TASB Risk Management Fund

Beyond Digital Defenses

April 14, 2020 Lucas Anderson

Social engineering and the psychology of cybercrime

It only takes a quick look at recent headlines to realize that cybercriminal activity is on the rise. According to an annual cybersecurity report from CPO Magazine (a leading publication on data privacy and protection), in the US alone, there is a ransomware attack every 14 seconds. On top of that, education has been the most targeted industry for ransomware attacks since 2016. In fact, at least 500 schools were successfully infected with ransomware last year.

Those are frightening figures, but they’re even more disturbing when you realize that only an estimated 10 percent of cybercriminal activity is likely being reported.

While those numbers might have you running to increase the size of your IT department or purchase the latest and greatest firewall or antivirus protection, it’s important to keep in mind that cybersecurity is not only a digital issue. The common thinking that technological problems must have technological solutions ignores one of the most crucial components of strong cybersecurity: people.

Con artists with computers

When trying to improve your overall network security, it can be helpful to see hackers for what they really are. Though they sometimes use relatively sophisticated pieces of malicious software (malware), they’re basically con artists with computers. Understanding hackers in this way allows us to better inform staff how to recognize traps that often lead to network compromise.

Think about it. Why would cybercriminals spend the time and money to try to gain access to your system when they can simply fool an unsuspecting person on your staff?

Hackers use the same tricks that more traditional con artists have used for centuries. Fear, greed, carelessness, and the perception of authority are the emotional tools that they use to “socially engineer” their victims into giving up sensitive information.

Let’s examine a few recent instances where these techniques were used by cybercriminals.

Phishing: What happened to a school district in Manatee County, Florida

In February 2017, Manatee ISD was hit by a “Business Email Compromise (BEC)/W2” phishing scam. Phishing uses email, telephone, or text messages designed to appear like they are from legitimate institutions to lure victims into giving up sensitive data. This particular BEC scam is an ongoing cybercriminal operation that targets school districts, tribal casinos, chain restaurants, temp agencies, and even healthcare service providers.

So, what happened? A cybercriminal sent a message that forged the superintendent’s email address (referred to as spoofing) to district HR and finance staff members. The phony superintendent then requested the W2s of the entire Manatee ISD staff.

Unfortunately, district personnel took the bait. The hacker received the tax information for all 7,500 employees. As a result, the employees filed (and won) a $300,000 class-action lawsuit. The district was required to purchase an $80,000 policy for several years of identity-theft monitoring for the impacted staff members. One of the employees responsible was reprimanded, and another was removed from her position.

How was it that this cybercriminal was successful? He did spoof the email address via technical means; however, the key to his success was emotional pressure. The employees in HR and finance saw an email from the “superintendent” and instead of thinking, “Why would he want all those W2s?” they thought, “If the superintendent needs something, we’ll get it done immediately.”

The hacker counted on the fear of doing a bad job, the perception that an authority figure made the request, and the inattention of employees to achieve his objectives.

Fraudulent invoicing: Scott County Schools, Kentucky

In April 2019, Scott County Schools were targeted by an “outstanding invoice/fraudulent instruction” attack. The hacker did some research to find out which third-party vendor the school was using for a construction project. At that point, it was simple to spoof an email, create false documentation, masquerade as the vendor, and demand a payment of $3.7 million.

The hacker created additional pressure by saying that the payment was two weeks overdue. In response, the finance staff panicked and, at the request of the “vendor,” set up a new account for immediate funds transfer. Luckily, in this case, the district contacted the FBI within hours of the attack, and they were able to recover the entire payment.

Again, there was a digital component here (email spoofing), but the scam succeeded by using fear, perceived authority, and carelessness.

Cybercrime in Texas public schools

Texas school districts have not been immune to attacks. In January 2020, a school district in Central Texas suffered a phishing attack. The hacker spoofed emails, fabricated a trusted identity, and completed three separate transactions resulting in a $2.3 million loss.

The local police department is working with the FBI and has recovered approximately $800,000 of the loss. Meanwhile, law enforcement has several strong leads and hopes to recover additional funds.

Once again, these criminals did not need to use sophisticated software to execute their attack. They used fear, trust, and the inattention of employees to get what they wanted.

How school districts can protect themselves from cybercrime

Cybercrime is not going to disappear anytime soon because we live in such a digitally connected world. Social engineering attacks are on the rise because they are easy to launch and have the potential for large payouts.

What can districts do to prevent these attacks? Here are some tips:

  • Train your staff to recognize forged and spoofed emails. This can be done using general cybersecurity awareness training.
  • Develop a staff culture of cybersecurity. A healthy amount of suspicion of every attachment, every link, and every request for a payment modification is key to developing a cybersecurity culture at your organization. Especially think twice when a contact seems to be applying emotional pressure.
  • Institute an additional verification policy for any requests to modify payment methods, routing numbers, or the like. Staff should always check with a district supervisor and verify with third-party vendors before making large payments or changing payment arrangements.
  • Configure a Data Loss Prevention (DLP) tool. DLPs work with your email security to scan for sensitive information. They can prevent such data from leaving your network by accident.
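The traits of the spoofed requests described in the cases above, and the kind of outbound scan a DLP tool performs, sketched as an added example (not code from the original article or from TASB). The domain `district.example`, the sample messages, and the keyword lists are constructed assumptions, and only single-part plain-text mail is handled.

```python
import re
from email import message_from_string
from email.utils import parseaddr

DISTRICT_DOMAIN = "district.example"  # assumption: placeholder for the district's mail domain
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PRESSURE_RE = re.compile(r"\b(urgent|immediately|overdue|asap|right away)\b", re.I)
PAYROLL_RE = re.compile(r"\b(w-?2s?|routing number|wire transfer|bank account)\b", re.I)

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Superintendent <superintendent@district.example>
Reply-To: Superintendent <super.office@mailbox.example>
To: hr@district.example
Subject: W2s needed
Authentication-Results: mx.district.example; spf=fail; dmarc=fail

I need the W-2s for all staff immediately.
"""
REPLY = """\
From: hr@district.example
To: super.office@mailbox.example

Employee 1: 123-45-6789
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def inbound_flags(raw):
    """List the traits of a spoofed 'authority' request found in a received message."""
    msg = message_from_string(raw)
    body, auth = msg.get_payload(), (msg.get("Authentication-Results") or "").lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    if from_dom == DISTRICT_DOMAIN and re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        flags.append("internal sender failed authentication")
    if reply_dom and reply_dom != from_dom:
        flags.append("replies go to a different domain")
    if PRESSURE_RE.search(body) and PAYROLL_RE.search(body):
        flags.append("urgent request for payroll or payment data")
    return flags

def outbound_blocked(raw):
    """DLP-style check: hold mail leaving the district that carries SSN-shaped data."""
    msg = message_from_string(raw)
    external = domain_of(msg.get("To")) != DISTRICT_DOMAIN
    return external and bool(SSN_RE.search(msg.get_payload()))
```

Any one flag is a reason to verify the request through a separate channel before acting on it; the outbound check is the last line of defense if that verification is skipped.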

Cybercrime terms to know

Other cybercrime terms you might want to be familiar with in case you hear them include the following:

  • Ransomware: A form of extortion in which malware is designed to deny access to a computer system or data until a ransom is paid
  • Phishing: Sending emails pretending to be from reputable senders in order to get individuals to:
    • Reveal personal or sensitive information
    • Visit malicious websites
    • Open corrupt attachments
  • Spear phishing: More sophisticated form of phishing in which an attacker develops a profile of a specific target in order to gain the target’s trust and improve chances of a successful attack
  • Whale phishing: Form of phishing in which malicious actors target high-level users, such as CEOs, superintendents, or users with administrative rights
  • Vishing: Practice of making fraudulent phone calls or leaving voice messages pretending to be from reputable companies to gain access to sensitive information or give fraudulent instruction

Being familiar with these terms can help you recognize them if they happen to you.

Republished with permission from the April 2020 edition of Texas Lone Star magazine, published by the Texas Association of School Boards.
