What is social engineering
As more businesses transition to remote work and operating from the cloud, threat actors have discovered the biggest weak point in their cybersecurity—the employees.
Social engineering is a tactic criminals use to abuse human emotions such as empathy or fear and convince an unsuspecting victim to take whatever action the attacker wants. For cybercriminals, this could mean getting their target to click on a link, open a file, or enter their password in a fake web form.
Consent phishing is an increasingly popular social engineering tactic, especially as we approach the age of the metaverse where identities are further out of reach.
Instead of asking for something outright suspicious like login information, consent phishing schemes appear as a legitimate application (e.g. Microsoft) asking for permission to make changes to your system. What the victim doesn’t know is that, if they grant permission, they open the door for an unknown attacker instead of the publisher they trusted.
This technique is especially powerful because, although we emphasize having MFA (multifactor authentication) and strong passwords in place, consent phishing targets users who are already logged in, so those controls are never challenged. Consent phishing is also notoriously difficult for endpoint security to detect because, technically, the user “consented” to the threat actor accessing their data.
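Because the grant itself looks like ordinary user activity, the place to catch consent phishing is the consent-grant audit trail rather than the endpoint. The following is an added example, not code from the original post, that triages constructed consent-grant records for the warning signs described above: an unverified publisher, a lookalike vendor name, and broad or persistent permissions granted by the user without admin review. The field names and scope strings are assumptions, loosely modelled on Microsoft Graph permission names.

```python
# Added example, not code from the original post: triage OAuth consent grants,
# the record a successful consent-phishing attempt leaves in the audit log.
# Field names and scope strings are constructed assumptions loosely modelled on
# Microsoft Graph permission names; map them onto your own log's fields.
from dataclasses import dataclass
from typing import List, Tuple

# Scopes that read or send mail, or hand out a refresh token (offline_access),
# i.e. access that persists long after the user closed the consent prompt.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.ReadWrite.All", "offline_access"}
TRUSTED_VENDOR_WORDS = ("microsoft", "office 365", "google")

@dataclass
class ConsentGrant:
    user: str
    app_name: str
    publisher_verified: bool     # publisher identity verified by the IdP
    scopes: List[str]            # delegated permissions the user agreed to
    admin_consent: bool = False  # granted by an admin rather than the user

def triage(grants: List[ConsentGrant]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, app_name, reasons) for each grant worth analyst review."""
    findings = []
    for g in grants:
        reasons = []
        if not g.publisher_verified:
            reasons.append("unverified publisher")
            # Unverified app borrowing a trusted vendor's name: the lookalike
            # pattern the post describes.
            if any(w in g.app_name.lower() for w in TRUSTED_VENDOR_WORDS):
                reasons.append("impersonates trusted vendor name")
        risky = sorted(HIGH_RISK_SCOPES & set(g.scopes))
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons and not g.admin_consent:  # nobody reviewed this grant
            reasons.append("user-granted (no admin review)")
        if reasons:
            findings.append((g.user, g.app_name, reasons))
    return findings

# Constructed sample records: benign, consent-phishing lookalike, and a broad
# but admin-approved grant.
SAMPLE_GRANTS = [
    ConsentGrant("alice", "Contoso Expense Tracker", True, ["User.Read"]),
    ConsentGrant("bob", "Microsoft 0ffice 365 Upgrade", False,
                 ["User.Read", "Mail.ReadWrite", "offline_access"]),
    ConsentGrant("carol", "Acme Backup", True, ["Files.ReadWrite.All"], True),
]
```

Feeding real grants through `triage` surfaces the second record as the one to revoke and investigate, while the admin-approved third record is only flagged for its scope breadth.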
Deepfakes are audio or video clips altered to impersonate another person and convince the viewer that what they’re seeing is real. Deepfakes are a technological marvel made possible by artificial intelligence (AI), originally intended for movies and internet memes. However, criminals have begun to catch on to the dangerous door deepfakes can open.
According to Forbes, in October 2021 cyber criminals were able to swindle $35 million out of a Hong Kong bank by perfectly impersonating the business director over the phone with deepfake technology. Even more recently, as of last week, deepfake videos of Elon Musk were published by a fake crypto platform called BitVex, intending to convince other traders to invest their money in BitVex to make “30% dividends every day for the rest of their life.”
Whether you’re on the clock or at home, deepfakes are becoming more and more prevalent in deceiving the general public. It’s best to do thorough research from multiple resources on anything you’re instructed to do with your money before acting.
State-sponsored phishing, or state-sponsored attacks (SSA), are phishing schemes performed by hired cyber criminals on behalf of a nation-state. Their goals are political, ranging from exploiting vulnerabilities in government infrastructure to stealing information and intel and taking money from citizens.
Because of the nature of SSAs, you’d think regular businesses would be left untouched while criminals target government organizations. However, because directly attacking a government agency is so risky, criminals tend to use other unsuspecting victims as stepping stones until they finally get into their main target.
In short, this means you and your company are still at risk.
On June 10, 2021, Russian state-sponsored hackers successfully halted operations at Australian meat packing company JBS and extracted an $11 million ransom. Fast forward to this year: on May 5, 2022, American agricultural machinery manufacturer AGCO was knocked offline by Russian state-sponsored ransomware attacks, and the exposure of company data is still being investigated. Despite being in the agriculture industry, these companies were targeted because of the service they provide to their respective citizens. The same risk currently applies to those in healthcare, education, and other public services.
Being cyber aware protects your business’s reputation, profit, and safety
As our online conduct and technology rapidly evolve, cyber attackers find new ways to think outside the box. Social engineering attacks are becoming harder to avoid every day because of the convincing tactics and technology threat actors use to trick you—a mistake that can’t ever be fully erased.
In a 2021 study by Proofpoint, 80% of global organizations reported fewer phishing attacks after enacting a cybersecurity training program. However, phishing awareness alone is not enough to protect you from social engineering. Other layers of cybersecurity, such as password best practices, malware awareness, and remote work best practices, should be covered within your business to have a fully effective training program.
You can stay a step ahead if you are prepared and know the red flags that mark a scam.
Want to learn more about common cybersecurity schemes and how to avoid being targeted? Check out our blog.