Cyber-criminals are using social engineering attacks to take over accounts belonging to players of the Electronic Arts video game FIFA 22.
In a statement released Tuesday, Electronic Arts said that multiple player accounts had been compromised, and that it was working with the rightful owners of the accounts to restore access.
While the gaming giant’s investigation into the attacks remains ongoing, Electronic Arts estimates that fewer than 50 accounts have been taken over through a combination of phishing techniques and mistakes made by its customer experience team.
“Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts,” said the Electronic Arts Sports FIFA team.
The team added: “Our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.”
Since discovering the cyber-criminal activity, Electronic Arts has put all its advisors and individuals who assist with the service of EA accounts through individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used by the attackers.
The company said it is also adding steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.
In addition, Electronic Arts said it will be updating the software used by its customer experience team so it can better identify suspicious activity, flag at-risk accounts, and slash the risk of human error in the account update process.
“Having strong, unique passwords and enabling MFA are essential to reducing the risk of an account being compromised. However, even with these technical controls, it is still possible that an account can be compromised through social engineering,” commented Javvad Malik, security awareness advocate at KnowBe4.
“It’s why educating users of these threats is vitally important. Whether that be through an organization rolling out a security awareness and training program or be it through useful on-screen hints and tips on consumers’ login pages reminding them to not share personal details or login codes with others, and to be wary of emails claiming to be from the organization.”