Employees continue to be the weakest link in your cybersecurity defenses. Verizon reports that last year, more than 90% of data breaches began with one user click. Estimates place annual U.S. phish-scam losses, at more than half a billion dollars. So, not surprisingly, the phishy social-engineering ploy remains one of thieves’ favored ways of tricking people out of information.
Knowing what to look for, and then imparting that knowledge through regular training, is an effective way to reduce employee-driven risk. Here are the four fastest growing phishing schemes predicted for this year, and steps you can take to prepare.
1) Attacks SaaS on Credentials. In 2018, software-as-a-service applications such as email, online storage, and productivity suites surpassed financial institutions as the top phishing target. Crooks gain access by falsely telling users they have a suspicious account login or expired password, then providing a link to a spoofed (phony) page to steal their information. A single compromised SaaS account can expose a treasure trove of files, email and other highly sensitive information. Security pros advise that enabling multifactor authentication for all users is the absolute minimum precaution against SaaS credential compromise (TeamLogic IT can also recommend others).
2) Attacks through Messaging Apps. Slack, Skype, Teams, Facebook Messenger and similar collaboration apps don’t use email, and thus lack that channel’s built-in security features, such as link scanning and malware detection. The absence of these protections openly exposes messaging apps to email-phishing favorites like malicious links and user impersonation. People tend to be overly trusting when using these popular and widely used tools, which is exactly why they should be covered in your firm’s security awareness programs.
3) Interactive Business Email Compromise (BEC) Attacks. These social engineering attacks are on the rise and will remain a top threat through 2019 and beyond. They don’t begin with a phony link, attachment or malicious content. Just a convincing, personal appeal from a hacker posing as a colleague or superior. The victim is highly targeted, usually based on position, authority or access, and initial contact is often an innocuous hook (“Hey, are you at your desk?”). Only after a few messages will the attacker request something from the victim. Perhaps the most familiar example of BEC fraud is the cybercrook posing as an executive, and urgently ordering an underling to wire funds to some overseas account. Sadly, the hoax does work.
In recent years, U.S. businesses have lost more than $12.5 billion to BEC scams, according to the FBI. One effective measure against this attack is instating a policy of ‘channel switching’ for requests of a certain type or dollar amount. For example, if a request is made over email, the response is sent via messaging app. If it comes by phone or voicemail (a tactic known as ‘vishing’), the follow-up continues by email or text. A simple inquiry (“did you just ask me to XYZ?”) can effectively thwart this treacherous ploy.
Small companies continue to be threat actors’ favorite target. Being prepared for social engineering can help your business avoid downtime, financial loss and brand/reputational damage. For expert guidance with security awareness training or any cybersecurity concern, give us a call today.