George Stephens LLC


Do you know what spear-phishing looks like? Being aware of cyber-crime's latest tactics

Copyright 2024 Gavin George

What's the key to resilience in the rapidly evolving landscape of cyber-social engineering?

If you got an email from a Nigerian prince, would you open it?

And, if you did, would you do what the e-mail asked of you?

The “Nigerian prince scam” is potentially the most classic example of an Internet-based social engineering technique (con). The answer is so obviously “NO!” that it almost seems comedic to lead with those questions.

But why is it so obvious?

Social engineering works because humans can and do make mistakes; and that means they can be manipulated into doing things that they wouldn’t have done, had they known they were being tricked. That particular scam claimed billions of dollars from thousands of victims; so the reason why you answered “no” can’t be due to its poor or unsophisticated design.

It’s because you are aware that it is a scam.

Do you really know better?

If a Nigerian prince emails you asking for banking information (and it doesn’t automatically get filtered out as spam), you know not to send it. It’s 2024, we know better. Right?

On the other hand, if your payroll department emailed you about an issue with your direct deposit or taxes, would you help them? You know them, it’s not like it came from a stranger. Right?

Or if someone on that email thread you and your co-workers have been using asks for help finding some information, would you help them? It’s an ongoing, relevant conversation, it’s not like it’s a cold email. Right?

Likewise, if a representative of one of your accounts payable vendors ran into an issue and asked you about your payment method over the phone in a cheerful tone, even calling you by name, would you help them? You know you have an account with them, and they sound so nice. Of course they can be trusted. Can they?

The public’s awareness of the Nigerian prince scam has made it conventional wisdom that you avoid revealing sensitive information in replies to cold emails from suspicious accounts.

But going along with that conventional wisdom in the case of the payroll department, that email thread and that accounts payable call could have led to the theft of your bank account, credit card and Social Security number, alongside whatever information you were willing to share with your “co-worker.”

As it turns out, cybercriminals also have calendars, and they are very aware that it is 2024. Cold emails, emails from suspicious sources, and unprofessional-sounding phone calls don’t work like they used to. Now they use spear phishing, thread hijacking, and AI-assisted vishing.

Harvard Business Review reported last year that over 80% of cyber-attacks were caused by human error. In many cases, this is the result of new techniques like these.

Spear phishing involves the use of an email address that looks like it’s from a trusted source (such as payroll), and this technique is very effective. The best way to counter it is to make personnel aware that the payroll department will not request that information using that medium.

Thread hijacking can be very complex, often involving the takeover of an email account and the use of its pre-existing conversations to spread malware and to spear phish. This can be countered by making personnel aware that they need to look out for signs that another person is using their account, and of company policy on sharing sensitive information over email.

Vishing, a portmanteau of ‘voice’ and ‘phishing’, is simply phishing over the phone. It used to be somewhat easy to distinguish whether a call was legitimate or not based on what the caller was asking about and what they sounded like. Now, AI can be used to modify outgoing phone calls to make them much more convincing. Once again, awareness of which channels of communication are appropriate for conversations that involve the exchange of sensitive information is key.
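As an added example (not code from the original post), here is a small Python check for the spear-phishing case described above: it flags a From: header whose display name claims a role such as payroll while the address comes from a lookalike of the company domain. The trusted domain, the role words and the homoglyph table are assumptions constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed allowlist for this example: where genuine payroll/HR mail comes from (assumption).
TRUSTED_DOMAINS = {"example.com"}
# Role words a spear-phisher borrows for the display name (constructed, not exhaustive).
ROLE_WORDS = {"payroll", "hr", "finance", "accounting"}
# Character swaps that make a registered lookalike domain read like the real one (constructed).
HOMOGLYPH_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and undo common visual substitutions."""
    norm = domain.strip().lower()
    for fake, real in HOMOGLYPH_SWAPS:
        norm = norm.replace(fake, real)
    return norm


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance using one-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> list:
    """Return findings for a From: header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return []  # genuinely internal sender
    findings = []
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        # Threshold of 2 catches a typo-squat or transposition; tune it for your domain length.
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            findings.append(f"domain {domain!r} is a lookalike of trusted {trusted!r}")
    name_words = set(re.findall(r"[a-z]+", name.lower()))
    if name_words & ROLE_WORDS:
        findings.append(f"display name {name!r} claims an internal role but domain {domain!r} is not trusted")
    return findings
```

A mail gateway or a user-facing banner can act on the findings list; an empty list for an unrelated external sender is expected, since only the combination of a role claim and an untrusted or lookalike domain is flagged.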

The takeaway: Cybersecurity problems have solutions, and we can help you find them

The chance that someone in your business network will fall victim to a social engineering technique can be reduced to meet your risk tolerance when everyone knows what to look out for. Awareness is crucial in maintaining a healthy cybersecurity posture.

That said, human error is inevitable. What is most important of all is understanding how you can mitigate the consequences of honest mistakes.

If you want to learn more about how awareness training and security best practices can improve the cyber resilience of your business or workplace, let us know how we can help.

If you would like a complimentary cybersecurity solutions assessment for your business or workplace, reach out now and schedule yours today!