CreditUnionMagazine.com

Social Engineering: Exploiting CUs’ Service Culture

By Joseph Kirkpatrick

Phishing attacks are a common threat against credit unions and their members. According to the Anti-Phishing Working Group, there were more than 48,000 reports of phishing incidents during the last quarter of 2005. During this time frame, more than 16,000 phishing sites were discovered, 89.3% of which targeted the financial services sector.

Why do these schemes continue to proliferate? Almost all phishing attacks use elements of social engineering. Social engineering techniques manipulate emotions to elicit the desired response—the disclosure of confidential information.

According to the SANS Institute, social engineering is a hacker's use of psychological tricks on legitimate computer system users to obtain information needed to gain access to the system. Human nature falls victim to these attacks, which use trust, fear, kindness, and greed as emotional manipulators.

A widely reported phishing scheme involved consumers receiving fraudulent e-mails claiming to be from the National Credit Union Administration. Awareness and education measures must impress upon everyone the need to confirm the validity of information requests before submitting personal information. Fraudsters rely on consumers’ immediate reactions to these attacks.

Criminals also use social engineering techniques against credit union employees. Credit unions educate members about the phishing threat, but some neglect educating and training employees on the issue. Will an employee share internal information with an unauthorized source? How do employees verify the identity of the person they’re speaking with on the phone? Is the e-mail correspondence from members what it seems to be?

Credit unions face unique social engineering threats. The credit union environment is built on community, trust, and member service. Too often, malicious outsiders can exploit this environment.

For example, if a credit union serves a particular industry or location, terminology is readily available for the social engineer to assume the identity of someone “in the club” to build trust and prey on the kindness of a helpful employee when inquiring about credit union procedures. Armed with seemingly innocuous information, the intruder can talk the talk while posing as a legitimate member. Such criminals often use fear and kindness tactics to convince employees to bypass proper authentication to help a member during an emergency.

Even more frightening, the social engineer will use the fear and trust factors to pose as a vendor, explaining a crisis and asking for the employee’s login credentials or other sensitive information. The element of greed is used in malicious e-mails promising some benefit for clicking on a link or filling out a survey that provides the mechanism for downloading spyware, such as key loggers and remote control utilities.

Employees can succumb to social engineering threats as often as members can fall prey to phishing schemes. Creating awareness and training employees how to react to these scenarios are just as critical in today’s information security environment as network security is for the institution’s technological infrastructure.

Boost Employees’ Awareness
  • Spotlight news items and case studies to develop employee awareness. The SANS Institute has a free newsletter which reports on security breaches and is ideal to share with employees.
  • Train employees on the categories of data (public, internal, confidential) and teach them to verify any request for information under their control.
  • Give employees a clear escalation policy or method to report any suspicious activity, even anonymously.

Joseph Kirkpatrick is president of RavenEye, a Tampa, Fla.-based provider of information security and technology auditing services for credit unions. Contact him at 888-563-7221.

Copyright © 2008 - Credit Union National Association, Inc.