In September 2023, the MGM Resorts International casino and hotel chain was the victim of a major cybersecurity attack. The attackers gained access to the company's network and stole the personal information of over 10 million customers.
The attack is believed to have started with a social engineering attack. Social engineering is a type of cyberattack that relies on human manipulation to gain access to sensitive information or systems. Attackers may use a variety of techniques, such as phishing emails, phone calls, or in-person interactions, to trick victims into revealing confidential information or performing actions that compromise security.
In the case of the MGM attack, the attackers are believed to have used a phishing email to gain access to the company's network. The email may have appeared to be from a legitimate source, such as a company executive or vendor. It may have contained a request for sensitive information, such as login credentials.
Once the attackers had access to the MGM network, they were able to steal the personal information of millions of customers. This information included names, addresses, phone numbers, and dates of birth. The attackers may also have stolen credit card numbers and Social Security numbers.
The MGM cybersecurity event is a reminder of the importance of cybersecurity for businesses of all sizes. It also highlights the need for employees to be aware of social engineering attacks and how to protect themselves from them.
What is social engineering?
Social engineering is a type of cyberattack that relies on human manipulation to gain access to sensitive information or systems. Attackers may use a variety of techniques, such as phishing emails, phone calls, or in-person interactions, to trick victims into revealing confidential information or performing actions that compromise security.
Why is social engineering so effective?
Social engineering attacks are effective because they exploit human vulnerabilities. For example, attackers may try to prey on our tendency to trust others or our desire to be helpful. Additionally, social engineering attacks can be difficult to detect because they often do not involve any technical expertise.
Social Engineering: Business Email Compromised
In 2022, the IC3 received 21,832 BEC complaints with adjusted losses over $2.7 billion. BEC is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts. These schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.
There was also an increasingly prevalent tactic by BEC bad actors of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims. With this increased tactic of "spoofed" phone numbers it emphasizes the importance of leveraging two-factor or multi-factor authentication as an additional security layer. Procedures should be put in place to verify payments and purchase requests outside of e-mail communication and can include direct phone calls but to a known verified number and not relying on information or phone numbers included in the e-mail communication.
How can you protect your business from social engineering attacks?
There are a number of things that businesses can do to protect themselves from social engineering attacks, including:
- Educate employees about social engineering attacks. Employees should be aware of the common techniques that attackers use and how to identify and report suspicious activity.
- Implement strong security policies and procedures. Security policies should cover topics such as password management, email security, and physical security.
- Use security technologies to protect your network and systems. Security technologies such as firewalls, intrusion detection systems, and web content filtering can help to block malicious traffic and protect your data.
Here are some additional tips for protecting your business from social engineering attacks:
- Be suspicious of unsolicited emails and phone calls. If you receive an email or phone call from someone you don't know, be suspicious, especially if they ask for sensitive information.
- Verify the identity of the sender before responding. If you are unsure about the legitimacy of an email or phone call, contact the sender directly using a known contact method.
- Do not open suspicious attachments or click on links in unsolicited emails. Malicious attachments and links can contain malware that can infect your computer or network.
- Keep your software up to date and use strong passwords. Software updates often include security patches that can help to protect your systems from known vulnerabilities. Use strong passwords and two-factor authentication (2FA) to protect your online accounts.
IC3 BY THE NUMBERS
Cybersecurity Tech Tip
A Reminder About Vishing
Vishing, or voice phishing, is a type of phishing attack that uses the telephone to trick people into revealing sensitive information. This week, two Las Vegas casino organizations, MGM and Caesars, were both victims of vishing attacks.
In the MGM case, the attackers were able to gain access to the company's systems by calling the IT help desk and impersonating an employee. They were able to convince the help desk representative to give them their login credentials, which they then used to access the company's network.
Vector Choice offers employee training to help fortify your company's cybersecurity defense. Interested in learning more please click here to register for our 10 Minute Discovery Call to find out how we can help your business.