With all the news lately about hackers and security breaches, we thought it would be a good idea to initiate a new series highlighting common security vulnerabilities of businesses. Every couple of weeks we’ll explore a specific scenario and offer technology recommendations, as well as some insider tips on how executives can minimize these potential risks within their company.
Today we’ll focus an attack that has is picking up the pace recently; the man in the middle attack. Although this has been around for a long time, the attackers have evolved and are becoming a little harder to spot. Until it’s too late that is!
Basically the attack goes like this:
- A hacker will get a hold of an executives email username and password. This can be accomplished in a number of ways, but one way or another they get it.
- Over time the hacker monitors the email conversations of that executive, and learns how to speak like them.
- The hacker then waits for a triggering event, which is usually an executive going on a trip.
- At this time, the attack is initiated.
- The hacker cuts off email to the executive, and communicates directly to the main office pretending to be the executive.
- The hacker will typically ask for either some sensitive information, or come up with some excuse the executive needs money to be wired to them. Of course they’ll say it is Urgent!
- Someone from the internal office sends the information or money, and they got you!
Once the information has been provided, or the money has been wired, the hacker may either try to repeat the process until discovered, or will disappear immediately. Either way it is too late to do anything; your info and money are long gone.
How to combat this attack
The best way to minimize the risk of this attack is through internal policy and education. Whenever employees are out of the office or traveling you should enforce a policy that requires verification for any requests for sensitive information, or money. If the request is made by phone, it is verified in email. If the request is made by email, the verification is by phone. For an additional level of protection the verification process can also include predetermined passcode that both parties can use to confirm the authenticity of the request. If you add this extra layer, make sure the passcode changes immediately after it is used.
Additionally, all employees of the company should be familiar with this type of attack, and should involve executives or business owners before providing any information or money to the requestor. Follow the proper due diligence and you’ll be much less likely to fall for this type of attack!