In September 2023, the MGM Resorts International casino
and hotel chain was the victim of a major cybersecurity attack. The attackers
gained access to the company's network and stole the personal information of
over 10 million customers.
The attack is
believed to have started with a social engineering attack. Social engineering
is a type of cyberattack that relies on human manipulation to gain access to
sensitive information or systems. Attackers may use a variety of techniques,
such as phishing emails, phone calls, or in-person interactions, to trick
victims into revealing confidential information or performing actions that
compromise security.
In the case of the MGM attack, the
attackers are believed to have used a phishing email to gain access to the
company's network. The email may have appeared to be from a legitimate source,
such as a company executive or vendor. It may have contained a request for
sensitive information, such as login credentials.
Once the attackers had access to the MGM
network, they were able to steal the personal information of millions of
customers. This information included names, addresses, phone numbers, and dates
of birth. The attackers may also have stolen credit card numbers and Social
Security numbers.
The MGM cybersecurity event is a reminder
of the importance of cybersecurity for businesses of all sizes. It also
highlights the need for employees to be aware of social engineering attacks and
how to protect themselves from them.
What is social engineering?
Social engineering is a type of
cyberattack that relies on human manipulation to gain access to sensitive
information or systems. Attackers may use a variety of techniques, such as
phishing emails, phone calls, or in-person interactions, to trick victims into
revealing confidential information or performing actions that compromise
security.
Why is social engineering so effective?
Social engineering attacks are effective
because they exploit human vulnerabilities. For example, attackers may try to
prey on our tendency to trust others or our desire to be helpful. Additionally,
social engineering attacks can be difficult to detect because they often require
no technical exploit, so there is little for technical controls to flag.
Social Engineering: Business Email Compromise
In 2022, the IC3
received 21,832 BEC complaints with adjusted losses over $2.7 billion. BEC is a
sophisticated scam targeting both businesses and individuals performing
transfers of funds. The scam is frequently carried out when a subject
compromises legitimate business email accounts through social engineering or
computer intrusion techniques to conduct unauthorized transfers of funds.
The scheme has evolved
from simple hacking or spoofing of business and personal email accounts and a
request to send wire payments to fraudulent bank accounts. These schemes
historically involved compromised vendor emails, requests for W-2 information,
targeting of the real estate sector, and fraudulent requests for large amounts
of gift cards.
There was also an
increasingly prevalent tactic by BEC bad actors of spoofing legitimate business
phone numbers to confirm fraudulent banking details with victims. This growing use
of spoofed phone numbers emphasizes the importance of
leveraging two-factor or multi-factor authentication as an additional security
layer. Procedures should be put in place to verify payments and purchase
requests outside of e-mail communication. These can include direct phone calls, but
only to a known, verified number, never to a phone number or other contact
information included in the e-mail itself.
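As an added example (not from the newsletter or Vector Choice), the callback control described above in Python: a payment or banking-change request extracted from an e-mail is checked against a vendor master record, and the callback number is always drawn from that record, never from the e-mail. The vendor name, account numbers, phone numbers and domain are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master data, established before any request arrived."""
    name: str
    bank_account: str
    phone: str           # the verified contact number to dial for callbacks
    email_domain: str


@dataclass(frozen=True)
class PaymentRequest:
    """Fields extracted from an incoming payment or banking-change e-mail."""
    vendor: str
    bank_account: str    # account the e-mail asks to be paid
    callback_phone: str  # number the e-mail offers "to confirm the change"
    sender_domain: str


# Constructed vendor master record (hypothetical vendor, not from the newsletter).
VENDOR_MASTER = {
    "acme supply": VendorRecord("Acme Supply", "US-12345678", "+1-555-0100", "acme-supply.example"),
}


def normalize_phone(number: str) -> str:
    """Compare phone numbers on digits only so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


def verify_request(req: PaymentRequest) -> dict:
    """Decide whether a request can be paid as-is or must be held for a callback.

    The returned callback number is ALWAYS taken from the vendor master record,
    never from the e-mail: a spoofed caller ID or a number planted in the message
    cannot influence which number accounts payable dials.
    """
    record = VENDOR_MASTER.get(req.vendor.lower())
    if record is None:
        return {"decision": "hold", "reasons": ["vendor not in master data"], "callback_to": None}
    reasons = []
    if req.bank_account != record.bank_account:
        reasons.append("bank account differs from vendor master")
    if req.sender_domain.lower() != record.email_domain:
        reasons.append("sender domain differs from vendor domain on file")
    if normalize_phone(req.callback_phone) != normalize_phone(record.phone):
        reasons.append("callback number in e-mail differs from number on file")
    decision = "hold" if reasons else "approve"
    return {"decision": decision, "reasons": reasons, "callback_to": record.phone}
```

Even an "approve" result still carries the number on file, so a callback for high-value payments can be made to that number regardless of what the e-mail says.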
How can you protect your business from social engineering attacks?
There are a number of
things that businesses can do to protect themselves from social engineering
attacks, including:
- Educate employees about social engineering attacks. Employees
should be aware of the common techniques that attackers use and how to
identify and report suspicious activity.
- Implement strong security policies and procedures. Security
policies should cover topics such as password management, email security,
and physical security.
- Use security technologies to protect your network and
systems. Security technologies such as firewalls, intrusion detection
systems, and web content filtering can help to block malicious traffic and
protect your data.
Here are some additional tips for protecting your business from social engineering attacks:
- Be suspicious of unsolicited emails and phone calls. If
you receive an email or phone call from someone you don't know, be
suspicious, especially if they ask for sensitive information.
- Verify the identity of the sender before responding. If
you are unsure about the legitimacy of an email or phone call, contact the
sender directly using a known contact method.
- Do not open suspicious attachments or click on links in unsolicited emails. Malicious attachments and links can contain malware that can infect your computer or network.
- Keep your software up to date and use strong passwords. Software updates often include security patches that can help to protect your systems from known vulnerabilities. Use strong passwords and two-factor authentication (2FA) to protect your online accounts.
Cybersecurity Tech Tip
A Reminder About Vishing
Vishing, or voice phishing, is a type of phishing attack that uses the telephone to trick people into revealing sensitive information. This week, two Las Vegas casino organizations, MGM and Caesars, were both victims of vishing attacks.
In the MGM case, the attackers were able to gain access to the company's systems by calling the IT help desk and impersonating an employee. They convinced the help desk representative to hand over the impersonated employee's login credentials, which they then used to access the company's network.
Vector Choice offers employee training to help fortify your company's cybersecurity defense. Interested in learning more? Please click here to register for our 10 Minute Discovery Call and find out how we can help your business.