Ratna Yudhiyati (44047509)

An Analysis of the Social Engineering Threat to Wesfarmers

Executive Summary
Wesfarmers, as one of the biggest corporations in Australia, needs to pay more attention to social engineering risk. Social engineering is a type of security attack that involves misleading people into voluntarily performing specific actions or disclosing information by using social interaction and persuasion methods. Symantec (2016) found that the retail industry was one of the popular targets of social engineering attacks. The people aspect is very important in the retail industry, and this is the main reason why social engineering attacks often target it.
The damage of a social engineering attack can be classified into two categories: primary and secondary. The three primary damages are stolen information, a compromised information system, and direct financial loss. These three damages may be caused by any social engineering attack, but the most popular social engineering attack in the retail industry is identity impersonation.
There are also two secondary damages, which are reputational and operational damage. A compromised information system will disrupt Wesfarmers’ operations and harm the company’s reputation. Stolen information will make Wesfarmers lose its competitive advantage. Secondary damage is often considered the costliest damage of a social engineering attack, and the loss is difficult to estimate.
This report provides recommendations for preventive countermeasures against social engineering attacks. The recommendations are as follows: (1) basic training about social engineering for new employees, (2) security awareness training for partners, (3) advanced social engineering training, and (4) security policies about corporate email.

Introduction
Social engineering is a type of security attack that involves misleading people into voluntarily performing specific actions or disclosing information by using social interaction and persuasion methods (Albrecht et al 2016). Information Security Media Group (ISMG) found that social engineering was regarded as the most dangerous threat in 2016 by 60 percent of respondents (ISMG 2016).
Wesfarmers, as one of the biggest corporations in Australia, needs to pay more attention to social engineering risk. Wesfarmers has interests in many industries, but retail is its main business (Wesfarmers 2016). Symantec (2016) found that the retail industry was one of the main targets of popular social engineering attacks, especially spam email, phishing, and spear-phishing. If Wesfarmers neglects this risk, the possible implications will be dangerous for the company.
This report has two main purposes. First, it analyses and evaluates the risk of social engineering attacks on Wesfarmers. Second, it proposes recommendations to Wesfarmers’ Board of Directors for managing the risk of social engineering.

The Risk of Social Engineering on Wesfarmers

The Explanation of Risk
The human aspect is the main cause of most cybersecurity breaches. Humans have a tendency to trust other people and to disclose personal information easily. Social engineering is a type of cybersecurity attack that exploits this human nature.
There are many techniques of social engineering. Some popular social engineering attacks that may concern companies are phishing, pretexting, and tailgating. A phishing attack uses email to deceive the receiver into performing a specific action or opening a harmful program that compromises the targeted information system. Pretexting is used when the attacker designs a fabricated scenario that looks like a credible story and uses it to manipulate the target and obtain sensitive information. Tailgating is used to gain access to a restricted area by impersonating someone who has access to the area (Conteh & Schmick 2016).
The retail industry has a high risk of social engineering attack. Symantec (2016) found that retail was the industry most heavily exposed to phishing attacks in 2015. The retail industry had the highest phishing email ratio of 1 in 690, which means that 1 out of every 690 business emails received by a company in a year was a phishing email. Spam email is also a popular social engineering attack used against the retail industry. Symantec (2016) also found that 52.7 percent of emails received by retail companies in 2015 were spam.
Wesfarmers, as one of the biggest retail conglomerates in Australia, has a high risk of becoming a social engineering target. This section explained the likelihood of Wesfarmers being targeted by social engineering attacks. The next section explains Wesfarmers’ exposure to social engineering risk.

The Implication of Social Engineering Attacks on Wesfarmers

A social engineering attack creates two types of concurrent damage, named primary and secondary damage (Janczewski & Fu 2010). Primary damage is the direct damage caused by the social engineering attack, such as stolen information or a damaged information system. Secondary damage is the subsequent damage caused by the primary damage.
Wesfarmers is a conglomerate that focuses on the retail industry. The business operations of the retail industry rely heavily on communication among suppliers, customers, and partners within the company. A single division of Wesfarmers, such as Coles or Bunnings, has many stores located across Australia, and they need to communicate regularly with headquarters. Each division has its own suppliers. They also need to communicate regularly with their customers. The people aspect is very important in the retail industry, and this is the main reason why social engineering attacks often target it.
There are three possible primary damages Wesfarmers would suffer if it became a victim of a social engineering attack. The three damages are stolen information, a compromised information system, and direct financial loss.
One of the most common social engineering attacks in the retail industry is identity impersonation. The attacker usually conducts research about the target and impersonates a known identity to craft a well-designed email, so that it becomes very difficult for the victim to distinguish it from a genuine one. Attackers usually request sensitive information or even money. For example, a store manager received an email from one of the store’s main suppliers. The email was not sent from the usual email address, but the manager believed that it was sent by the supplier because the sender clearly mentioned some of their past transactions. The email explained that the supplier had changed its bank account and requested that the manager pay the new invoices to the new bank account. However, the store manager found out a month later that the email was fake and the transferred amount was lost.
This method can easily be modified to suit the attacker’s purpose. If the attacker wants to obtain sensitive information, they may impersonate a superior when sending email to a store manager. If they wish to damage the company’s system, they can impersonate a supplier or customer when sending the email and request that the receiver open the attached file.
Reputational damage and operational damage are classified as secondary damage for Wesfarmers. A compromised information system will disrupt Wesfarmers’ operations and harm the company’s reputation. For example, suppose an attacker managed to insert a harmful program into Bunnings’ system by using a phishing email. The company would be unable to use its ERP system to contact suppliers. The online stores could not be accessed by customers. The company would be unable to operate properly. Customers would be dissatisfied and worried when they heard that Bunnings’ online system had suffered a hacker attack. They would hesitate to shop online, and Bunnings would lose much profit and its competitive advantage. Secondary damage is often considered the costliest damage of a social engineering attack, and the loss is difficult to estimate.

Recommendations
There are three categories of countermeasures against social engineering: preventive, detective, and corrective (Cullen and Armitage 2016). This report focuses on preventive countermeasures because stopping a cybersecurity attack before it happens is the cheapest and most effective method (Albrecht et al 2016).
Education
1. Basic training about social engineering for new employees.
The main purpose of this training is to ensure that employees have a similar level of understanding of the social engineering threat and how to respond to it, despite their different backgrounds.
2. Security awareness training for partners.
Partners’ employees who work on the company’s premises, such as security or cleaning staff, are often the main cause of security breaches. They usually have low security awareness. Wesfarmers needs to address this risk by giving basic training to these employees or by requiring partners to provide security awareness training for their staff.
3. Advanced social engineering training.
The targets of this training are higher-level employees who may become targets of sophisticated social engineering attacks. These employees need to improve their knowledge of the evolving techniques of social engineering.
Security Policies about Corporate Email
Wesfarmers needs to apply the know-your-partner principle as part of its corporate email policy. Employees may open an attached file or hyperlink in an email only if they properly understand the content of the email they receive and who the sender is. Employees also need to validate the sender’s background if they receive an important request from an unusual email address.
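As an added illustration of the email policy above (this script is not part of the original report), the following Python code applies the know-your-partner checks to constructed sample messages: a hypothetical supplier directory of known sender domains, a look-alike domain check, a Reply-To mismatch check, and detection of the kind of bank-account-change or attachment request described in the impersonation example earlier. A message from an unusual sender that also carries such a request is marked for out-of-band verification. All supplier names, domains and messages are constructed for this example.

```python
"""Flag inbound partner emails that need out-of-band verification.

Added example of the 'know-your-partner' email policy. The supplier
directory, trigger phrases and sample messages are all constructed;
the names and domains are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Hypothetical directory: partner name -> sender domains it is known to use.
KNOWN_SUPPLIERS: dict[str, set[str]] = {
    "Acme Timber": {"acmetimber.example"},
    "Northern Hardware": {"northernhw.example", "mail.northernhw.example"},
}

# Phrases that mark a request the policy says must be validated with the sender.
SENSITIVE_REQUEST = re.compile(
    r"(new bank account|change.{0,20}bank|updated (payment|banking) details|"
    r"open the attached|click the link)",
    re.IGNORECASE,
)


@dataclass
class Message:
    from_header: str
    reply_to: str | None
    body: str


@dataclass
class Verdict:
    verify_out_of_band: bool
    reasons: list[str] = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot look-alike domains (one or two characters off).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(msg: Message) -> Verdict:
    display_name, address = parseaddr(msg.from_header)
    sender_domain = _domain(address)
    reasons: list[str] = []

    # 1. Sender claims to be a known partner, but the address domain is not one we know.
    claimed = next((s for s in KNOWN_SUPPLIERS if s.lower() in display_name.lower()), None)
    if claimed is not None and sender_domain not in KNOWN_SUPPLIERS[claimed]:
        reasons.append(f"display name claims {claimed!r} but address domain is {sender_domain!r}")

    # 2. Domain is a near-miss of a trusted domain.
    for domains in KNOWN_SUPPLIERS.values():
        for trusted in domains:
            if sender_domain != trusted and _edit_distance(sender_domain, trusted) <= 2:
                reasons.append(f"domain {sender_domain!r} looks like trusted {trusted!r}")

    # 3. Replies would go to a different domain than the one that sent the mail.
    if msg.reply_to and _domain(parseaddr(msg.reply_to)[1]) != sender_domain:
        reasons.append("Reply-To domain differs from From domain")

    # 4. The request itself: payment-detail changes, attachments, links.
    match = SENSITIVE_REQUEST.search(msg.body)
    if match:
        reasons.append(f"sensitive request: {match.group(0)!r}")

    # Policy: an unusual sender plus a sensitive request => confirm through a known channel.
    sender_unusual = any(not r.startswith("sensitive request") for r in reasons)
    return Verdict(verify_out_of_band=sender_unusual and match is not None, reasons=reasons)


# Constructed sample messages: a look-alike supplier domain, a routine message,
# and a genuine-looking sender whose Reply-To points elsewhere.
SAMPLE_MESSAGES = [
    Message('"Acme Timber Accounts" <accounts@acme-timber.example>', None,
            "Hi, we have moved to a new bank account. Please pay the attached invoices to it."),
    Message('"Northern Hardware" <orders@northernhw.example>', None,
            "Please find the delivery schedule for next week."),
    Message('"Acme Timber" <accounts@acmetimber.example>', "accounts@acmetimber-invoices.example",
            "Updated payment details attached, please action before Friday."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = assess(m)
        print(m.from_header, "->", "VERIFY" if v.verify_out_of_band else "ok", v.reasons)
```

In practice the supplier directory would be maintained by procurement rather than hard-coded, and a VERIFY result should lead to a phone call to the supplier on a number already on file, never to a number quoted in the suspicious email.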

Conclusion
Wesfarmers has a high risk of social engineering attack because its main business is retail. The three possible primary damages of a social engineering attack on Wesfarmers are stolen information, a compromised information system, and direct financial loss. There are also two secondary damages, which are reputational and operational damage.
This report focuses on providing recommendations for preventive countermeasures against social engineering attacks:
1. Basic training about social engineering for new employees.
2. Security awareness training for partners.
3. Advanced social engineering training.
4. Security policies about corporate email.

REFERENCE LIST
Albrecht, W, Albrecht, C, Albrecht, C, & Zimbelman, M 2011, Fraud Examination, Cengage Learning.
Conteh, NY & Schmick, PJ 2016, ‘Cybersecurity: Risks, Vulnerabilities, and Countermeasures to Prevent Social Engineering Attacks’, International Journal of Advanced Computer Research, vol. 6, no. 23, pp. 31-38, viewed 11 May 2017, http://dx.doi.org/10.19101/IJACR.2016.623006
Information Security Media Group 2016, Email Security: Social Engineering Report, ISMG, Princeton, viewed 15 May 2017, https://www.agari.com/project/report-email-security-social-engineering-survey/?pr
Janczewski, LJ & Fu, L 2010, ‘Social Engineering-Based Attacks: Model and New Zealand Perspective’, in Proceedings of the 2010 International Multiconference on Computer Science and Information Technology, pp. 847-853, viewed 15 May 2017, https://doi.org/10.1109/IMCSIT.2010.5680026
Symantec 2016, Internet Security Threat Report, vol. 21, Symantec, Mountain View, viewed 11 May 2017, https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
Wesfarmers 2016, 2016 Annual Report, viewed 11 May 2017, http://www.wesfarmers.com.au/docs/default-source/reports/2016-annual-report.pdf?sfvrsn=8