Social engineering via "phishing" attacks at the intersection of OEM vendors and brand owners/CPGs is getting more sophisticated, according to Jerry Cupo, Director of Technology, All Fill Inc.; Ben Hearn, Director of IT Operations, ProMach; Praveen Rokkam, Chief Information Officer, Delkor Systems Inc.; and Andy Lomasky, IT Director, PMMI.
“Security is everyone’s job,” says Ben Hearn, Director of IT Operations, ProMach. “Our employees are the first line of defense.” But, the panel agreed, all it takes is one employee out of many, on one day out of many, to make a mistake. And the threats are getting sharper.
According to Rokkam, phishing is the most common ‘nuisance’-level attack. Ransomware attacks are what really keep IT pros up at night, so phishing, historically an easy-to-spot attack, hasn't always been a top-of-the-food-chain threat. But according to Hearn, these attacks have become a lot more sophisticated over the last few years.
“A phishing attack means they get control, but you won’t necessarily know it immediately. More sophisticated attackers wait and watch for their opportunity within an email conversation, for example,” he says. “Access to a conversation is all an attacker needs; then they wait and watch.”
Consider a long conversation with an OEM vendor where, after a successful SAT, you reach the discussion of payment. That’s the point in the conversation where the attacker pounces.
After agreeing to payment terms with your OEM vendor, imagine receiving an email that visually appears to be from your contact. But this time, the message is something along the lines of, “Our bank account info has changed. Please send it to this account instead.” It seems like a typical enough request: people change bank accounts all the time, and you know this person. But did you notice that the sender's email address was different from that of the person you knew, maybe by only one letter or a period?
Rokkam and Lomasky both described this precise scenario occurring in organizations for which they have worked. Luckily, both caught their respective attacks before any bills were diverted to “Hong Kong bank accounts.” That’s what the panel calls a social engineering attack, and it can only be defeated by employee vigilance: no security product exists that can totally eliminate an attack that plays on human behavior within a trusted conversation. According to the panel, training and educating employees to maintain vigilance is key.
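The panel's point is that vigilance, not a product, stops this attack, but the one concrete tell in the scenario above (a sender address off by a single letter or period) is something a mail filter can surface so a person is prompted to verify before paying. The following is an added example, not code from the article or from any of the panelists' companies; the vendor contact list, the bank-change phrases and the sample messages are constructed, and the `hold`/`verify`/`deliver` actions are a hypothetical workflow. It flags a payment-change request whose sender is a near match for a known contact and routes it for out-of-band confirmation.

```python
"""
Lookalike-sender check for payment-change emails (added example, constructed data).

Flags a message whose From address nearly matches a known vendor contact
(one character or one dot different) and whose body asks to redirect payment,
the scenario the panel described.
"""
import re
from email.utils import parseaddr

# Vendor contacts with an established relationship (constructed sample list).
KNOWN_CONTACTS = {
    "j.smith@example-oem.com",
    "accounts@example-oem.com",
}

# Phrases that typically accompany a bank-detail change request (constructed list).
PAYMENT_CHANGE_PATTERNS = [
    r"bank account (info|information|details?) (has|have) changed",
    r"(send|remit|wire) .* (to|into) (this|the new) account",
    r"updated (wire|remittance|banking) (instructions|details)",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character insertions, deletions or substitutions."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_CONTACTS) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the address in a From header.

    The display name is ignored on purpose: a spoofed message usually carries the
    real contact's name, and only the address behind it differs.
    A lookalike is within one edit of a known address, or equal to it once dots
    are removed (j.smith vs jsmith).
    """
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if addr in known:
        return "known"
    for k in known:
        if levenshtein(addr, k) <= 1 or addr.replace(".", "") == k.replace(".", ""):
            return "lookalike"
    return "unknown"


def requests_payment_change(body: str) -> bool:
    """True if the body contains a bank-detail or remittance change request."""
    text = " ".join(body.lower().split())
    return any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS)


def review_message(from_header: str, body: str) -> dict:
    """Hypothetical workflow verdict.

    'hold'    -> sender is not an exact known contact and asks to redirect payment;
                 confirm by phone using a number already on file, never one in the email.
    'verify'  -> a genuine contact asks to change bank details; still confirm
                 out of band, since a real contact's mailbox can be compromised.
    'deliver' -> no payment-change request detected.
    """
    sender_class = classify_sender(from_header)
    payment_change = requests_payment_change(body)
    if payment_change and sender_class != "known":
        action = "hold"
    elif payment_change:
        action = "verify"
    else:
        action = "deliver"
    return {"sender_class": sender_class, "payment_change": payment_change, "action": action}


if __name__ == "__main__":
    # Constructed sample: the spoofed address drops the dot the real contact uses.
    body = "Our bank account info has changed. Please send it to this account instead."
    print(review_message("Jane Smith <jsmith@example-oem.com>", body))
    print(review_message("Jane Smith <j.smith@example-oem.com>", body))
```

The check deliberately treats even an exact known sender's bank-change request as needing verification, because the page's point is that the attacker is sitting inside a trusted thread; the lookalike test only catches the one-letter variant the panel described, while the out-of-band call covers the case where the real mailbox itself was taken over.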