Robinhood has made headlines repeatedly over the past 18 months. The US-based stock trading platform surged in popularity amid the long-running GameStop story, with new users flocking to the app in the hope of striking it lucky trading stocks.
However, over the past week Robinhood hit headlines for all the wrong reasons. On Sunday 7th November, the firm released details of a data breach that leaked information belonging to millions of users.
Details released by the company reveal a threat actor gained access using social engineering techniques, whereby an individual is psychologically manipulated into divulging sensitive information or performing certain actions.
According to the trading platform, the threat actor contacted a Robinhood customer support worker, employed these techniques and was able to gain access to some support systems. The unauthorised party also demanded a payment, the company confirmed.
Information on up to seven million app users is believed to have been exposed in the breach, including five million email addresses, two million names and a small number of user postcodes.
In a statement, Robinhood said it does not believe any account numbers, card details or social security numbers were exposed in the breach, and so far no customers have reported financial losses as a result of the incident.
“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” the firm said.
But although this appears to be something of a reprieve for users, Check Point Cloud Security Engineer Stuart Green says that further down the line many of those affected will be targeted by cybercriminals armed with their personal details.
“The information leaked here is sensitive and bad news for the Robinhood community,” he says.
“Malicious hackers can use the information leaked to carry out more attacks against the victims, like targeted phishing emails, as names and dates of birth can often be used to verify a person’s identity.”
Green urged Robinhood users to immediately change their passwords, enable two-factor authentication and remain vigilant for any suspicious emails that land in their inboxes.
Social engineering, a looming threat
Crucially, the Robinhood data breach highlights how effective social engineering techniques can be. It’s why threat actors are coming to view such methods as key weapons in their arsenal.
Verizon’s 2020 Data Breach Investigations Report (DBIR), for example, found that 22% of data breaches involved social engineering.
According to Lisa Forte, a cybersecurity specialist and partner at Red Goat Cyber Security, the Robinhood data breach shows that social engineering is a serious concern for organisations and consumers alike. And since the onset of the pandemic, the issue has escalated as millions pivoted to remote working.
At home – and potentially isolated – workers across a range of industries became prime targets for predatory fraudsters.
“The pandemic saw an explosion in social engineering attacks,” she says. “This is due to the uncertainty we all felt. We also all shifted our lives online, thereby increasing our attack surfaces or potential.
“We saw a huge rise in ‘fake delivery’ messages for online shopping, romance fraud, vaccine and NHS phishing and social engineering playing on the rise of controversial fringe groups, such as QAnon.”
While these techniques appear rather simplistic, they often prove highly effective and prey upon human emotions. Threat actors establish a sense of trust and draw victims in before causing havoc at an organisation or inflicting significant distress upon an individual.
“Social engineering is the use of deception to get someone to do something they think is benign but is actually malicious to compromise a company and its data,” she explains.
There are a variety of social engineering techniques leveraged by hackers and cybercriminals, Forte notes – and phishing is the obvious example that many will think of.
However, fraudulent SMS messaging campaigns – known as ‘smishing’ attacks – are becoming more common. Smishing attacks increased by nearly 700% during the first half of 2021, according to research from the consumer rights group Which?
‘Vishing’, a type of fraud that relies on manipulating people over the phone, is also rising in popularity and appears to have been the method employed in the Robinhood data breach.
These growing threats have created a perilous cybersecurity landscape for organisations across a range of industries and continue to loom over consumers. Yet despite the obvious danger, Forte says many businesses are failing to address the full scale of the problem.
“I think we underestimate the risk it poses. It’s acknowledged for sure, but are we giving it the respect that it needs? Probably not. This is evidenced by the readily available stats showing how phishing is still so effective.
“This is now coupled with nefarious people adding us and befriending us on social media platforms in order to get us to pass over sensitive information or even compromise security,” she adds.
Countering the threat
In the long-term, employee education on how to spot and prevent social engineering attacks will help organisations counter these growing threats, Forte notes, but it’s not a silver bullet.
These techniques are highly deceitful and rely on inherent human vulnerabilities to crack organisational defences. As such, education and awareness should always run parallel to robust processes.
“Training is essential but needs to be backed up with good technical defences and procedures.
“Then on top of this, ‘higher risk roles’ such as finance teams, HR and execs need some more detailed training as they hold roles that are more likely to be targeted with sophisticated social engineering owing to the access they have.”