Second Generation Cyber-Attacks
Many of us are aware of phishing and have probably already been the target of an indiscriminate campaign. Phishing is designed to trick the recipient into divulging personal details that can be used to defraud at a later date.
By posing as reputable sources, such as banks or delivery firms, scammers attempt to glean the sensitive information they require. A phishing campaign will target numerous users and by sheer weight of numbers, the emails will reach a percentage of likely candidates, one of which may take the bait.
However, in recent years, users have become savvier to the risk of phishing. As such, the scammers have been evolving their techniques in response. Rather than spamming out relatively easily detected mass email campaigns, they’re spending time identifying targets, learning about them and setting up bespoke cyber attacks.
Spear phishing is a much more focused form of phishing. Cyber criminals focus on one individual or a small group of people and tailor their attack to suit the target. The email will incorporate some form of personalisation and include data that’s pertinent to the user. The fraudulent identity used by the scammer will be relevant to the target, thus increasing the chances of a successful dupe.
Attackers tap into social networks to mine information. Social media sites such as LinkedIn and Facebook provide a wealth of information. From contact details to information about business activities, scammers are able to tailor their emails with increasing sophistication.
The level of precision enables cyber criminals to trick recipients into breaking security procedures, divulging confidential information or providing access to funds. This type of activity is called social engineering.
CEO fraud is the latest in a new generation of cyber attack techniques. This particular vector involves cyber criminals using spoof company email accounts and impersonating senior company officials. CEO fraud is designed to fool employees. From sending out confidential information to executing unauthorised money transfers, scammers impersonate executives to coerce employees into performing a task under the auspices of a legitimate business activity.
CEO attacks rely on a number of techniques. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion.
A whaling attack also involves high profile executives. In this case, hackers use social engineering to trick users into divulging sensitive information or even into making money transfers. A carefully written email, sent at the right time, from one executive to another, may be just enough to coerce payment or the divulgence of sensitive company information.
There’s no malware or dubious web link attached, just a brief, text-only email, from one executive to another asking for assistance. Personalisation and detailed knowledge of the executive and the business are the hallmarks of this type of fraud. A whaling attack will often use a domain name that looks very much like a trusted one, yet with subtle and almost imperceptible changes.
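As an added illustration (not part of the original article), the following Python check flags sender domains that imitate a trusted domain through confusable characters or a couple of small edits, which is the pattern the paragraph above describes. The trusted domains, the confusable table and the sample headers are constructed assumptions.

```python
import re

# Trusted domains and the sample headers used in triage() are constructed for this example.
TRUSTED_DOMAINS = {"example-corp.com", "examplebank.co.uk"}

# Characters commonly substituted for Latin look-alikes (an assumed, partial set).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u043e": "o", "\u0435": "e",  # Cyrillic a, o, e
    "\u0440": "p", "\u0441": "c",                 # Cyrillic r (looks like p), s (looks like c)
})

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.\-\u0400-\u04FF]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain that `domain` imitates, or None.

    Exact matches are legitimate. Otherwise the domain is normalised (digits and
    Cyrillic mapped to Latin, 'rn' -> 'm', 'vv' -> 'w') and flagged when it equals,
    or lies within max_edits of, a trusted domain. Subdomains are not special-cased.
    """
    if domain in trusted:
        return None
    norm = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for t in trusted:
        if norm == t or levenshtein(norm, t) <= max_edits:
            return t
    return None

def triage(from_headers):
    """Label each From: header 'ok' or 'lookalike:<trusted domain>'."""
    results = {}
    for h in from_headers:
        hit = lookalike_of(sender_domain(h))
        results[h] = "ok" if hit is None else f"lookalike:{hit}"
    return results
```

A flagged header is a cue for the out-of-band confirmation discussed later in the article, not proof of fraud on its own.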
With this in mind, it’s prudent that organisations consider their own stance in tackling the threat from increasingly sophisticated cyber attacks. Unlike some cyber threats where protection can be achieved almost exclusively through technology, being better prepared to counter CEO fraud and other sophisticated phishing attacks is much more about human intervention.
Certain groups of employees, for example, are generally targeted more often than others due to the nature of their roles and the access they have to funds or sensitive information.
Members of the executive team should be considered high-value targets, as they generally possess some kind of financial authority. If their email accounts are hacked, cyber criminals will have access to all manner of confidential information. IT personnel are also high-value targets with their authority over access controls. If cyber criminals can hack their credentials, they gain entry to every part of an organisation.
The finance department is especially vulnerable. All too often, sloppy internal policies only demand email authority to initiate a bank transfer. It is therefore essential to ensure internal processes are as robust as possible. Some form of secondary authentication, such as a phone call to the requester, can greatly enhance security. It’s vital not to rely solely on electronic communication where financial transactions are concerned.
With information on every person in an organisation, the HR department represents a real risk. From spyware in a CV to spoof emails purporting to be from HMRC, employees may unwittingly send sensitive information to criminal organisations.
Prevention Is Better Than Cure
As is often the case, prevention is better than cure. One of the most effective ways to defend against cyber attacks is to make sure employees and senior managers are aware of the threat and are vigilant in their daily work. This is especially important for staff who have authorisation or responsibility for transferring money.
Whatever the size or industry of an organisation, employees can be both the first and last line of defence when it comes to security. Employees are frequently exposed to sophisticated social engineering attacks. As such, it’s vital that they understand the mechanisms of cyber attacks and can apply this knowledge in their day-to-day roles.
More than ever, users are the weak link in any network’s security. Employees need to be trained to keep security at the forefront of their minds. KnowBe4 is a security company that delivers training to employees to ensure they make smarter security decisions. The company delivers integrated security awareness training and provides a comprehensive approach to effectively manage this problem. Protecting yourself requires almost no investment in technology, just a heightened awareness of what’s possible.