Trucking cybersecurity starts with people, not just firewalls. From fake invoices to phony IT calls, cybercriminals are tricking employees to gain access. Here’s what fleets need to know.
This isn’t your grandad’s phishing lure.
While the art of the con has not changed much, the tools and techniques being used by cybercriminals have. And trucking operations may be especially at risk of succumbing to what's called "social engineering."
Gone (as in filtered out, for the most part) are the infected attachments, the dodgy links to online sweepstakes prizes, and claims of a pending inheritance from a foreign royal if you “just send $500 in gift cards” for processing first.
These cybersecurity threats have been replaced by domain-specific and industry-appropriate business communications designed to get through modern email filters.
There are rate quote requests, requests for non-disclosure agreements (NDAs) or other documentation exchanges, outstanding invoice notifications, and contract negotiations, all gradually steered toward malicious payload deployments by skilled social engineers.
We are also seeing these attacks more frequently via phone call or text, further reducing email’s perceived monopoly on malicious communications.
The modern cybercriminal is increasingly relying on human weaknesses, not technical exploits, to accomplish their actions on objectives.
Our defensive technology has grown exponentially more capable of detecting malicious code, dangerous links, or even overtly manipulative content in our communications. However, the attackers have also adapted. They are using sophisticated psychological manipulation and the power of our innate trust in one another to attack us.
Look, Ma! No Exploits Required!
Take, for example, the threat actor group known as Scattered Spider. This group has been successfully targeting large enterprises across multiple industries with attacks that have nothing to do with technical exploitation.
These cybercriminals begin by impersonating internal IT support staff (“help desks”) and contacting employees over phone or text. Once they gain the trust of their target, they trick them into revealing credentials and installing remote assistance tools that enable remote access into the target’s corporate network.
They will then take this one step further and trick the target into providing them with multi-factor authentication codes as they compromise accounts with the stolen credentials — gaining complete access within the target environment, no technical vulnerabilities required.
It is also important to note here that the role the target has in the organization is not always one that makes them an “obvious” target.
A way in is a way in for these cybercriminals, so anyone from a maintenance tech to a dispatcher to the CFO is fair game. They will simply use the original point of compromise as a springboard from which to pivot toward their ultimate target inside the organization’s network, whether that’s data theft, ransomware deployment, or installation of additional malicious tools.
Trucking is a Target-Rich Environment for this Cybercrime Tactic
In trucking, we are all operating at a fast pace, all the time. Plans often need to be adjusted at the last minute. “Fires” crop up all over the place that are addressed with a sense of urgency throughout any given work shift.
All this creates a prime targeting environment for cybercriminals using social engineering.
Couple that with the human-to-human trust and relationships that the average trucking company relies on and that are core to our industry. Trucking is a relationship industry, and not too long ago it was standard practice to execute contracts with a handshake and an agreement.
Unfortunately, these factors are rapidly becoming our Achilles heel in transportation. Trust is easily abused by malicious actors, and speed is often the enemy of caution.
Preventing social engineering attacks requires, above all else, an awareness of three things:
Everyone is a potential target, in every organization (not just the big ones).
Speed, a sense of urgency, and the illusion of trust are central to these attacks.
Documented processes matter.
Prioritize Security-Conscious Internal Processes
Organizations can fight this threat by developing stronger defensive training and policies, as well as prioritizing the documentation of and adherence to security-conscious internal processes.
For example, regulate how technical support may interact with internal users, and train all internal users (based on role) on what those processes are, not just IT staff. This gives everyone in an organization a shared understanding of what “normal” processes and requests should look like, making it easier to spot exceptions. This is an effective way to trip up social engineers in the early phases of an attack.
If all users know that IT will never ask them for a set of credentials, and IT knows never to ask an end user for a set of credentials, then what will happen when a caller claims to be “from IT” and asks for credentials? They will unmask themselves as a malicious actor and trigger a defensive response from the target.
The same applies to all other business processes.
Consider financial teams. They must be trained in acceptable processes and procedures within the company, and all other teams must be aware of what is considered acceptable communication to and from the financial teams.
Again, this elevates the likelihood of early recognition of a social engineering attempt: Asking for an account number change over email? Alarm bells! That is not our procedure: changes to accounts must use an internal form and be co-approved by someone on the list of approved individuals.
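To show what the account-change rule above looks like when it is written down as a check rather than left to memory, here is an added example (not code from the original article or from NMFTA) that evaluates a payment-detail change request against three assumed process requirements: it arrived through the internal form, it carries a co-approval from someone on an approver list, and the submitter did not approve their own request. The approver addresses, channel name and urgency words are constructed placeholders; a fleet would substitute its own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholders standing in for a fleet's own approver list and
# change channel; replace these with the real process definitions.
APPROVED_COAPPROVERS = {"controller@fleet.example", "cfo@fleet.example"}
REQUIRED_CHANNEL = "internal_form"
# Pressure language is a hallmark of social engineering; it does not reject a
# request on its own, but it does trigger an out-of-band check.
URGENCY_WORDS = ("urgent", "asap", "immediately", "today", "before close")


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    channel: str                      # "email", "phone", "text", "internal_form"
    submitted_by: str
    coapproved_by: Optional[str] = None
    note: str = ""                    # free text that came with the request


def evaluate(req: ChangeRequest) -> Tuple[str, List[str]]:
    """Return ("approve" | "reject" | "verify", reasons).

    Process violations reject outright. Urgency language alone puts the
    request on hold for a callback to a phone number already on file
    (never a number supplied in the request itself).
    """
    violations: List[str] = []
    if req.channel != REQUIRED_CHANNEL:
        violations.append(
            f"arrived via {req.channel}; only {REQUIRED_CHANNEL} is accepted")
    if req.coapproved_by is None:
        violations.append("no co-approval recorded")
    elif req.coapproved_by not in APPROVED_COAPPROVERS:
        violations.append(
            f"co-approver {req.coapproved_by} is not on the approved list")
    elif req.coapproved_by == req.submitted_by:
        violations.append("submitter cannot co-approve their own request")
    if violations:
        return "reject", violations

    lowered = req.note.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        return "verify", [
            "urgency language present; confirm by callback to the number on file"]
    return "approve", []


if __name__ == "__main__":
    # Constructed sample: the classic emailed "please update our bank details".
    emailed = ChangeRequest("Acme Tires", "9988-7766", "email",
                            "ap.clerk@fleet.example",
                            note="Please update before close today")
    print(evaluate(emailed))
```

The point of the `verify` outcome is that the process still works for genuinely rushed changes: the request is neither blocked nor waved through, it simply gets the callback the procedure already requires.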
Don't Let Just Anyone Install New Software
Another strong defense is to enforce rigid controls around who can install new software on your company’s devices.
All too often, legitimate remote assistance tools are being installed as a means of gaining access to target systems during a social engineering attack. These tools do not, by default, trigger alerts in Endpoint Detection and Response (EDR) or antivirus (AV) software, as they are not “malicious” applications when used properly.
Ensuring that only authorized remote assistance/remote access tools are available in your environment and that only authorized internal staff are granted the authority to install additional applications can significantly reduce the risk of malicious access through installation of remote access tools.
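One way to turn that control into a routine check, as an added example that is not code from the original article or from NMFTA: audit a software inventory export for remote-assistance products, flag any that are not the single sanctioned tool, flag the sanctioned tool when it appears on a host outside the help desk, and flag anything installed by an account other than the deployment account. The product-name catalogue, sanctioned tool, host names, account names and the inventory rows are all constructed for illustration; in practice the rows would come from the fleet's asset inventory or EDR console.

```python
import re
from typing import Dict, List

# Constructed catalogue of remote-assistance product names (illustrative;
# extend it with whatever your asset inventory or EDR actually reports).
REMOTE_TOOL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"anydesk", r"teamviewer", r"screenconnect|connectwise control",
    r"splashtop", r"rustdesk", r"logmein", r"atera",
)]
# Constructed policy: the one sanctioned tool, the hosts allowed to run it,
# and the only account permitted to install software.
AUTHORIZED_TOOL = re.compile(r"screenconnect", re.IGNORECASE)
AUTHORIZED_HOSTS = {"it-helpdesk-01", "it-helpdesk-02"}
DEPLOYMENT_ACCOUNTS = {"svc-deploy"}

# Constructed inventory export; each row is one installed product on one host.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "dispatch-07", "product": "AnyDesk 8.0.6", "installed_by": "j.doe"},
    {"host": "it-helpdesk-01", "product": "ScreenConnect Client", "installed_by": "svc-deploy"},
    {"host": "maint-shop-02", "product": "ScreenConnect Client", "installed_by": "svc-deploy"},
    {"host": "dispatch-07", "product": "Microsoft Office", "installed_by": "svc-deploy"},
    {"host": "driver-tablet-12", "product": "Some Utility 1.2", "installed_by": "d.driver"},
]


def is_remote_tool(product: str) -> bool:
    """True if the product name matches any catalogued remote-access tool."""
    return any(p.search(product) for p in REMOTE_TOOL_PATTERNS)


def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per policy violation found in the inventory rows."""
    findings: List[Dict[str, str]] = []
    for row in inventory:
        host, product, who = row["host"], row["product"], row["installed_by"]
        if is_remote_tool(product):
            if not AUTHORIZED_TOOL.search(product):
                findings.append({**row, "reason": "unapproved remote-access tool"})
            elif host not in AUTHORIZED_HOSTS:
                findings.append({**row, "reason": "sanctioned tool on a non-IT host"})
        # Independent of what was installed: who installed it?
        if who not in DEPLOYMENT_ACCOUNTS:
            findings.append({**row, "reason": "installed outside the deployment account"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']:18} {f['product']:22} {f['reason']}")
```

The two checks are deliberately independent: a user-installed copy of the sanctioned tool on a dispatcher's workstation is exactly the pattern the article describes, and it would be missed by a check that only looked at product names.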
Small steps like this can dramatically increase an organization’s resistance to social engineering attacks.
Increasing this resistance is an operational imperative in the current environment, as the majority of all successful digital crimes are facilitated by successful social engineering attacks.
Technology is evolving. Cybercriminal tactics are evolving. Organizations’ abilities to detect manipulative communications must evolve to keep pace.
Education is the cornerstone of this evolution. Role-based security education must encompass the entire organization, and not just IT. Strong internal processes and consistent awareness of these processes across the organization facilitate an internal “early warning” system that will make social engineering attempts stand out as exceptions to the normal process.
Increased awareness is not just another component of an organization’s protection strategy; it is the core of cybercrime prevention.
Editor's Note: This is the first in a new monthly series devoted to practical tips to help trucking fleets of all sizes improve their cybersecurity. NMFTA, the National Motor Freight Traffic Association, has an extensive focus on cybersecurity in the logistics sector. It hosts an annual cybersecurity conference that is open to non-NMFTA members and offers other educational resources related to cybersecurity in trucking.