All it can take is a phone call. That’s what Qantas learned this week when the personal information of up to 6 million customers was stolen by cybercriminals after attackers targeted an offshore IT call centre, enabling them to access a third-party system.
It is the latest in a series of cyber-attacks on large companies in Australia involving the personal information of millions of Australians, after the attacks on Optus, Medibank and, most recently, Australia’s $4t superannuation sector.
The Qantas attack came just days after US authorities warned the airline sector had been targeted by a group known as Scattered Spider, using social engineering techniques, including impersonating employees or contractors to deceive IT help desks into granting access, and bypassing multi-factor authentication.
New technology brings old methods
While companies may spend millions keeping their systems secure and software up-to-date to plug known vulnerabilities, hackers can turn to this form of attack to target what is often the weakest link – humans.
Social engineering is not new. It predates the internet and involves tricking someone into providing compromising information.
The most common way people would see social engineering in practice is through phishing attacks – emails that are designed to look official to lure unsuspecting people into providing their logins and passwords.