Social engineering is hardly a new concept, even in the world of cybersecurity. Phishing scams alone have been around for almost 30 years, with attackers constantly finding new ways to trick victims into clicking a link, downloading a file or providing sensitive information.
Business email compromise (BEC) attacks build on this concept, with an attacker gaining access to a legitimate email account and impersonating its owner. The attackers’ rationale is that victims won’t question an email that comes from a trusted source—and they’re too often right.
But email isn’t the only effective tool cybercriminals use to engage in social engineering attacks. Today’s businesses rely on a range of digital applications, from cloud services and VPNs to communication tools and financial services. What’s more, these applications are interconnected, so an attacker who can compromise one can compromise others. Organizations cannot afford to focus exclusively on phishing and BEC attacks—not when business application compromise (BAC) is on the rise.
Single sign-on targeting
Businesses use digital applications because they are useful and convenient. In the age of remote work, employees need access to critical tools and resources from a wide variety of locations and devices. Apps can streamline workflows, increase access to critical information, and make it easier for employees to do their jobs. An individual department within an organization may use dozens of applications, while the average company uses more than 200. Unfortunately, security and IT departments are not always aware of—let alone approve of—these applications, making oversight a challenge.
Authentication is another issue. Creating (and remembering) unique username and password combinations can be a challenge for anyone who uses dozens of different apps to do their jobs. Using a password manager is one solution, but it can be difficult for IT to enforce. Instead, many companies are streamlining their authentication processes through single sign-on (SSO) solutions that allow employees to sign in to an approved account once to access all related applications and services. But because SSO services give users easy access to dozens (or even hundreds) of business applications, they are high-value targets for attackers. SSO vendors have their own security features and capabilities, of course, but human error remains a difficult problem to solve.
Social engineering, evolved
Many applications – and certainly most SSO solutions – have multi-factor authentication (MFA). This makes it harder for attackers to compromise an account, but it’s certainly not impossible. MFA can be annoying for users, who may need to use it to sign into accounts multiple times a day — leading to impatience and sometimes carelessness.
Some MFA solutions require the user to enter a code or show their fingerprint. Others simply ask, “Is that you?” The latter, while easier for the user, gives attackers room to operate. An attacker who has already obtained a set of user credentials can attempt to log in multiple times, even though they know the account is MFA-protected. By spamming the user’s phone with MFA authentication requests, attackers increase the victim’s alert fatigue. Many victims, after receiving a flood of requests, assume IT is trying to access the account, or click “approve” simply to stop the flood of notifications. People are easily annoyed, and attackers use this to their advantage.
In many ways, this makes BAC easier to carry out than BEC. Adversaries conducting BAC simply have to get their victims to make the wrong decision. And by targeting identity and SSO providers, attackers can gain access to potentially dozens of different applications, including HR and payroll services. Commonly used applications such as Workday are often accessed through SSO, allowing attackers to engage in activities such as direct deposit and payroll fraud that can funnel funds directly into their own accounts.
This kind of activity can easily go unnoticed—that’s why it’s important to have network detection tools that can identify suspicious behavior, even from an authorized user account. In addition, businesses should prioritize the use of phishing-resistant Fast Identity Online (FIDO) security keys when using MFA. If FIDO-only factors for MFA are unrealistic, the next best thing is to disable email, SMS, voice, and time-based one-time passwords (TOTP) in favor of push notifications, then configure MFA or identity provider policies to restrict access to managed devices as an additional layer of security.
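The push-flood pattern described above is something a detection rule can catch from identity provider logs alone: a burst of push challenges for one user followed by an approval. The following is an added example written for this article, not code from any vendor; the log format and the sample lines are constructed, and the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider log lines: timestamp, user, event, source IP.
# The format is hypothetical, modelled on a typical SSO/MFA audit export.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z alice push_sent 203.0.113.7
2024-03-04T09:00:09Z alice push_denied 203.0.113.7
2024-03-04T09:00:15Z alice push_sent 203.0.113.7
2024-03-04T09:00:31Z alice push_sent 203.0.113.7
2024-03-04T09:00:47Z alice push_sent 203.0.113.7
2024-03-04T09:01:02Z alice push_sent 203.0.113.7
2024-03-04T09:01:20Z alice push_approved 203.0.113.7
2024-03-04T09:05:00Z bob push_sent 198.51.100.4
2024-03-04T09:05:08Z bob push_approved 198.51.100.4
"""

PUSH_THRESHOLD = 4          # assumed: this many pushes in the window is a flood
WINDOW = timedelta(minutes=5)  # assumed lookback window per user

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events

def find_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: pushes_before_approval} for each user who approved a push
    after receiving at least `threshold` push challenges within `window`.
    A single push followed by an approval (normal login) is not flagged."""
    recent = defaultdict(list)  # user -> timestamps of push_sent still in window
    flagged = {}
    for ts, user, event, ip in sorted(events):
        if event == "push_sent":
            recent[user].append(ts)
            recent[user] = [t for t in recent[user] if ts - t <= window]
        elif event == "push_approved":
            count = sum(1 for t in recent[user] if ts - t <= window)
            if count >= threshold:
                flagged[user] = count  # approval after a flood: likely MFA fatigue
            recent[user].clear()       # the approval closes this burst
    return flagged

if __name__ == "__main__":
    print(find_push_fatigue(parse_log(SAMPLE_LOG)))
```

An alert on a flagged user is a good trigger to terminate the session, invalidate the credential, and review what the session did afterwards, since the login itself looked legitimate to the SSO provider.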
Prioritizing BAC prevention
Recent research shows that BEC or BAC tactics are used in 51% of all incidents. Although less well-known than BEC, a successful BAC gives attackers access to a wide range of business and personal applications associated with the account. Social engineering remains a high-return tool for today’s attackers—one that has evolved alongside the security technologies designed to stop it.
Modern businesses need to educate their employees, teaching them how to recognize the signs of potential fraud and where to report it. As businesses deploy more applications each year, employees must work hand-in-hand with their security teams to help systems stay protected against increasingly insidious attackers.