Cyberwire Talks with Avi Solomon about Social Engineering and the Importance of Training
06.17.19
In a podcast interview with Cyberwire, Avi Solomon discusses a social engineering case study in which a $1 million settlement was kept from falling into the wrong hands. Solomon describes how an odd request in the middle of a long email exchange raised a red flag for the attorney involved. She had been corresponding with opposing counsel to work toward a settlement agreement, and the exchange went back and forth for days, even weeks.
"The attorney on the other side kept trying to find a way for our attorney to engage in a financial transaction. We knew it was winding down. We were getting ready, and so could they do an electronic funds transfer? Could they do a money wiring? And it just so happens that the particulars of this case didn't really allow for that. And so ultimately, what was needed was a check to be cut. And when the address was put in for the check to be cut, it immediately set off an alarm to our attorney who looked at it. And knowing a little bit about the firm she was dealing with, the address didn't quite make sense," he explained.
He went on to explain that there is really no technological defense against this type of attack. When the request looked suspicious, the attorney did what she had been trained to do: she picked up the phone and called the attorney on the other side rather than replying by email.
"When she asked him, why are you having us send the settlement in this direction? What's the purpose of that? To which he responded, I have no idea what you're talking about. And that's what sort of unraveled this entire story," said Solomon.
Solomon noted that constant, repeated training is what helped the attorney look with a much more careful eye at anything that stood out.
"You should question even known good entities and known good parties. Just because you've had a conversation with somebody doesn't mean that every message is absolutely clean. And so therefore, when you're dealing with a very important activity such as the transference of money, secretive business or personal information, or organizational management decisions that are not for public consumption, it's important to make sure that you verify the information."
He recommends using another method of communication whenever there's something questionable. "It's what I call the multi-factor authentication of a conversation. And this was a key that this attorney did. She didn't just simply email back to the attorney. She actually picked up the phone and spoke to the person, and that was, as I often talk about, multi-factor authentication in the environment in general, this was a form of multi-factor authentication in a transference of funds."
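The out-of-band check Solomon describes, written up as an added example that is not from the podcast or from Cyberwire. The payee record, phone numbers and suspect email below are constructed sample data, and the rule the code enforces is an assumption drawn from the story: any change to a payment destination must be confirmed by calling the number already on file, never a number supplied by the email being checked.

```python
# Added example (not from the podcast or Cyberwire): a gate for payment-instruction
# changes that enforces the "multi-factor authentication of a conversation" idea.
# All payee records, phone numbers and requests below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PayeeRecord:
    """Details verified when the relationship was set up, independent of any email."""
    name: str
    mailing_address: str
    callback_phone: str  # the number we dial; never taken from the thread


@dataclass
class PaymentRequest:
    """What the email thread is asking us to do."""
    payee_name: str
    destination: str                      # address (or account) the message says to use
    phone_in_email: Optional[str] = None  # any number the message itself offers


@dataclass
class Decision:
    action: str                           # "pay", "callback_required" or "reject"
    callback_number: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def normalize(text: str) -> str:
    """Collapse case and whitespace so trivial reformatting does not hide a change."""
    return " ".join(text.lower().split())


def evaluate(req: PaymentRequest, on_file: Dict[str, PayeeRecord]) -> Decision:
    """Compare the request against the record on file; never trust the thread alone."""
    record = on_file.get(normalize(req.payee_name))
    if record is None:
        return Decision("reject", reasons=["payee not on file; onboard out of band first"])

    reasons = []
    if normalize(req.destination) != normalize(record.mailing_address):
        reasons.append("destination differs from the record on file")
    if req.phone_in_email and normalize(req.phone_in_email) != normalize(record.callback_phone):
        # Whoever controls the thread also controls any number it offers, so it is ignored.
        reasons.append("email offers a different callback number; it is ignored")

    if reasons:
        # The second factor is a voice call to the number on file, not a reply email.
        return Decision("callback_required", record.callback_phone, reasons)
    return Decision("pay", reasons=["destination matches the record on file"])


def finalize(decision: Decision, confirmed_by_phone: bool) -> Decision:
    """Resolve a callback: a live confirmation releases payment, anything else rejects."""
    if decision.action != "callback_required":
        return decision
    if confirmed_by_phone:
        return Decision("pay", decision.callback_number,
                        decision.reasons + ["change confirmed on the phone number on file"])
    return Decision("reject", decision.callback_number,
                    decision.reasons + ["counterparty did not recognize the request"])


# Constructed sample data: the record on file for opposing counsel, and the suspect email.
ON_FILE = {
    "opposing counsel llp": PayeeRecord(
        name="Opposing Counsel LLP",
        mailing_address="100 Main Street, Suite 400, Springfield",
        callback_phone="+1-555-0100",
    )
}

SUSPECT_EMAIL = PaymentRequest(
    payee_name="Opposing Counsel LLP",
    destination="PO Box 9123, Elsewhere",   # an address that "didn't quite make sense"
    phone_in_email="+1-555-0199",           # supplied by the thread; must not be dialled
)

if __name__ == "__main__":
    first = evaluate(SUSPECT_EMAIL, ON_FILE)
    print(first)
    # In the case above the counterpart said "I have no idea what you're talking about".
    print(finalize(first, confirmed_by_phone=False))
```

The design choice that matters is that the callback number comes from the record on file, not from the message being verified: a number offered in the email is at best ignored and at worst a sign that the thread itself is compromised. The code only encodes the procedure; the call still has to be made, and the person making it still has to notice that the request is odd in the first place.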
To read the full transcript or listen to the podcast, visit the #HackingHumans story at Cyberwire.