I’m a big fan of the TV show “Mr. Robot.” In a nutshell, it’s about a network of hackers who attempt to take down a hugely corrupt corporation. The show touches on a lot of elements integral to the cyber world, such as hacktivism, virtual currencies and the dark web. It’s been hailed by critics and showered with awards.
However, there was one episode in the first season that always bugged me a bit. As Elliot, the main character on “Mr. Robot,” would say, I felt it scratching around in the back of my brain and I couldn’t let it go. A hacker attempts to break into a police precinct’s computer system by simply walking through the parking lot and dropping malicious flash drives all over the place. Eventually, one dim-witted police officer picks one up and puts it into his computer, compromising the network.
As entertaining as this sequence was to watch, something about it always bothered me. Would anyone, let alone a police officer, be so stupid as to pick up a flash drive they randomly found outside the building and stick it into their work computer? It all seemed very flimsy to me and a little bit too convenient.
You can imagine my surprise then, when I was sitting in a conference session last week listening to Frank Abagnale of “Catch Me if You Can” fame describe how he’s performed this trick repeatedly, and it’s worked every time. Perhaps “Mr. Robot” got the idea from him. But Abagnale, who now works as a security consultant, doesn’t do this to police precincts. He does it to Fortune 100 companies.
Every November, the federal government sends Abagnale out to numerous companies to gauge their security. Every time he visits a site, he parks in the visitor parking lot and drops around 40 to 50 flash drives marked ‘Confidential’ all over the place. At lunchtime, he checks his laptop to see how many people picked drives up and put them in their computers. Believe it or not, people just can’t resist the urge to look at this ‘confidential’ information. You can imagine their shock when a message comes up on their screen that says, “This is a test, and you failed.”
Abagnale has yet to visit a Fortune 100 company where someone didn’t do this. “I can tell if they put it in their device and didn’t open it, or they put it in their device and looked at it,” he said. “I remind them later that it could have cost their company $1 billion. Simply because they had to look at it.”
This brings us to Abagnale’s key point, and that is that every data breach—every single one—is the result of human error. It might have been a minor oversight that appeared completely innocuous at the time. But ultimately, someone internally did something they weren’t supposed to do. “There never will be any technology that can prevent social engineering,” he said.
Addressing the issue
So what can companies do to fix the problem? Like other security experts, Abagnale stressed the importance of education. He recounted the story of a company bookkeeper who appeared to receive an email from his CEO, asking for all of the company’s W-2 forms to be sent over. The employee sent the file, and then several days later, sent a follow-up email to the CEO, making sure he didn’t need anything else. The CEO responded that he never asked for those W-2s.
Scams like this one—known as business email compromise (BEC) scams—can be easily avoided if you simply place a call to the party requesting the information and make sure that they are the ones who are really emailing you. But if you’ve never heard of this type of scheme before, and if your company has provided no training on it, there’s a good chance you’ll fall for it.
Companies need to educate their employees on these and other scams, and a great place to start is AFP’s guides on the subject. In the past two years, we’ve released a Payments Security Guide and a Treasury in Practice Guide on BEC scams. If you’re not sure what to tell your staff members to look for, these guides can show you all the telltale signs.
Like Abagnale said, technology won’t save your company’s money from social engineering schemes. Only you can do that—by making sure your people don’t take the bait.