Criminals, con-artists and tricksters have been fooling unsuspecting targets for centuries, and not only on April Fool’s Day, says David Higgins, EMEA Technical Director at CyberArk.
Whether it’s forging documents or fraudulent transactions, being on the receiving end is never welcome. Today, cyber-attacks are a prolific form of trickery that pose a serious threat to businesses.
In cybercrime, phishing has long been a preferred tactic for coaxing unsuspecting corporate employees into surrendering sensitive information, typically using social engineering techniques. But in the last year we’ve seen a level of sophistication and variation in phishing tactics that we’ve never seen before. Individuals and businesses globally are falling prey to new, innovative threats from unrelenting attackers every day.
So, this April Fool’s Day, what tactics should IT teams and employees be looking out for? And how can they best protect their organisations from looking foolish?
Are deepfakes an innocent prank or a serious threat?
We know the success of a phishing attack relies on credibility. Cyber criminals rely on people believing they are someone else to gain access to networks, whether it’s via a credible-looking email coming from a supposedly legitimate source, or a fake video message spoofing a trusted colleague. This is why deepfakes are raising concerns – anyone can choose to look like someone else, with apparent authenticity.
In fact, the FBI warned earlier this year that malicious threat actors will ‘almost certainly’ be using deepfakes as a tactic to advance their cyber operations over the next 12 to 18 months. Deepfake technology has the potential to change the phishing landscape completely because it allows threat actors to move beyond text, and take advantage of the deep level of trust that comes with video or verbal communication.
Deepfake videos have already been used successfully to spread disinformation, mostly political in nature, and it’s only a matter of time before the technique is turned to other goals. The highly competitive nature of business means there’s also a strong possibility we’ll see a rise in disinformation campaigns intended to discredit rivals, such as the campaign attributed to telecoms group Viettel.
It’s time for IT teams to understand the threat this technology poses to their business and put measures in place to educate about deepfake attacks, as it’s likely they will be targeted using these tactics in the near future.
Vishing is yet another example of the ingenuity of cyber criminals and the constant evolution of their tactics, techniques and procedures. Defined as unsolicited phone calls or voice messages fraudulently made by someone purporting to be a trusted service or colleague, vishing is becoming increasingly common as attackers use voice over internet protocol (VoIP) technology to place these calls over the internet, with spoofed caller IDs, rather than having to use a traditional phone line. The volume of such attacks has increased drastically during the pandemic too, with the UK’s National Cyber Security Centre (NCSC) warning of attacks of this kind in its recent advisory on working from home safely.
We know vishing attacks are already proving successful too: attackers famously used the tactic last year against Twitter employees to take control of the Twitter accounts of CEOs, businesses, celebrities and politicians, including Joe Biden, Jeff Bezos, Apple and Uber.
Don’t allow their voice to fool you
We already know false representations aren’t limited to video. Above and beyond conventional vishing, many attackers are experimenting with voice adaptation software that allows them to mimic the voices of contacts known to the victim when conducting audio-based phishing attacks, whether via live phone calls or pre-recorded audio files.
This software is opening up the number of attack vectors available to malicious actors and IT teams need to be wary of these new avenues. Social engineering techniques are constantly being developed to lure unsuspecting employees into handing over money, information and credentials, which is hugely worrying considering tools such as voice adaptation technology are becoming accessible to anyone and everyone.
Watch out for spear-phishing and BEC attacks
In 2020, 35pc of businesses globally experienced spear phishing and 65pc faced BEC (business email compromise) attacks. These techniques may have been around for a long time, but they’re still the most powerful tool in a cyber criminal’s arsenal and people continue to fall for them.
BEC attacks are among the most damaging online crimes, and the NCSC found they were the main cause of cyber insurance claims in 2019, which isn’t surprising considering how often they successfully target organisations of all sizes. But why are people still falling for them? The answer is that attackers rely heavily on technological innovation and stolen credentials to make their attacks far more convincing than we’re used to seeing: a message sent from a genuinely compromised mailbox, or from a lookalike domain with a familiar display name, passes the sanity checks most employees apply. The introduction of greater variety – and novelty – to these attack routes increases their chances of success substantially.
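The BEC tricks described above (a trusted display name on an outside address, a lookalike sender domain, a diverted Reply-To, and pressure language about payments) are mechanical enough to triage automatically. The script below is an added example written for this page, not code from the author or from CyberArk; the organisation domain, the executive names, the confusable-character table and the four sample messages are all constructed for the demonstration, and the thresholds are assumptions a real deployment would tune.

```python
"""Triage raw e-mail headers and body for common BEC / spear-phishing tells.

Added example, not from the original article. The domain, executive list,
sample messages and thresholds below are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: our own domain and the people most often impersonated in BEC.
# A real deployment would pull these from the directory, not hard-code them.
OUR_DOMAIN = "example.com"
VIP_NAMES = {
    "alice liddell": "alice@example.com",   # CEO (constructed)
    "bob cratchit": "bob@example.com",      # CFO (constructed)
}

# Character substitutions attackers use when registering lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Phrases that signal the "pay now, tell no one" pressure typical of BEC.
PRESSURE = re.compile(
    r"\b(urgent|wire transfer|gift cards?|immediately|confidential|bank details)\b",
    re.IGNORECASE,
)


def normalise(domain: str) -> str:
    """Undo the usual homoglyph substitutions so examp1e.com compares as example.com."""
    domain = domain.lower()
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances from our domain are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """Not our domain, but either a homoglyph of it or within 2 edits (assumed threshold)."""
    if not domain or domain == OUR_DOMAIN:
        return False
    return normalise(domain) == OUR_DOMAIN or levenshtein(domain, OUR_DOMAIN) <= 2


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]

    # 1. A known executive's name on an address that is not their real one.
    expected = VIP_NAMES.get(display_name.strip().lower())
    if expected and sender != expected:
        findings.append(f"display-name impersonation of {display_name} from {sender}")

    # 2. Sender domain is a near-miss of our own.
    if is_lookalike(sender_domain):
        findings.append(f"lookalike sender domain {sender_domain}")

    # 3. Reply-To pointing somewhere other than the sender's domain diverts the thread.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != sender_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {sender_domain}")

    # 4. Pressure language in subject or (single-part) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({m.lower() for m in PRESSURE.findall(f"{msg.get('Subject', '')} {body}")})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


def verdict(findings: list[str]) -> str:
    """An identity tell plus any second tell is 'high'; anything else flagged is 'review'."""
    identity = any(f.startswith(("display-name", "lookalike")) for f in findings)
    if identity and len(findings) >= 2:
        return "high"
    return "review" if findings else "clean"


# Constructed sample messages, one per scenario.
SAMPLES = {
    "ceo_from_webmail": (
        "From: Alice Liddell <alice.liddell@gmail.com>\n"
        "Reply-To: ceo-office@protonmail.com\n"
        "Subject: Urgent wire transfer\n\n"
        "Process this wire transfer immediately and keep it confidential.\n"
    ),
    "cfo_lookalike_domain": (
        "From: Bob Cratchit <bob@examp1e.com>\n"
        "Subject: Supplier invoice\n\n"
        "Update the bank details on the attached invoice and pay immediately.\n"
    ),
    "vendor_chaser": (
        "From: Accounts <accounts@supplier-inc.test>\nSubject: Invoice overdue\n\n"
        "Please pay immediately to avoid late fees.\n"
    ),
    "genuine_ceo": (
        "From: Alice Liddell <alice@example.com>\nSubject: Lunch\n\n"
        "Are we still on for Thursday?\n"
    ),
}


def run_demo() -> dict[str, str]:
    """Triage every sample and return {name: verdict}."""
    return {name: verdict(triage(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {verdict(triage(raw))}")
        for finding in triage(raw):
            print("   -", finding)
```

The identity checks are the ones worth weighting most: pressure language alone produces a "review" for an ordinary supplier chaser, while a familiar name on an outside or lookalike address combined with any other tell is escalated. In production the VIP list and lookalike threshold should come from the directory and from your own domain length, and the check belongs alongside, not instead of, DMARC enforcement on the real domain.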
Making fools out of cybercriminals
Organisations need to take charge of their cyber security strategies this April Fool’s Day to avoid being made fools of by predatory threat actors. This means adopting an ‘assume breach’ mentality. Implementing proactive controls to protect sensitive credentials – the ones attackers increasingly seek out in order to carry out highly targeted attacks – is the start of a strong, multi-layered approach to cyber defence.
Businesses must employ three methods, in combination, to combat the rising number of phishing attacks. First, they should deploy AI-based detection tools to spot fakes – including deepfakes and vishing attempts. This must be bolstered by strict authentication processes that verify a user’s identity independently of the channel the request arrived on, so that a convincing voice or face is never sufficient on its own.
Second, they should consider using privileged access management to maintain a safe harbour for their most sensitive information. This will increase the difficulty for cybercriminals hoping to penetrate the restricted areas of a network.
Third, they should emphasise the importance of good security hygiene to employees through mandatory training sessions. This can be made more effective by demonstrating real examples of phishing attacks.
April Fool’s Day tricks are usually funny, even if a little embarrassing. Suffering the consequences of a successful phishing attack is not. They can cause serious damage across all areas of a business, not only its reputation. Follow this advice, and you’ll have reduced the chance of a successful attack by a wide margin.