Just to kick things off. Here’s an article describing scammers using phishing techniques netted 11 million Canadian (9 Million US).
The article says this is not technically hacking. I don’t agree, but what do you think?
For those with an audit background, it also points out that anti-fraud controls were either not in place, or not effective.
The university fell for a phishing scam that was impersonating a vendor they were using. This is definitely an issue where the university did not do its due diligence to verify who they were making the payment to, especially for such a large sum!
Based on your definition of “hacking” (exploring the difference between how something is supposed to work and how it really works), I do believe that what this person did was a form of hacking. This person used a bit of social engineering while in this phishing scam, by impersonating a vendor that has had a previous relationship with the university, to get access to monetary compensation. How it’s supposed to work is that the user (victim) would have to get proof that the person is who they say they are, and how it actually worked was that the victim trusted based on the vendor and subject of the email without a proper vetting process. This is why I believe this is a hack versus just an ordinary phishing scam.
I agree that based on the definition, this is considered a form of hacking.
I also think it brings up an interesting discussion that hacking can take various forms, and it is important to be aware of it (phishing, social engineering, etc.)
Although I initially did not consider this “hacking” when I read the article, I agree with Krish that this does fall under hacking according to this course’s definition. This shows the importance of broadening our views of what hacking is. Attackers will try to achieve their goal by any means necessary, and many times it is not through common methods that most people think of when they think about hacking (example: brute force attacks). To try to keep attackers out, it is important to think like an attacker and consider what they might do.
The university should have done a better job of confirming who the money was going to and where knowing if it was a large amount of money. I think there should have been security checks in between people to make sure that the money was going to the right place and people. This was a different way to get someone to give them money and it does not necessarily have to be from the backend.
“Hacking” is a term with a very wide meaning. In the original meaning, hacking involves using a tool in ways that were not meant to be used. In more recent interpretations, a malicious meaning is attached to the term. Nonetheless, in this instance, phishing has a malicious aspect to it as well as abuse email.
After reading this article, I was thinking something similar to what Tal has said; hacking is a term with a much larger scope today than it once had. With this in mind, it is interesting to think about whether or not one would classify this as hacking. Social engineering is a subset of phishing, and doesn’t necessarily have to include any technical breach, but is and also is not considered hacking depending who one asks. One can social engineer their way into a restricted area in a building as well, is this hacking? If we think about the more broad and general concepts, then I would argue that this is hacking in the same vein that cybersecurity is not exclusively an IT function like so many people commonly misperceive.
I think that this can be considered a form of hacking (the combination of phishing and social engineering techniques used to scam the university of $11 million dollars).
While I do disagree with the article saying that it is not a form of hacking, I think it brings up a discussion point that hacking may take various forms, and that this is something to be aware of.