New hacking techniques and a relaxed attitude towards cyber security have helped to drive a huge spike in social engineering attacks. This comes from research by leading cybersecurity firm Proofpoint, highlighting that businesses should be optimising their phishing prevention measures.
The researchers said that attempts to dupe users into providing personal details went up by over 500% during 2018’s second quarter, compared to the first three months of the year.
A reminder of the continued importance of phishing prevention
The second quarter threat report stated: “Social engineering is increasingly the most popular way to launch email attacks. Criminals continue to find new ways to exploit the human factor”.
The use of cryptocurrency, fake antivirus and browser plugins all fuelled the rise in attempts to fool users through email, the report said. One especially worrying type of scam is CEO fraud, otherwise known as business email compromise. It involves fraudsters spoofing a senior executive or CEO’s company email account to impersonate them. This enables them to more easily deceive financial departments into executing payments.
This type of fraud may entail a CFO at a cybersecurity start-up receiving an urgent email from their CEO, while the latter happens to be on a business trip. The CEO may order the CFO to transfer a large amount of funds that morning or afternoon, providing a supposed justification – such as a need to lock in a discount price with a supplier – and bank details.
Such scams succeed so often because the fraudsters adopt the identity of an authority figure. According to the Federal Bureau of Investigation (FBI), scammers stole around $3.1 billion from over 22,000 victims through this type of fraud between January 2015 and June 2016 alone, a 1,300% increase in losses.
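The CEO fraud pattern described above (a spoofed or lookalike executive address, a mismatched Reply-To, and urgent payment language) can be turned into a simple triage check on incoming mail. The following is an added example written for this page, not code from Proofpoint or from the page's vendor; the organisation domain, executive list, keyword lists and the two sample messages are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation domain and the executives a fraudster might impersonate.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Constructed keyword lists: urgency cues and payment cues typical of BEC requests.
URGENCY_WORDS = ("urgent", "today", "this morning", "this afternoon", "asap", "immediately")
PAYMENT_WORDS = ("transfer", "wire", "payment", "bank details", "iban", "invoice", "discount")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (e.g. one swapped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message; higher means more BEC-like."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    score, reasons = 0, []

    # 1. Display name matches one of our executives, but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        score += 3
        reasons.append(f"display name '{display}' but sender is {addr}")

    # 2. Sender domain is a near miss of the organisation's own domain.
    if domain and domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        score += 3
        reasons.append(f"lookalike domain {domain}")

    # 3. Reply-To steers answers somewhere other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        score += 2
        reasons.append(f"reply-to {reply_to} differs from sender")

    # 4. Subject and text/plain body combine urgency with a payment request.
    parts = [p.get_payload(decode=True) for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    body = " ".join(p.decode("utf-8", "replace") for p in parts if p)
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        score += 2
        reasons.append("urgent payment language")

    return score, reasons


def is_suspicious(raw, threshold=5):
    """Flag a message for manual verification (e.g. a phone call to the executive)."""
    return score_message(raw)[0] >= threshold


# Constructed sample: the scenario from the article, sent from a lookalike domain.
FRAUD = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@webmail.example
To: cfo@example-corp.com
Subject: Urgent transfer before noon

I'm travelling and need you to wire the supplier today to lock in the discount.
Bank details below.
"""

# Constructed sample: a routine internal message from the real executive address.
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck

Attached are my notes for Thursday's board meeting.
"""

if __name__ == "__main__":
    for name, raw in (("FRAUD", FRAUD), ("LEGIT", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} suspicious={is_suspicious(raw)} reasons={reasons}")
```

The heuristics are deliberately cheap so they can run at the gateway or in a mailbox rule; a hit should route the message to out-of-band verification of the payment request rather than block it outright, since a real executive travelling abroad will sometimes trip the urgency rule.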
Proofpoint advised agencies and companies to assume that users will click on malware and to implement backup security systems to prevent hacking attempts from succeeding.
What can firms and departments do in response to such risks?
Training is crucial in ensuring your organisation doesn’t become vulnerable to attack. By educating staff members on common fraud attempts and how to spot them, you mitigate risk.
Other options available are to run penetration tests; companies like The Anti-Social Engineer exist to run social-engineering experiments on your company. They can identify weaknesses before real hackers can exploit them.
Some US government departments have already adopted measures like the above. For example, the Department of Homeland Security’s top IT official, John Zangardi, said it had received over 30 million emails between December 2017 and May this year.
He revealed during the Billington Cybersecurity summit that about 21% of those emails were malicious. Ten employees clicked on the link, but the department’s network escaped infection. He added that the workers “got a little extra training” in response to the threat.
An effective way of verifying that the person behind a request is who they claim to be is to use biometrics and digital identity. Our phishing prevention technology uses facial recognition and document validation to prove someone is whom they claim to be. To discover how our cost-effective solution can be easily deployed, take a look at our phishing prevention brochure.