Employees continue to be the weakest link in your cybersecurity defenses. Verizon reports that last year
more than 90% of data breaches began with a single user click, and estimates place
phishing-scam losses at more than half a billion dollars. So, not surprisingly, phishing
remains one of thieves' favored social-engineering ploys for tricking people out of
information.
Knowing what to look for, and then imparting that knowledge through regular training, is an
effective way to reduce employee-driven risk. Here are the four fastest-growing phishing
schemes predicted for this year, and steps you can take to prepare.
1) Attacks on SaaS Credentials. In 2018, software-as-a-service applications such as
email, online storage, and productivity suites surpassed financial institutions as the top
phishing target.
Crooks gain access by falsely telling users they have a suspicious account login or an
expired password, then providing a link to a spoofed (phony) login page that captures
whatever credentials the user types. A single compromised SaaS account can expose a
treasure trove of files, email and other highly sensitive information. Security pros advise
that enabling multifactor authentication for all users is the absolute minimum precaution
against SaaS credential compromise: a stolen password alone should never be enough to log
in (TeamLogic IT can also recommend others).
2) Phishing through Messaging Apps. Slack, Skype, Teams, Facebook Messenger and similar
collaboration apps bypass the email gateway, so messages sent through them typically miss
that channel's built-in protections, such as link scanning and malware detection. The
absence of these protections leaves messaging apps open to email-phishing favorites like
malicious links and user impersonation. People tend to be overly trusting when using these
popular and widely used tools, which is exactly why they should be covered in your firm's
security awareness programs.
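The spoofed login links in item 1 and the unscanned links in item 2 share a few tell-tale shapes: a trusted brand stuffed into the subdomain of some other domain, a brand name placed before an "@" so the browser actually connects to the host after it, a raw IP address, or a punycode (xn--) host that may hide look-alike characters. The following is an added example of a simple link check that flags those shapes against an allowlist of the SaaS domains a firm actually uses. It is illustration code written for this page, not tooling from TeamLogic IT; the trusted-domain list, brand words, suffix table and sample message are all constructed assumptions.

```python
"""Flag links in a message that point at look-alike SaaS login pages.

Added example for illustration only (not TeamLogic IT tooling). The
allowlist, brand words, suffix table and sample message are constructed.
Standard library only, so it runs offline.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains of the SaaS services a firm uses.
TRUSTED_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "office.com", "live.com",
    "google.com", "dropbox.com", "slack.com",
}

# Brand words whose presence in an untrusted hostname is suspicious.
BRAND_WORDS = ("microsoft", "office", "outlook", "google", "dropbox", "slack")

# Tiny stand-in for the Public Suffix List; a real tool would load the PSL.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample: a "password expires" lure with a look-alike link.
SAMPLE_MESSAGE = (
    "Hi, your Office 365 password expires today. Re-verify at "
    "https://login.microsoft.com.verify-account.example/ or use the portal "
    "https://login.microsoftonline.com/."
)


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname using the small suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify one URL as 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown"
    # https://microsoft.com@evil.example/ : text before '@' is userinfo;
    # the browser connects to evil.example, so treat any userinfo as a lure.
    if parts.username is not None:
        return "lookalike"
    # A bare IPv4 literal never hosts a legitimate SaaS login page.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "lookalike"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Untrusted host that either borrows a brand name (subdomain stuffing)
    # or is an IDNA/punycode label that could hide homoglyphs.
    if host.startswith("xn--") or ".xn--" in host:
        return "lookalike"
    if any(brand in host for brand in BRAND_WORDS):
        return "lookalike"
    return "unknown"


def scan_message(text: str):
    """Return (url, verdict) for every URL found in a message."""
    urls = [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]
    return [(u, classify_link(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:9s} {url}")
```

The "unknown" verdict is deliberate: a link can be perfectly legitimate without being on the allowlist, and a check like this is meant to prompt a second look, not to block. An allowlist of the firm's real login domains is also what users should be trained to compare against before typing a password.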
3) Interactive Business Email Compromise (BEC) Attacks. These social-engineering attacks
are on the rise and will remain a top threat through 2019 and beyond. They don't begin with
a phony link, attachment or malicious content, just a convincing, personal appeal from a
hacker posing as a colleague or superior. The victim is highly targeted, usually based on
position, authority or access, and initial contact is often an innocuous hook ("Hey, are
you at your desk?"). Only after a few messages will the attacker request something from the
victim. Perhaps the most familiar example of BEC fraud is the cybercrook posing as an
executive and urgently ordering an underling to wire funds to an overseas account. Sadly,
the hoax does work.
Over recent years, U.S. businesses have lost more than $12.5 billion to BEC scams,
according to the FBI. One effective measure against this attack is instituting a policy of
'channel switching' for requests of a certain type or dollar amount. For example, if a
request is made over email, the response is sent via messaging app. If it comes by phone or
voicemail (a tactic known as 'vishing'), the response is sent by email or text. The
confirmation should go to a number or address already on file, never to contact details
supplied in the suspicious message itself. A simple inquiry ("did you just ask me to XYZ?")
can effectively thwart this attack.
Small companies continue to be
threat actors’ favorite target. Being prepared for social engineering can help
your business avoid downtime, financial loss and brand/reputational damage. For
expert guidance with security awareness training or any cybersecurity concern, give
us a call today.