Running Headfirst Into a Breach

The pandemic changed the fortunes of many organisations. Perhaps none so much as Zoom, which has found itself becoming a noun synonymous with any form of video call.

However, its meteoric rise has not been without some hiccups along the way. Many people have failed to secure their meetings, leading to many cases of ‘zoombombing’, in which unauthorised people join video calls with the intention of sharing lewd, obscene or otherwise distasteful content.

There was also the case of investors wanting to jump on the Zoom bandwagon who inadvertently purchased stock of Zoom Technologies, a small Chinese company which had nothing to do with Zoom, the video chat platform.

Errors and mistakes aside, criminals have also been quick to notice the trend and to capitalise on it by registering thousands of fake domains designed to impersonate Zoom and other video conference brands. They have also been using them to send out phishing links.

With the majority of office employees working remotely, receiving Zoom invites or even seeing reminders in their calendar for upcoming Zoom meetings has become a daily occurrence.

It is not just phishing via email that has taken off. People working from home usually have several communication channels they use to interact with colleagues, customers, partners and friends. These encompass everything from messaging apps to social media and everything in between.

Pulling on Emotions

Criminals are very good at crafting messages in a way that pulls on people’s emotions. This can be fear, greed, curiosity, urgency, helpfulness or any other emotion. One of the biggest reasons this works is explained by Daniel Kahneman, who states in his book “Thinking, Fast and Slow” that the human brain undertakes essentially two types of thinking.

System one is referred to as fast thinking and largely works automatically and effortlessly via shortcuts, impulses and intuition. It is fast, but also error prone. System two is also known as slow thinking. It takes time to analyse, reason, solve complex problems and requires people to exercise self-control. It is slow, but reliable.

A good criminal pulls on emotions because it is a surefire way to get people into system one thinking, where they will carry out an action before thinking about it.

Think about it. When was the last time you received a scam or phishing attack and the sender was polite and ended with, “please respond whenever is convenient, there’s no rush”?

It’s why an inflammatory Tweet or Facebook post receives so much attention and so many responses, even though we often know we should just ignore it. It just presses our emotional buttons and we need to say something.

So, it becomes difficult to rein people in. Even the most security-conscious people can be fooled by a WhatsApp message which pops up saying, “Why aren’t you in the meeting? We’re all waiting for you. Click here to join.”

Not a Theoretical Risk

The security industry has been guilty in the past of over-hyping issues. But social engineering threats are very real. If we look at the growth of ransomware over the years, it has become a huge criminal cash cow.

Most ransomware these days is delivered via phishing across multiple channels, hitting organisations across all industry verticals and of all sizes. Nearly a year ago, Travelex was hit by ransomware which resulted in the business being down for several weeks before they recovered. Unfortunately, its woes didn’t end there. With the pandemic hitting and many countries going into lockdown, the organisation didn’t get a chance to recover and went into administration later in the year.

Down under in Australia, the CEO of a hedge fund was tricked into clicking on a phishing email disguised as a Zoom invite. The click gave criminals access to the CEO’s email, which allowed them to send emails posing as the CEO authorising payments amounting to nearly $8m. And while the hedge fund was able to recover most of the money, the reputational damage was so severe that its main fund pulled out, forcing the hedge fund to shut down.

The fact of the matter is that social engineering attacks are only increasing and are becoming the main thrust of cybercrime, with a far greater impact on victim organisations.

Ways You Can Stay Safe

Staying safe against these attacks is increasingly difficult, not just because of the increased sophistication of attacks, but also because of the sheer volume of attack avenues available to criminals, ranging from email inboxes and social media accounts to chat apps, SMS and phone calls.

1. Security Awareness Training

Security awareness training should be provided to all users, from the most junior all the way to the most senior executives. The variety and impact of these attacks should be explained, and mechanisms provided so that users can quickly and easily report any suspicious activity for the security team to investigate.

2. Gain Visibility

Security teams need to be able to obtain visibility into all of their organisation’s communication channels. For most organisations, too many channels are kept in the dark, so often by the time a breach is detected, it is too late.

3. Real-Time Threat Detection

All critical accounts, including marketing and executives, need to be monitored continuously for suspicious activity and messaging. In addition to scanning all files, attachments and links for malware, non-technical social engineering threats should also be sought out.

4. Incident Response

A layered response approach needs to be put in place so that any threats detected can be removed immediately.
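
As an illustration of the link and messaging checks described under Real-Time Threat Detection, the following added example (not part of the original article) triages a chat or email message for hosts that imitate Zoom and for urgency wording combined with a link. The trusted-domain list, the cue list, the character-swap table and the sample messages are all assumptions constructed for this sketch.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames the organisation treats as genuine Zoom; adjust locally.
TRUSTED_SUFFIXES = ("zoom.us", "zoom.com")
BRAND = "zoom"
# Constructed urgency cues, modelled on the article's WhatsApp example.
URGENCY_CUES = ("waiting for you", "why aren't you", "immediately", "urgent")
# Common character swaps seen in lookalike names (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_trusted(host):
    """True for a trusted domain or one of its subdomains, nothing else."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def impersonates_brand(host):
    """True when the host spells the brand (after undoing swaps) but is not trusted."""
    if is_trusted(host):
        return False
    return BRAND in host.translate(HOMOGLYPHS).replace("-", "")

def triage(message):
    """Return the reasons a message deserves a second look (empty list if none)."""
    reasons = []
    for url in URL_RE.findall(message):
        host = (urlsplit(url).hostname or "").lower()
        if impersonates_brand(host):
            reasons.append(f"lookalike-host:{host}")
    text = message.lower().replace("\u2019", "'")  # normalise curly apostrophes
    if any(cue in text for cue in URGENCY_CUES) and URL_RE.search(message):
        reasons.append("urgency+link")
    return reasons

# Constructed sample messages; .example is a reserved test domain.
SAMPLES = [
    "Why aren't you in the meeting? We're all waiting for you. "
    "Click here to join: https://z00m-meeting.example/j/123",
    "Weekly sync at 10:00, link: https://example.zoom.us/j/456",
    "Join here: https://zoom.us.login.example/j/789",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg) or "no findings", "<-", msg[:50])
```

A finding here is a prompt for human review, not a verdict: the reasons list is meant to feed the reporting and response steps above.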

** Optrics Inc. is an Authorized KnowBe4 partner




The original article can be found here:

https://blog.knowbe4.com/running-headfirst-into-a-breach

About the Author: Shannon Lewis
