Employees continue to be the weakest link in your cybersecurity defenses. Verizon reports that last year, more than 90% of data breaches began with one user click. Estimates place annual U.S. phish-scam losses at more than half a billion dollars. So, not surprisingly, the phishy social-engineering ploy remains one of thieves’ favored ways of tricking people out of information.
Knowing what to look for, and then imparting that knowledge through regular training, is an effective way to reduce employee-driven risk. Here are the four fastest growing phishing schemes predicted for this year, and steps you can take to prepare.
1) Attacks on SaaS Credentials. In 2018, software-as-a-service applications such as email, online storage, and productivity suites surpassed financial institutions as the top phishing target. Crooks gain access by falsely telling users they have a suspicious account login or expired password, then providing a link to a spoofed (phony) page to steal their information. A single compromised SaaS account can expose a treasure trove of files, email and other highly sensitive information. Security pros advise that enabling multifactor authentication for all users is the absolute minimum precaution against SaaS credential compromise (TeamLogic IT can also recommend others).
2) Attacks through Messaging Apps. Slack, Skype, Teams, Facebook Messenger and similar collaboration apps don’t use email, and thus lack that channel’s built-in security features, such as link scanning and malware detection. The absence of these protections openly exposes messaging apps to email-phishing favorites like malicious links and user impersonation. People tend to be overly trusting when using these popular and widely used tools, which is exactly why they should be covered in your firm’s security awareness programs.
3) Interactive Business Email Compromise (BEC) Attacks. These social engineering attacks are on the rise and will remain a top threat through 2019 and beyond. They don’t begin with a phony link, attachment or malicious content, just a convincing, personal appeal from a hacker posing as a colleague or superior. The victim is highly targeted, usually based on position, authority or access, and initial contact is often an innocuous hook (“Hey, are you at your desk?”). Only after a few messages will the attacker request something from the victim. Perhaps the most familiar example of BEC fraud is the cybercrook posing as an executive and urgently ordering an underling to wire funds to some overseas account. Sadly, the hoax does work.
In recent years, U.S. businesses have lost more than $12.5 billion to BEC scams, according to the FBI. One effective measure against this attack is instating a policy of ‘channel switching’ for requests of a certain type or dollar amount. For example, if a request is made over email, the response is sent via messaging app. If it comes by phone or voicemail (a tactic known as ‘vishing’), the follow-up continues by email or text. A simple inquiry (“did you just ask me to XYZ?”) can effectively thwart this treacherous ploy.
Small companies continue to be threat actors’ favorite target. Being prepared for social engineering can help your business avoid downtime, financial loss and brand/reputational damage. For expert guidance with security awareness training or any cybersecurity concern, give us a call today.
Mohammad (Mo) Nilforoushan is a trusted Technology Advisor in North Dallas who completed his BSEE at Cleveland State University and an MS in Solid State Physics at Bowling Green State University. He worked as a Product and Test Engineering Manager for 15 years with RCA/Harris, Dallas Semiconductor and Texas Instruments. He was also Director of Operations at Microtune Inc. from 2002 to 2015. Mo started his own company, “TeamLogicIT Plano”, in 2015 with a mission to deliver excellent Managed IT Services in Dallas and Plano, TX with innovation and updated technology. The TeamLogicIT Plano team, which includes his wife Kathleen Stewart (marketing/sales), provides excellent IT Support, Computer Services, Cloud Computing, Backup, and Disaster Recovery, with second-to-none customer service. Call us at (469) 573-3743 or contact our email [email protected].