Social Engineering Scams: Cross-Tenant Impersonation Attacks, Voice Cloning Risks, and More
Social engineering scams are on the rise, and the financial damages are staggering. According to the FBI, in 2022 alone, business email compromise (BEC) scams resulted in approximately $2.7 billion in losses. The same report finds that BEC complaints tripled from the previous year, and the losses are 80x greater than those from ransomware. Often, hackers gain access to email accounts—and more—using sophisticated phishing attacks designed to steal passwords or cookies, as well as new techniques designed to bypass multi-factor authentication.
In this blog, we’ll explore the top social engineering scams and trends, including cross-tenant impersonation attacks, caller ID spoofing, voice cloning risks, and MFA bypass attacks. Then, we’ll dive into the details of BEC scams and share some strategies your organization can implement to reduce your risk.
What Are Cross-Tenant Impersonation Attacks?
Cross-tenant impersonation attacks are becoming increasingly prevalent. In fact, this type of social engineering scam is widely thought to be the cause of the recent MGM Resorts attack (watch this 13-minute video case study for more details). After the attackers compromised credentials, the next step in the MGM cross-tenant social engineering attack involved calling the IT service desk and convincing them to reset the compromised user’s credentials, including Multi-Factor Authentication (MFA), and to register the attackers' own devices as the authorized devices. Many reports say the attackers used the increasingly popular cross-tenant impersonation attack tactic and employed voice phishing, or "vishing," to secure this access.
Once this crucial access was secured, the attackers then focused on Okta super administrators. Obtaining access to an Okta super administrator account provided the attackers with extensive privileges, including access to the Okta Vault, single sign-on services, and more.
At this time, the full extent of the MGM compromise has not been disclosed; however, the attack reportedly caused losses of over $8 million per day while MGM was in the main stages of its recovery and has cost the company over $100 million in total.
The September MGM Resorts incident was a large-scale example of this rising cross-tenant impersonation attack tactic, and timing was not on MGM’s side. Shortly before the attack, Okta had just released a guidance document, Cross-Tenant Impersonation: Prevention and Detection, that could have been helpful if MGM had had a little more time to incorporate its prevention strategies. Check it out for additional advice on how to defend against these scams.
The Rise of Caller ID Spoofing
Adding to the risk, cybercriminals are increasingly leveraging caller ID spoofing in order to make phone calls appear legitimate. Services such as SpoofCard are widely available and, for a fee, enable anyone to change their caller ID, the sound of their voice, and even the background audio of a call. Similar products are available on the dark web and are tailored to serve cybercriminals. “With this increased tactic of ‘spoofed’ phone numbers it emphasizes the importance of leveraging two-factor or multi-factor authentication as an additional security layer,” cautioned the FBI in their latest report. “Procedures should be put in place to verify payments and purchase requests outside of e-mail communication and can include direct phone calls but to a known verified number and not relying on information or phone numbers included in the e-mail communication.”
New Risks of Voice Cloning
Voice cloning, powered by artificial intelligence, allows attackers to imitate someone's voice and requires only a short recording to produce concerningly realistic results. Why is this a concern? You may have noticed that your bank or credit card company plays a recorded message saying you have been authenticated by your voice when you call. Voice cloning can defeat these voice-based authentication systems, making it easier for attackers to impersonate people over the phone. This opens another way for attackers to bypass authentication at organizations and for individuals.
Undermining Multi-Factor Authentication
As illustrated by the MGM Resorts case study, today’s attackers often use sophisticated social engineering scams to bypass multi-factor authentication. Another trend is the rise of MFA fatigue attacks, in which attackers flood the victim with MFA approval requests until they relent and grant access. Watch this video case study of the Uber breach to learn more about MFA fatigue attacks. This type of attack is not only annoying, but also effective in gaining unauthorized access. To mitigate these risks, your organization should train employees on proper MFA usage and stay updated on the latest security trends to counter such attacks.
A Popular Target for Attackers: Your Email Account
All too often, the attackers’ goal is to gain access to a victim’s email account. Business email compromise (BEC) is a social engineering scam in which attackers break into an organization's email account in order to steal money or obtain valuable data. The attackers often leverage weak passwords or phishing attacks to gain entry to a corporate email account and quietly search those emails looking for opportunities to defraud a victim. For example, they may send emails from a hacked account to customers telling them to make payments to a different account which the hackers control (often with the excuse that the company has switched to a new bank). Since the email comes from a trusted source, the unsuspecting customers send payments to the attacker’s account.
Common types of BEC scams include:
- Executive fraud
- Real estate transaction fraud
- Payroll redirects
- Vendor payment invoice fraud
- Billing fraud
- Attorney impersonation
These scams are not limited to specific industries, but a current trend is that hackers often target professional services, such as law firms and accountants.
Now, let's shift our focus to how organizations can reduce their risks of falling victim to social engineering scams.
5 Ways to Reduce Your Organization’s Risk of Social Engineering Scams
So how do you reduce your risk of a breach from social engineering attacks? Here are five strategies that can help:
- Use Modern Multi-Factor Authentication. Encourage the use of modern MFA methods such as authenticator apps or biometric authentication instead of relying on less secure options like SMS or email-based one-time passwords. Passwordless authentication using a mobile device or biometric is your best bet to enhance security, but any MFA is better than no MFA.
- Employee Training and Awareness. Invest in employee training and awareness programs to educate your team about the risks of social engineering scams. Teach them how to identify phishing emails, suspicious phone calls, and other common attack vectors. You should also regularly update employees on the latest security threats and best practices to keep them vigilant. Read our blog for a checklist of ways to optimize your social engineering training program.
- Strong Caller Verification. Organizations should implement robust caller verification processes and should NOT rely on knowledge-based authentication alone. If call centers are used for customer interactions, ensure that callers have to use multiple methods to verify their identities. You should also use tools like Okta in conjunction with call center authentication requirements for added security.
- Advanced Call Fraud Detection. Employ phone printing or similar technologies to analyze phone number origin, the device used for calling, and background noise during calls to try to make it harder for attackers to get access. By detecting anomalies, you can better protect your organization against vishing attacks.
- Conduct Regular Cloud Configuration Reviews. Regularly review cloud service configurations to identify and address security vulnerabilities. Seek third-party experts who specialize in cloud security to provide a fresh perspective and ensure best practices are followed. For more information, check out our AWS security best practices checklist or contact our team for a cloud security assessment.
We hope you found this information on today’s social engineering scams to be helpful. For more information on training, proactive prevention technologies, and policy development and implementation, contact our expert team. We’re ready to help!
This blog is distributed with the permission of LMG Security.
LMG Security is a full-service cybersecurity firm, providing one-stop shopping for a wide array of cybersecurity services. Whether you need virtual CISO or regulatory compliance consulting services, testing, solution integration, training or one of our many other services – our expert team has you covered. Our team of recognized cybersecurity experts has been featured on the Today Show and NBC News, as well as quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.