering? What is it, what does it look like? I mean, just to give our clients a sense of how to think about that.
So social engineering, in a sense, just like any kind of hacking, when you define hacking, basically means getting something to do something that it's not designed to. So when you think of social engineering, it's getting someone to do something that they're not supposed to be doing through the social aspect, whether it's sending them a text message, sending them an email, actually asking them for something, coercing them into giving you something that they shouldn't be, something in the social aspect. So what you're seeing on the slide right now, this is from the National Institute of Standards and Technology. And this is how they're defining social engineering. It could be as simple as tricking someone into revealing information or triggering someone to click on a link or open an email or something of that sort.
Okay, so something that we definitely all can relate to, that we do in our daily lives and obviously social engineering fraud happens in our personal lives. We wanna spend a little time talking about how that impacts us in our corporate lives and the businesses that we run. So maybe if we go to the next page, you could give us a little bit also background on as it relates to our clients, companies and the business that they run, how they can think about the different ways that social engineering can take place.
Absolutely, so I am a penetration tester, and I specialize in social engineering. What that basically means is I'm not, per se, a professional hacker. I am a white hat hacker where I only do this if I have permission. There's a big difference. You know, a professional hacker actually does it for monetary gain or malicious ways to do it, whether it's taking down someone's network or something of that sort. So my main role at TrustedSec is a penetration tester. So basically, what I'm doing is I'm trying to find vulnerabilities in a network and try to exploit those vulnerabilities to gain access to sensitive information, whether that be healthcare information of clients, credit card numbers, bank account numbers, proprietary information. If it's a chemical company, chemical secrets, recipes, that kind of stuff, anything that could cause harm to the client, my client or the client's clients. So social engineering, like I said earlier, that could basically be email-based phishing, phone-based phishing, text-based phishing, anything in the social aspect to get someone to do something that they aren't supposed to. In turn, hand-in-hand, kind of a mix of the two, is physical penetration testing where I try to physically break into a building to steal secrets, whether that be a document on a printer or getting into a file cabinet, into a network closet, plugging in a rogue device to gain access to the network. This is a physical attack, but there's also a lot of social engineering used in it. I need to social engineer past the front guard or get through the front door. If someone questions me while I'm on the premises, I need to convince them that I'm part of IT or HR, or let's say a fireman trying to check.
So basically, you're saying as you are posing as a hacker, or you're attempting to do what a hacker would do, simulate what they would do, social engineering is really always a component of how they actually commit the fraud, it sounds like.
It's absolutely big
So a lot of it, you're trying, a lot of hacking it's you're trying to trick something to do something. And when it comes to humans, you're exploiting the human factor. You're trying to get them to do something that they shouldn't be doing to expose secrets. Sometimes you don't think it's important, but it kind of snowballs into something much larger. Sometimes it's just so you don't question me and I can do what I need to do.
Great, Pat, maybe there's some examples you have in your own experience when interacting with our clients that kind of bring these examples to life. And I know you probably have a couple of examples.
Yeah, we do. In today's presentation, we're gonna provide specific examples of some of the different social engineering attacks that our clients are facing. And we also have examples specific to some of the methodologies that Costa uses in his testing. Before that, we will speak to the impact of social engineering and Carol, I think this gets to your point earlier about how frequently it's used and we're trying to get to why do they go to social engineering? And this graph is a good example of that. This is from Verizon's Data Breach Investigations Report. So Verizon does incident response. They get called out to different companies to assist after an incident. And they compile statistics afterwards, put out an annual report. And this content is from that document. What's really eye-opening here is the difference between the two graphs. The graph on the left is a breach. So that is a successful attack. They're able to compromise the network and oftentimes exfiltrate data. And the right is just an incident. So it may or may not have been a successful compromise, but there's two things that sort of stand out here. Number one, when there's a breach, social engineering is predominantly used. So looking at that left-hand graph, it's sort of the go-to. And in my experience at KeyBank in defending our network, when we engage teams and companies like TrustedSec and bring Costa in to test our defenses, we'll oftentimes see them, you know, try to get through the network, look for different vulnerabilities, different technical hacks. But oftentimes when all else fails, social engineering will be the go-to and that's evident on the right. So these are attacks that may or may not have been successful. And what really stands out here with those top two attacks, denial of service, which is flooding your network with traffic to try to disrupt services, and Basic Web Application Attacks, there's one control that is effective in mitigating those attacks.
It's a web application firewall. When all else fails, you've got that social engineering. And if you have 500 employees, that's 500 people waiting to open the door for you, as Costa just described. So it really is that sort of go-to method for a lot of these hacks.
It's a little bit like, you're kind of saying, it's the harder one to protect against in some ways, because for the other ones, the service or application attacks, you can almost put in a program, but social engineering is interacting with other people or their employees, right. And so that's, is that kind of it?
Yeah, absolutely, yeah I think, you know, there's a saying, a lot of times people will say that employees are kind of the weakest link, and what we're here for today is really to turn them into our strongest allies, because we can, through education and awareness, and with our clients as well, letting them know what to look out for and giving them those examples, help detect and prevent those attacks and prevent it from happening to others as well.
Absolutely, great. And then Costa, from your perspective, again, as you're looking at other organizations, maybe you could tell us a little bit about how prevalent you feel social engineering is? You know, Pat talked about it a little bit, but maybe from your perspective.
So when I act as a hacker, there's a couple of ways to look at it. So I can either sit down and take a look at the applications, what security protocols and controls are in place, and try to bypass those or get the application or the network to do something that it's not designed to do, or I could just ask someone to do something for me. There's been a lot of cases where, like, for instance, Target was breached a year or two ago, they were breached through one of their third-party providers. And that person was socially engineered to gain access to that network and then got into Target's network. So it's a lot easier because there is the human factor of it. People wanna be nice, they wanna help. And when you look at this graph right here, what's very interesting, this graph is also from the Verizon Data Breach Investigations Report, social engineering is used in pretty much all the stages of an attack. Predominantly in the infiltrate, which is the first step. Like for instance, if I want to gain access to the network, I'm gonna send you an email, coerce you to click on it. And then at that point, I could potentially get execution code on . And that gives me a foot in the door, into the network. And you can see that through the whole stage here, lateral movement, as I'm moving from your computer to the next one, I could potentially use your email without your permission to send it to someone else. That's social engineering, I'm trying to coerce someone through the social aspect to do something that they're not supposed to. So social engineering can be used throughout all the stages here. And that's what Verizon is finding out.
Okay, that's, I mean, I imagine that a lot of us, as we hear this, we think okay, if social engineering, which is the largest human element, where that's the factor, and of course we as humans, we have our tendencies. How do we sort of think about that, to defend against that? Hopefully, you're gonna give us some good best practices, right? 'Cause I think we've been stressing how prevalent it is and how easy it is, and social engineering happens all the time and much more than we all realize.
Well, it's kind of hard when you think about it, you know, like you said, you're from New York, New York people kind of just do their business. They go to the office, they don't open doors.
We think we can't be socially engineered, is that not true?
You definitely can be. I mean, I've done work in New York where I have jumped over mantraps that beep like crazy. And because of the New Yorker kind of mindset, they don't even bother with the alarm. They saw me jump over it. They heard me trip the alarm, 'cause they just kind of went on with their business.
That's true, and you can rely on that as a cyber criminal, you can kind of rely on that, knowing that that's how New Yorkers might tend to act, right, as a culture.
Absolutely. That makes a lot of sense. So Pat, I know we actually have quite a number of examples of our actual clients who have been compromised through social engineering. And then you can talk a little bit about consequences, as we heard a little bit about earlier in the page. It would be great to share some examples.
Yeah, unfortunately, I've been on the phone calls with clients where they're realizing the impact of fraud that's occurred through examples that we're gonna talk through today. And I think what our clients really need to be aware of is that they're not coming for a thousand bucks here, 5,000 there. The impact we're seeing can be catastrophic to businesses, they're coming for whatever they can get their hands on. And being on those calls, working with those clients, you know, trying to recover those funds, it was just really heartbreaking to see as the realization sunk in, they may not be able to make payroll that Friday and just all the difficulties that they're gonna have. And the attack that we're sharing on the slide now is unfortunately very common for KeyBank and across our industry, where fraudsters will attempt to social engineer clients into logging into the wrong website, a phishing site, or spoof site, that's mimicking our brand. And we'll provide some examples of what these sites look like shortly, but they'll get the clients to these sites either through phishing, where you'll receive an email, it'll appear to come from Key. It'll say that your account's been locked or there's fraud on your account, you need to act immediately. And there'll be a link there that when you click will take you to a site that looks like KeyNavigator or key.com. And when you go to log into that site and provide those credentials, in reality, you're giving them to the bad guy. And we've had recent incidents where Google ads were used instead of phishing emails. A client would Google KeyNavigator, and the first line, and we'll show some examples very soon, the first line would show a website that was an ad and was not KeyNavigator. And they'd go and give up their credentials. The login would ask for a phone number, they would provide it. And as they were waiting, they'd see a screen that would tell them their account was being updated.
They'd receive a phone call from KeyBank, you know, from the fraudster pretending to be Key and asking to authenticate them. They say, they're gonna send you a code. We'll send you a code, please read it back to me so I know it's you. And in reality, the fraudster would take that code and use it to set up fraudulent wires and money movement. So it's unfortunately a very common scheme, but people do fall for it. And we'll talk shortly about some of the ways, we'll provide those examples and talk about how to protect yourself.
Okay, great. So let's go to the next page. And I think Costa, you're gonna show us, I mean, we've been talking about how easy it is to social engineer and sort of not even realize that it's being used to potentially commit a crime, but you're gonna talk a little about how easy it really is to social engineer?
Absolutely, and I'll give you some examples. So on this slide, Jimmy Kimmel did an actual, they sent a reporter down to the street and they started asking people questions just to kind of figure out how easy it is to social engineer. So we're gonna play this video and then we'll discuss it right after.
We're talking about cybersecurity today and how safe people's passwords are. What is one of your online passwords currently?
It is my dog's name and the year I graduated from high school.
What kind of dog do you have? I have a 12 Papillon.
And what's his name?
Jamison. And where did you go to school?
I went to school back in Greensburg, Pennsylvania.
Hempfield Area Senior High School.
Wow, when did you graduate?
It's like my cat's name. And then just like a random number.
Okay, so have you had this cat for a while?
Yeah, she's my childhood pet.
And what's her name?
Her name is Jolie.
Jolie? So like a password of yours was Jolie and then a number? Like number one?
Like my birthday.
Oh, when is your birthday?
Oh, nice. And what year were you born?
Oh, great. So Jolie, 6, 12, 95?
So you mean to give my password right now? No, I cannot do that.
But we all wanna know what it is so we can tell you if it's strong or not.
Oh, my goodness, let me think, okay. One is Tel Aviv Yeah, 468, and then Israel. It's only three, but it's, you know, for me it's strong enough.
Gemma123, spelled GEMMA.
Well, most of them are Italian.
Yeah, so like.
Like what's a good Italian password?
My grandma's name.
What's your grandma's name?
Maria? So Maria is your password.
Oh yeah, now you know my password?
Well, the important thing is . Terrible lesson.
So let's discuss that a little bit.
Okay . That was pretty easy.
Sometimes it's easy. I'm sure they've talked to a lot of people that said, no, I'm not gonna help you, but you try a hundred people, 10% are gonna give you their password. That's usually . Now we're looking at email phishing. 10 people, 10% of the targets usually enter their credentials. What's very interesting in this video is that, in the middle, with the gentleman from Tel Aviv, I'm assuming he's from Tel Aviv, his password has Tel Aviv in it. People like to use things that they relate to. So when it comes to penetration testing, hacking, white hat hacking, you wanna find the link. You wanna do your research and really get to know the person. And you can get these little tidbits of things that they use in their passwords or routines that they do going into the office. Like right here, for instance, this kind of breaks down why it's such a problem that people get socially engineered. We are humans, we do want to help, our minds are doing a hundred things per second. As you can see from the first meme, there's the employee in the middle, there's work behind them and they're distracted by anything else. It could be, you know, their kids have soccer or they just received a new assignment that's overwhelming. Maybe they're just tired because they have a newborn and they're up all night. I mean, that's the human factor of it. There's no rhyme or reason to it. It's just sometimes people wanna help or their mind's just not there. I love it when I break into buildings and people come up and they ask me, they're like, excuse me, are you allowed here? And I'm like, yeah, I'm allowed here. And they're like, okay.
Just like the second meme. I don't know if this is legitimate. And right now I'm just kind of too afraid to ask.
So basically, even if someone has an initial flag in their mind, as long as the potential criminal continues down the path, they know they're not gonna get a lot of pushback. Most are gonna continue to depend on human nature.
And this bottom meme really speaks. It hits close to home. One of my teams is a Security Operations Center. And we have a mailbox where if a client has an email and they're not sure if it's a phishing email or not, they can send it to email@example.com and we'll review it just to validate that it's not malicious. And there are many times where we'll see these phishing emails being reported and the client will say, I clicked the link and I entered my credentials, but I'm not sure. And that's where that meme, I think people start to realize they might've screwed up. And it's just sort of this delayed reaction, where they go, maybe I should do something about it, but we see that quite, quite frequently.
Okay, well, let's definitely keep continuing on other ways of what and how social engineering looks like. I know we definitely wanna get to how we could protect against it. You know, listening to our instincts sounds like it's probably gonna be one of them. So go ahead, Costa.
So what hacking does not look like? Let's start there.
When you watch movies or TV shows, that's the whole Hollywood aspect of it. They try to make it over the top. People who do hack, they don't see ones and zeros. They don't see the world as bytes flying around. When we do look at applications, we do kind of go down sometimes to that level where everyone knows that data is either a one or zero, but we do not see files stored in like a downtown city landscape. If you've been hacked, you don't get a warning saying you've been hacked. You might get something that says you've been ransomwared, now pay me money. But you know, when you get attacked, you don't actually know that you're being attacked. So in the next slide, we're gonna take a look at a video. This is from NCIS and this will kind of go over exactly what that means, where you don't know that. This goes over the top and it shows you what you're not gonna see. So let's go ahead and look at that.
No way, I'm getting hacked. No, no, this is major. They've already burned through the NCIS public firewall.
We'll isolate the node, dump them on the other side of the router.
I'm trying, it's moving too fast.
I doubt it's not good. You're using no connection database server.
I can't, the point attack. He or she is only going after my machine. It's not possible, this is DoD level 9 encryption. It would take months to get that.
What is that video game?
No, Tony, you were getting hacked. the entire answer has now work is next.
I can't stop him, do something here.
I've never seen code like this.
We can go .
I didn't do anything, I thought you did. No.
Carol, has your computer ever done that to you?
I had never, I can safely say never.
Pat, if your computer did that, could you be able to fix what's going on with all those screens popped around?
I would not, but I do like the part, and NCIS is fond of it, of a third hand on the keyboard, where the partner will reach over to help her.
Like hey, what's going on here? Yeah, that's what it looks like.
That only happens when people forget to do the double mute on Zoom, that's from the third hand, okay.
But that never happens. Your computer just acts kind of normal. It might be a little slower because it's doing some things in the backend. I've actually compromised some systems. And you know, I later on heard through the incident response teams that, you know, the person kind of complained that it was slow and it kind of did some things. And you know, I had to dial back some things just to make sure that, you know, they can still function. As an attacker, I wanna be as quiet as possible. I don't want you to catch me. In a lot of the recent breaches, the attacker gained a foothold into the network and was quiet and did reconnaissance. What's important, what's not, where are the sensitive systems? They collect all that data. They plan their attack and then they go in for the . That's usually what hacking looks like. You have no clue that they're in there. They might be doing some things. And that's where, as a corporation, you need to be able to detect it and detect it fast.
In order for you to respond to it.
That's gonna be an important part too, I know, that detection, right? Because it doesn't happen instantaneously in a big rush the way we just saw. That's not generally how it happens, is the message, okay.
So here's some video examples. These were some of my teammates, they're actually doing some physical penetration testing. We'll take a look at the first video and then we'll talk that through.
Hello, how are you? You know my self?
Okay, so Carol, who was the hacker there?
It was the delivery person, the balloon person?
Well, they were both hackers. The one created a diversion of large balloons that kind of blocked the sight of the receptionist. The second attacker goes in, walks right into the office and then they're walking around. So for one, the receptionist was distracted. That's the human factor, I didn't see the second person. For two, there was another lady in the doorway who kind of took a look and said, hey, who are the balloons for?
And the attacker just kind of walked past her and went by, no questions asked. Let's take a look at the second one. The second one is actually very interesting because the lady in this video, she actually does the right thing, but then lets this slip away from her. So let's go ahead and watch that.
Good, how are you?
From the IT department.
Okay, what's your name?
Nice, fine. Better safe than sorry.
Okay, so in this video she did the right thing of saying, excuse me, why are you following me through the door? That's called tailgating. She approached him, could I see some credentials? He produced some credentials. They were fraudulent credentials, but she also let him through. She just accepted that the credentials were legitimate. I think she did the right thing in making sure that you question people that don't seem like they should be there. If you're not comfortable approaching people, you should definitely go through your security channels. Make sure you're contacting either a building manager or some sort of security line that your corporation has set up. But what you didn't see in this video is that, and I kinda cut it out because it's a very long video, there's a kind of playing around. But that hallway that my colleague went down later on in the video, he actually got into that room by bypassing the lock. And that was the server room. So on entering the building, he was questioned. She let him go, he ended up getting into the server room.
So both these videos are actually real videos that you took? I mean, these offices look like any of our offices and our clients' offices, right. Which makes them really very realistic for us. I mean, these are offices that you actually were asked to test how secure they were, is that right?
That is correct. So it's a very fine process where we triple-check and quadruple-check. Is this the location that you want us to check? We have to have approval. We even go as far as making sure that that signed letter that says this location, these people are tested, gets notarized. 'Cause it's that important. Let's say you mistake a street number. Now instead of testing your building, you're testing the person next door.
And how easy is it for you usually when you engage in these projects, that you're able, you know, the two video examples, does it happen pretty much, you're able to penetrate most of the time?
Pretty much, I've gone through armed gates, where there are security guards that are armed, you know, making sure people are badging in. I've gotten through there using a couple dozen donuts.
All depending on your manager?
I have a badge hanging, a fraudulent badge, sometimes it's just a white piece of paper, just kind of hanging in the badge holder. People just assume that it's the badge flipped upside down and they just let me in. Sometimes I've used empty paper boxes. I come in acting like it's all heavy and oh, can you hold the door for me? And they do. Sometimes I see a bay door open, I just walk into it. I've gone through service elevators. I've gone through and people see me. Sometimes they ask, and I social engineer my way out of it.
And I think it speaks to a point we brought up on an earlier slide, when we were talking about how easy it is to social engineer people and how we're hard-coded to help. And one of the things we teach our employees at Key is, you know, don't be afraid to be rude, be assertive. And it's, you know, it's for our safety and for the safety of our clients. That second video reminds me of a pen test I did out on the East Coast where I met the nicest lady that I've ever worked with. Their customer service was outstanding, but she would not give me an inch. I had a fake badge. I knew some names, I'd done some research ahead of time. And she kept escalating and escalating. And she said, that's great, sweetie. I'm gonna help you out as much as I can. I just need to validate that you are allowed to be here, and she couldn't get ahold of people and kept calling up and up the chain. We were two people away from the CEO before I was caught.
Okay, so that's like the opposite? That's the way to still kind of be polite, which is our nature, but at the same time, validate, protect what you're, you know, what you're supposed to be doing? And that was the best example of how to kind of accomplish both, right?
Okay, that's great. You have one more example for us, I think?
Yeah, so in this slide here, this is the Hollywood version of what a hack actually looks like. This is the most legitimate attack that I've seen in Hollywood. There's a lot of scenes that are like this, where it is tried and true, but this really replicates what it actually looks like. So let's go ahead and take a look at that.
So you're right? Sweet!
So to just kind of recap that, if you haven't seen Ocean's Eight, the motive behind the attack was to understand and gain access to the camera systems because they wanted to steal a jewel Douglas. In modern day attacks, there's really not that much theft like that, where they're trying to gain control of the systems and try to steal one thing. Usually, it's data that they can sell on the black market, you know, credit card numbers, healthcare information, trade secrets, that kind of stuff. What's really realistic about this is the stages of the attack. There's always the reconnaissance. You wanna gain as much information about the person as possible. You wanna be able to relate with them, create something that will trick them into doing something that they shouldn't be doing and run some code that will give you access to their system. And then at that point, you can exfiltrate what you need to ask for.
It goes back a little bit to what you were saying earlier about how it happens over time. It happens sometimes very slowly over time, right? There are a bunch of stages and it's not something instantaneous. I think it's very much.
Right. So when you think about it, so the graph on the left-hand side, this is from the Penetration Testing Execution Standard. Me as an ethical hacker, this is what I follow. These are the stages. When I go to a client, this is what I'm doing throughout the entirety of the engagement. First is pre-engagement, where we need to make sure what I'm testing is approved and you own it. There's no other third-party providers that need, you know, written authorization that I'm doing the test. Intelligence Gathering is one of the most important ones. In social engineering, I need to make sure that I understand the most about the person that I can, so I can relate to them, gain trust, and get them to do something. So I'm gonna do as much digging as I can. Pat, if you need to figure out where someone's working, where do you go?
LinkedIn. I would go to LinkedIn. Those are potential client, potential employees that work at a corporation that I can enumerate and then, you know, go to something like hunter.io or one of those professional linking websites and say, what's the email format? And at that point, I know sometimes I have some targets at the company that.
You basically say, you could take the names from LinkedIn of a people, of their employees, and then figure out the actual work, email address with other sites and piece those two together, send that employee an email, a phishing email.
I can send it to a hundred and hopefully hoping that 10 will enter their credentials or run something that they shouldn't, you know.
And then do you gain information there that you can use for a more targeted phish so you don't have to rely on the Nigerian, you know prince scam popping up in a mailbox, but can you gather other data that you can use then to make it more believable?
Yeah, so when I do phishing attacks, I try to figure out what's the best thing that's relevant at the time. The last couple years has provided me a lot of topics to social engineer, whether it's working from home or you know, healthcare related, that kind of stuff. But usually I look at like news sites, blogs, like news pages on a corporation, sometimes documents that are hosted on the corporation's website. I can sometimes get usernames in there. I can sometimes get the software that they're using. Sometimes I can get healthcare information. I've gotten 401k perspectives internal for the benefits, I've used that. Anything that I can do to relate to the employee to get them to do something that they shouldn't be doing.
Right, Pat, do you have any examples also where, again, we've actually seen some of our clients be compromised? I mean, I know that this is the one you mentioned earlier. I think this is unfortunately a very common example, but one that we should talk about.
Yeah, so this is an example that's taken from an actual Google search where a client had searched for KeyNavigator. And these were the results that were returned. Spoiler alert: A is the correct answer. If you can see the URL, that website address next to the ad up top, that's not for a key.com domain. So that was not our site. And this is exactly what the client saw when they clicked on that link and were taken to a page that looked just like KeyNavigator, followed by the account takeover that I had described. And on the next page, we'll see some examples of how quickly they'll stand these sites up. We do have a service that will scour the internet, looking for these sites and taking them down as soon as we can find them. But the threat actors can stand them up very, very quickly. And oftentimes we'll see, you know, multitudes a day being created. And on the right-hand side is an example of just how difficult it can be to detect that it is not a KeyBank site. In that example, they switched the I with the G and moved a period a few places and it would take you somewhere completely different than KeyBank. And this was a site that the client would see while they were waiting. You know, they thought they were waiting to log in. And in reality, the fraudster had already logged in and was in the process of setting up that wire. The client would receive a message. The message would say, we will never ask you for this passcode, and they were still social engineered into providing the passcode to the fraudster, which allowed the money transfer to be set up.
Right, right, you're right, 'cause that's an example we do always tell our clients, in all of our emails and all of our communications, that, you know, KeyBank would never ask. But in this case, again, social engineering is so strong that, human nature, unfortunately, this ended up in a poor outcome. So this is what I know we really wanna understand better. So, you know, it's clear that it's very pervasive, it's hard to detect. It's only the beginning of multiple steps in terms of how an attack might end up happening into actual fraud. So please tell us a little bit about how we could defend ourselves and some of the best practices. And, you know, as both cybersecurity experts, what do you like to see, you know, our clients do?
Absolutely, so first thing, just like Pat said earlier, validate, validate, validate, validate, validate, validate, validate. As a person, if someone's calling you, you wanna make sure they are who they are. You don't just believe that, you know, let's say, I call you as Pat, are you going to believe me? He's gonna be like, hey Pat. Yeah, we're doing this webinar later, let's talk about this. You wanna make sure they are who they are. You wanna make sure that the phone number that's calling you is that person.
When you say, when you say to validate, what are some ways that we could actually validate? So if I'm not sure about the phone number, if I don't recognize the phone number, what should I do?
You can say, hold on, I'm busy. Let me call you back.
Hang up, right, okay.
And use the number that you know.
Okay, that's a great example.
Yeah, at Key we recommend, you know, using the phone book, the directory, look up who the person is. Again, it doesn't feel good to do that sometimes, you know, it is to be assertive, but we have a culture where that's accepted and expected, that we'd go and validate those, you know, use what information we have out of band, we'll call it. You can use the number you have to text or just another method to ensure that is who you're dealing with.
Okay, great. I think this last bullet too on validation is really interesting, on links. If you could speak to that one a little bit, on hovering. I don't know, it seems so easy, but I don't know that a lot of people do this.
Yeah, so this is the same as the previous slides. It just kind of points out an actual email form. So the first one, the Home Depot one, I pulled it out of my Gmail spam folder. I was like, oh, this is a prime example right here. Someone says, hey, take this Home Depot survey, but you need to look at where it was sent from, the actual email address. So the first part of the email address before the @ is the identifier of the person. After is the domain name, who owns that domain. That is definitely not Home Depot. It's just a random lead-generated name. And they're trying to get you to just click on things. The second one, this one I actually googled and found. This one is saying it's from the Russian mafia, but the context of the email is not the Russian mafia. So ways to detect that: in an email, make sure you're looking at the email name. And if you get a link sent to you, make sure you hover your arrow over that link. And then your mail program will actually show you the link either right at the arrow or down in the bottom left. And then you can see where the actual domain name is.
That's really helpful. I mean, so these are all things that I think we could all relate to in our personal lives. And certainly again, even in our professional lives, as we've learned today, an entry point of social engineering, again on the human element side. Are there things that corporations, that I know you can speak to, can also kind of do as a best practice to kind of combat the human element and the social engineering aspects?
It's layers of controls. I think at Key we start with awareness and we talked about, you know, we like to look at employees as our last line of defense to detect these phishing emails. If a phishing email makes it to an employee mailbox, it means it made it past literally millions of dollars of controls that are there to stop it. And that employee's got the awareness to recognize it and the method to report it so that we can react to it and put blocks in place and make sure no one else got it, and no one clicked on any of the links and there was no impact. So it is about different layers of controls, from the employee all the way to email gateways that will send back emails and make sure they're not malware, internet proxies that will make sure when you're clicking on that link, you're not going to a malicious site. Just a number of layers. Anything I missed there?
No, so to talk a little bit further, at TrustedSec we've got the team that actually goes through and helps the defenders of corporations kind of fine-tune all the millions of dollars of equipment so they can actually stop or catch these bad guys. So on the slide, they live by, we call them the blue team, they live by the three D's, which is deflect, detect and deter. You wanna deflect any attacks. So if an attack comes in, you wanna catch it and stop it. If the attack does go through, you wanna make sure that you can detect it and react to it. And thirdly, you wanna deter it. So in social engineering, a good way of deterring the attacks is making sure that if it's physical, like someone's attacking the building physically, you wanna make sure that people are asking the questions: you don't belong here, can you badge into the door? Where is your ID? You wanna make sure that your employees are doing that. That's a big deterrent. If I see that's happening at a building, I'm less likely going to attack it. Email phishing, if I know that the employees are constantly reporting email phishing, then I might not attack them. You know, so the three D's are very big to make sure that you're using security controls to secure, you know, your network and your sensitive data.
That's great, those are really good best practices. And for those out there that are listening, if there are questions you have specifically on those tools, please send them into the chat. So Pat, I know you're gonna talk a little bit about what to do if unfortunately, and a little bit about what the bank is doing to help our clients, you know, protect themselves?
Yeah, unfortunately time is very much of the essence. If you feel you've been impacted by fraud, we ask you to call your payment advisor, your relationship manager, your banker right away. The faster that we can get the recall, like take steps to protect your account, we'll close online access, we'll recall any fraudulent transactions or attempt to, and the faster we can move the better, you know, ideally we're catching it before it leaves the bank. And because it can be an extensive process if it does manage to leave. But first thing, let us know and also file a complaint with IC3.gov. That's the internet tracking center, sorry. And that helps engage the FBI sooner to help with that recall process. And again, the quicker, the better. And then also as an individual, if you're individually impacted there, we'll want to check credit reports, consider placing a credit freeze to prevent any additional damage.
And I know on that second one around IC3.gov, you know, we've hosted this webinar in some of the regions more locally. And we, of course, KeyBank does partner with local law enforcement agencies, including the FBI. One of their recommendations that I think we'd like to share is that as a company, if you don't know where your local FBI office is, or your local agent, you know, the FBI definitely encourages you to find out. And that's something that's a best practice they've asked us to share with our clients as well.
And I'd highly recommend that, just as an incident responder for Key, it's one of the things that we've got a, you know, I have cell phone numbers of different agents here in the area, and it comes in handy when you need just, you know, to bounce something off of them, or they'll share information about some things that may be impacting other banks, and really just a great.
That just helps preparedness, right? You hope you don't need it, but you know, you wanna have that information, that's great.
And then as far as what Key's doing to protect you today, as part of that package, we're here to raise awareness, letting you know about social engineering and how you can recognize some of these specific attacks that are targeting your organization, such as the phishing and the malicious advertisements. We're also putting a lens on behavior, where we have monitoring in place to detect the unusual transactions and keep a closer eye on high-risk segments. One of the things that is coming soon that I'm very proud of and anxious to get in our clients' hands is an offering called IBM Trusteer. It's a product that we'll be offering the KeyNavigator clients at no charge that will protect against malware on clients' machines as well as social engineering. So if you fall for that link, even if you click the link. And one of the things that I think we've seen is, you know, when Costa is doing an engagement, he's only gotta be right once, whereas when you're getting attacked, you have to be right 100% of the time. And you can't, you catch that employee on the wrong day, and they just click that link a little bit too quickly. And it opens the door, and Trusteer will intercept that and will identify that you think you're going to Key, but you're not. And we'll prevent you from becoming a victim. So that's coming soon and our clients should keep an eye out from their Relationship Managers and Payment Advisors.
Okay, that's great, definitely. Okay, well, I think we certainly feel educated on the level of sophistication that fraudsters are using, much more so than, you know, maybe even 10, 20 years ago. And then I think between social activities and, you know, you mentioned a lot of the current events, it kind of makes it even easier for fraudsters, it sounds like. We're gonna go to Q&A. I see that there's a question here from someone that asks, why doesn't KeyBank implement two-factor authentication? It would mitigate a lot of these issues. That's coming from the audience.
Yeah, and unfortunately we do have some examples where even using that two-factor, there really aren't any silver bullets out there. One of those things that we're doing, and you may hear from your Relationship Manager or Payment Advisor about Transmit, where we're setting up new, we call them journeys, authentication journeys, where we're trying to take the human out of the equation and rely on data. That's the telemetry that's created when you're logging in. So that it's very, very difficult for a threat actor to impersonate and it's impossible for a client to accidentally give it away. And that's where Transmit and the controls there, as well as Trusteer, will be a big help in that area.
Okay, so that'll help on that front? Got it, but I think the message also is that it's not necessarily, it has its vulnerabilities as well, two-factor, I'm gonna guess probably through social engineering as a...
Yeah, exactly, and that example where clients were receiving the passcode, the code told them we will never ask you for it, followed up by a phone call from someone pretending to be Key and asking for it. Okay, should a small business physically lock their servers behind a key or some sort of controlled access? Yeah, this is a good question. You know, a lot of our, especially some of our smaller clients, they may not have, they might not feel like they need to, you know, so the question is how often is physical access compromise actually used in the real world? How can they assess that?
So it is, and this kind of hits home with me. My father had a small business and that's how he put his kids through college. There was a time where a lot of people would break into the building and steal things, whether it was, you know, cigarettes or, you know, go to the office, try to steal the safes, something of that sort. It was built into me to always be secure. When I was running around, playing in the house, as I ran out the door, I had to turn around and lock it. The front door was always locked. It really bothered me that as I was a kid running around the house, I could have gone in the front door because it was locked. But now that I'm an adult, that kind of made me security-minded, that I have to always set the alarm when I leave my house, I have to make sure that my doors are locked. And it's the same thing with small businesses. You wanna make sure that your small business is as secure as you possibly can make it. Now, if someone really wants to get in, they're gonna get in. My father's store, as soon as they broke all of the glass and we replaced it with laminated glass, they just stole a van and drove it right through the front door.
But that's a longer time that they have to do it.
It's a little harder, it made it more difficult. And I think you're saying that, you know, really the question related to the server is, even as a small business, don't underestimate, don't underestimate that that is still something that criminals might want to see.
So back to the D's, you wanna deter. So if they see that everything is locked up, they might not go the extra step to steal a van and drive it through the door. You know, you wanna make sure that everything is out of sight, really locked up, make sure that nobody can get to it or knows where it's at. I mean, and it doesn't matter the size of the business, if it's a small shop or if it's a Fortune 500 company. It really doesn't matter.
And I think what you're speaking to is something that was on a slide earlier around threat modeling, where businesses have to identify, you know, what their risk is. Do they have intellectual property or research and development designs that a nation state may want, or do they just have money and, you know, someone wants to launch a ransomware attack that would encrypt their data and force them to pay a ransom to get it back? And there are companies like TrustedSec that'll come out and help you perform these evaluations and identify where your risks are and then the appropriate controls.
So the next question, actually, and I'm curious about the answer as well. I don't know, can I always trust the lock button in the URL? Malicious websites, are they able to have that lock?
They are, so that
Okay, so that is not safe? Does it make it safe?
It just indicates that it's encrypted, that the communications are signed and encrypted. So that's what we recommend our clients do: type key.com. That's nice and simple, and they get to the right place.
Okay, but the lock is, I guess for a lot of people, it's obviously a misperception. People perceive that lock to be somehow secure.
So, to what Pat said, that shows that it's encrypted. That's kind of a different attack. That's not related to social engineering. If there's no lock there, then the password and username that you're entering into that site get transmitted over the internet unencrypted, so your plaintext password, exactly like you typed it in, is getting sent over throughout the world's internet, just in plain text, it's not encrypted. And that's what that lock, you know, ensures. And it's not just the username and the password. Let's say I go to key.com to check my banking balance, all of that information, my account numbers, my mortgage information, my statements, if that lock's not there, then all that information is getting transferred over the internet.
But the presence of a lock does not mean that it's not a malicious website, is the takeaway, I think, for most of us, which was definitely some new information for some of us. Can you speak to the best way to secure internal passwords and timeframes for users to change passwords? What are some best practices?
Yeah, I would say actually at Key, we use a password vault solution where I personally have one password that I know, I don't know the rest, it keeps track of them for me. And then I can do very long, very complex passwords and make them, most importantly, unique to each application. We see attacks where a website will get hacked. The threat actors will take that username and password and try to log in to KeyBank accounts. So if you're reusing that data, it gives them, we have other controls that kick in, but it gives them that head start. So I would recommend a password vault.
Okay, anything about timeframes?
It does, there's actually some controversy over that, because if you're forced to change, you pick easier passwords like spring01, spring02. So we do have expiration dates, but it's not very often.
Okay, so there are different schools of thought on that? Okay, so this is our last question, and the question is, where can my company find additional information to stay up to date on threats?
I would first point you to key.com. We have key.com/cybersecurity, where, if my team detects a specific phishing campaign where there's different verbiage or language that is being used, we'll put up alerts to let you know about the latest, and then there are other advisories there as well.
Okay, great, and yeah. And that website URL is at the beginning of the presentation, but it's a key.com/cybersecurity again, for anybody who missed it. So that does it for us today. Pat and Costa, I wanna thank you for joining us today. Our clients, I wanna thank you for taking the time as well to create more awareness. We really appreciate it. If you have any questions, please don't hesitate to reach out to your Payment Advisor, your Relationship Manager, and have a great rest of your day, thank you.
In this informative and collaborative session, experts Patrick Gannon, Information Security Director from KeyBank and Costa Petros, Security Consultant from TrustedSec:
- Described how fraudsters use sophisticated manipulation techniques – or social engineering – to hack your devices and systems
- Walked through real-life scenarios to show how social engineering works
- Offered tools you can use to prepare your business, share with employees and help prevent an attack
For more information visit key.com/cybersecurity.