As I’ve stated a million times before, hackers will try the door handle before ever breaking a window. Nobody wants to work harder than they have to, and adversaries will move onto the next easiest target when they come across one “too tough to hack.” The takeaway? Don’t be the low-hanging fruit.

Nowhere is this more applicable than in low-risk, high-reward social engineering attacks.

A $100 million dollar phone call

Big breaches often come in seemingly innocuous ways, and social engineering ploys are the number one offender. Take the MGM Resorts hack, for instance. Reportedly costing MGM more than $100 million, the attack was critically informed by a ten-minute phone call with an unwitting employee. The attackers managed to steal driver’s license numbers and social security numbers of a large portion of the chain’s loyalty program members. The same group is also attributed with the attack on rival Caesars, who decided to pay at least $15 million in ransom. (MGM supposedly followed the FBI’s advice and has not paid a ransom.)

Talk about an expensive phone call.

Could this have been prevented? Well yes, at least for a while, and not by just refusing to pick up the phone.

The most egregious social engineering tactics

Prepare to be unsurprised. Most social engineering scams are hiding in plain sight, which makes them so effective. And with AI in the mix, they’re harder to spot than ever. However, as recent events show, sometimes it only takes a clever, low-tech tactic to do the trick.

Back in August, Okta issued an advisory to its customers warning about a specific kind of vishing attack – incidentally like the one used on MGM. Unable to thwart MFA logic itself, adversaries go for the next best thing: the settings. In this scenario, a threat actor will engage a help desk employee, trying to get them to reset the multi-factor authentication (MFA) settings for a highly privileged user. Once that’s done, the rest is easy.

Other similar tactics include AI-produced deepfakes that reproduce the face or voice of an employer, a business partner, or a financial institution. Once believed, these scams commonly request payment on an overdue invoice or initiate some other benign financial request. Sometimes the requests are urgent, causing employees to make rash judgments in haste, but the point is that they are non-technical ploys that can drain a company of millions of dollars, all without a single piece of malware.

Simple tactics like this can also be found on social media and professional platforms, springing up like mushrooms as inboxes fill with yet another Bitcoin scheme, “old friend” asking for money, or unsolicited login update requests. Be careful. The Verizon 2023 Data Breach Investigations Report notes that 74% of all breaches are due to human error, and cybercriminals take advantage of the places we let our guard down.

How to thwart social engineering scams

Much like the problem, the solution is fairly simple (in theory). We can train employees and beef up safeguards in case they make a mistake. And we can apply the same protections to ourselves.

Employee Security Awareness Training (SAT) is key for making users aware of what’s out there. At this point, probably over half haven’t even heard of the MGM incident and may not ever. It’s a security echo chamber for us, and we often forget that those within the broader realm of our organizations may be interested in other things.

Take municipal institutions, for example. Schools, water utilities, and local governments have enough on their plate. Security is a passing issue that’s done by IT, and we wish it were that way. Unfortunately, cybercriminals also know where the experts are, and they stay away. Consequently, they’re going around us and straight to the uninformed masses. That’s our problem – we need to inform them.

Secondly, as counterintuitive as it may seem after reading about MFA-targeting attacks, multi-factor authentication is still a reliable source of protection. IT help desk workers can be trained on staying alert for MFA dupes, and that might be a blog for another time. But in the meantime, every user needs to be using it wherever possible.

It’s also our responsibility to utilize authentication methods beyond passwords whenever possible. As IT and cybersecurity leaders, prioritize biometrics, tokenized authenticators, email confirmations, security cards, and even those pesky one-time passwords (OTPs). They work.

Same Old Story

Yes, there are sophisticated hacking methods out there, but most of the time it’s the same old story: Exploit the user. Good news is there are some modern basics like MFA and user training that are relatively painless and inexpensive; at least compared to a $100 million phone call.