A recent report reveals a massive 667% increase in spear-phishing attacks due to the current pandemic, with over 9000 phishing attack campaigns related to COVID-19 being detected in March versus just over 1100 in February and only 137 in January. These attacks are taking on all forms, including brand impersonation, business email compromise, scams and even blackmail.
Organisations like yours have asked traditional office-based employees to work from home. The potential for cyber criminals to get your users to react to these types of spear-phishing attacks is high due to the coronavirus theme being exploited and all organisations need to ensure their users remain vigilant.
Is your newly formed remote workforce armed with the knowledge to keep themselves and your network safe? Watch our webinar below and learn:
About the tactics the bad guys are using now to exploit COVID-19
Why remote workers are an easy target for cyber criminals
How to enable your last line of defence with tools and training
Why security awareness training is critical within your security strategy
Now more than ever Security Awareness Training is vital for your remote employees and your network.
As cybercrime continues to surge, security leaders must understand that there is no such thing as a perfect, fool-proof, impenetrable secure environment. Many organisations fall into the trap of trying to use technology as the only means of defending their networks, forgetting that human awareness and intervention are paramount in arriving at a highly secured state.
Every security leader faces the same conundrum: even as they increase their investment in sophisticated security orchestration, cybercrime continues to rise. Security is often presented as a race between effective technologies and clever attack methodologies. Yet there’s an overlooked layer that can radically reduce an organisation’s vulnerability: security awareness training and frequent simulated social engineering testing.
Verizon’s 2019 Data Breach Investigations Report shows that phishing remains the number one threat action used in successful breaches linked to social engineering and malware attacks.
These criminals successfully evade an organisation’s security controls by using clever phishing and social engineering tactics that often rely on employee naivety. Emails, phone calls and other outreach methods are designed to persuade staff to take steps that provide criminals with access to company data and funds.
Each organisation’s employee susceptibility to these phishing attacks is known as their Phish-Prone™ percentage (PPP). By translating phishing risk into measurable terms, leaders can quantify their breach likelihood and adopt training that reduces their human attack surface.
Do you know how your organisation compares to your peers of similar size? Download the KnowBe4 benchmarking report to find out!
You will learn more about:
New phishing benchmark data for 19 industries
Understanding who’s at risk and what you can do about it
Actionable tips to create your “human firewall”
The value of new-school security awareness training
Many organisations like yours have asked traditional office-based employees to work from home and while technology allows that to happen, is your newly formed remote workforce armed with the knowledge to keep themselves and your network safe?
The potential for cyber criminals to get access to your users and to elicit a response to these types of spear-phishing attacks is high due to the coronavirus theme being exploited and all organisations need to ensure their users remain vigilant.
Cyber-attacks focus on employees as targets – Phishing attacks remain the single most used attack vector for giving the bad guys direct access to your organisation’s endpoints, credentials, applications and data. If a phishing email reaches one of your employees, your security solutions have not detected it as malicious, leaving the employee as your last line of defence.
Employees aren’t thinking about organisational security – Think about it: your average remote worker is sitting at a makeshift desk, trying to balance helping their kids with distance-learning assignments and attending online meetings. They are learning new digital workplace platforms, applications and processes before they have even showered for the day. Security is the last thing on an employee’s mind.
Attacks and scams are increasingly aligning with remote working – Cybercriminals conjure up scams that seem familiar to users. Shipping, billing and banking stories, as well as impersonated domains, businesses and people, have traditionally worked in the bad guy’s favour. But new scams are being moulded around current working circumstances. For example, we have recently seen massive growth in Zoom-related attacks simply because of Zoom’s increase in popularity for business use. Organisations should expect this trend to continue.
How to ensure business resiliency, user productivity and security
Many circumstances and compliance obligations require organisations to activate or rapidly extend remote access capabilities as part of a business continuity strategy. Beyond impacting user productivity, this emergency workplace shift can stress IT infrastructure and operations. With advance planning, crises that require immediate, increased and varied remote access capacity should not increase threat exposure, cyberattack and data leakage risks.
Here are some important Secure Access Emergency Readiness tips to ensure business continuity, operational efficacy and protected accessibility.
Identify key applications and resources, whether on-premises or cloud, that will require increased capacity and apply to an emergency capacity plan.
Explore application and security tool license and capacity shifting options set in advance with your vendors to handle burst utilisation.
Review and maintain application, data and role mapping to ensure users only access the resources they need, and have processes in place to quickly respond to user or role escalation and ad hoc privileged access and revocation.
Consider virtual and cloud environment deployment and clientless mode to allow for more rapid on-demand deployment and scalability.
Establish Disaster Recovery (DR) sites to provide secure access services in case of a primary site outage or failure, and explore Secure Access solutions’ DR options for active/active or active/passive modes.
Build, publish and review emergency remote work guidelines, resources and communications.
Activate advanced secure access usability features for streamlined access, such as: always-on, per-application and simultaneous tunneling, configuration lock down, clientless operation and online portals.
Ensure emergency means to simulate on-premises access, including Layer-3 access to a specific subnet, HTML5 access to local machines, or Virtual Desktop Infrastructure for privileged users and technicians.
Enforce endpoint compliance policy and activate self-remediation capabilities to reduce phishing and ransomware threats introduced by increased remote users and potential vulnerable devices.
Invoke mobile device security options, such as mobile VPN, device security, segregation of corporate apps and information, and data encryption, to allow for broader corporate and personal device use.
Utilise Adaptive Authentication and User Entity Behaviour Analytics (UEBA) to better understand and react to new user/device usage, as well as unwanted and anomalous activity.
Leverage usage analytics, bandwidth “throttling” and optimised gateway selection capabilities to better distribute workloads and to deliver “essential” applications to users without performance degradation.
In a world where natural and man-made disasters occur, we want to help keep your business running effectively and securely so you can focus on what’s really important – keeping your employees, friends and family safe. If and when these unplanned events and disasters intensify, organisations must adjust for increased stay-at-home, connect-from-home and work-from-home mandates. Beyond impacting user productivity, this emergency workplace shift can stress IT infrastructure and operations.
Download the Pulse Secure Solution Brief
Download the Secure Remote Access Emergency Readiness Solution Brief here to get these important tips to ensure business resiliency, user productivity and continued secure access.
CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorised online transfers or sending out confidential tax information.
Also known as Business Email Compromise (BEC), it is defined as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds.”
The Four Attack Methods
Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:
1. Phishing
Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them are to people who don’t use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.
2. Spear Phishing
This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalisation is included – perhaps the person’s name, or the name of a client.
3. Executive Whaling
Here, the bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalisation and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
4. Social Engineering
Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organisational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Who Are The Main Targets?
The CEO isn’t always the one in a criminal’s crosshairs. There are four other groups of employees considered valuable targets given their roles and access to funds/information:
The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing reconnaissance and formulate a plan. They mirror the usual wire transfer authorisation protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorised to transfer funds.
Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organisation, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data-gathering activities. In addition, W-2 and PII scams have become more commonplace: HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organisations.
Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus, executive accounts must receive particular attention from a security perspective.
The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials are compromised, the attackers gain entry to every part of the organisation.
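The indicators described in this section (an executive’s name on a mailbox that is not theirs, an impersonated domain, a request to move money or release W-2 data) can be checked mechanically before a message ever reaches finance or HR. The following is an added example, not code from the original page or from any vendor named on it: a small Python triage check run over two constructed messages. The organisation domain, the executive roster, the lookalike-character table and the lure keywords are all assumptions, and the Reply-To comparison is an extra indicator beyond those the text lists.

```python
"""Flag common Business Email Compromise (BEC) indicators in inbound mail.

Added example with constructed data. ORG_DOMAIN, EXECUTIVES, the homoglyph
table and LURE_WORDS are hypothetical; tune them to your own environment.
This is a triage heuristic for routing mail to review, not proof of fraud.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                        # assumed organisation domain
EXECUTIVES = {                                    # assumed roster: display name -> real address
    "alice ceo": "alice.ceo@example.com",
    "bob cfo": "bob.cfo@example.com",
}
# Words that recur in finance/HR lures (wire transfers, W-2 requests, urgency)
LURE_WORDS = ("wire transfer", "urgent", "w-2", "confidential")
# Character swaps attackers use to register lookalike domains (assumed table)
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def _normalise_domain(domain):
    """Collapse common homoglyph substitutions so exarnple.com reads as example.com."""
    d = domain.lower().strip()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def _edit_distance(a, b):
    """Plain Levenshtein distance; catches single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, org_domain=ORG_DOMAIN):
    """True when the domain imitates the organisation's domain without being it."""
    d, o = domain.lower(), org_domain.lower()
    if d == o:
        return False
    if _normalise_domain(d) == _normalise_domain(o):
        return True
    return _edit_distance(d, o) <= 1


def bec_indicators(raw_message, executives=EXECUTIVES, org_domain=ORG_DOMAIN):
    """Return the list of BEC indicators found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. A known executive's display name on an address that is not theirs
    expected = executives.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")

    # 2. Sender domain imitates the organisation's domain
    if is_lookalike_domain(from_domain, org_domain):
        findings.append("lookalike domain")

    # 3. Replies silently routed to a different domain than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to mismatch")

    # 4. Lure language aimed at finance or HR (single-part text bodies only)
    body = "" if msg.is_multipart() else str(msg.get_payload())
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in LURE_WORDS):
        findings.append("finance lure language")

    return findings


# Constructed sample messages (not real mail)
SAMPLE_BEC = (
    "From: Alice Ceo <alice.ceo@exarnple.com>\n"
    "Reply-To: ceo.office@mailbox.example\n"
    "Subject: Urgent: wire transfer needed today\n"
    "\n"
    "Please process this wire transfer before noon and keep it confidential.\n"
)
SAMPLE_LEGIT = (
    "From: Bob Cfo <bob.cfo@example.com>\n"
    "Subject: Q2 budget review\n"
    "\n"
    "Attached are the slides for Thursday.\n"
)

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or "no indicators")
```

The checks are deliberately independent so that each finding can feed a separate detection rule or scoring weight; a message that trips the display-name and lookalike checks together is the classic executive impersonation pattern described above, while the lure words alone are a much weaker signal on their own.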
Here Are Eight Prevention Steps
Many steps must dovetail closely together as part of an effective prevention program:
Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access.
Phishing, spear phishing, and CEO Fraud are all examples.
What is a social engineer?
OK, so who are these people? It could be a hacker in the USA who is out to do damage or disrupt. It could be a member of an Eastern European cybercrime mafia that is trying to penetrate your network and steal cash from your online bank account. Or it could be a Chinese hacker trying to get into your organisation’s network for corporate espionage.
Top 10 techniques used by social engineers
Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:
Pretexting – An invented scenario is used to engage a potential victim to try and increase the chance that the victim will bite. It’s a false motive usually involving some real knowledge of the victim (e.g. date of birth, Social Security number, etc.) in an attempt to get even more information.
Diversion theft – A ‘con’ exercised by professional thieves, usually targeted at a transport or courier company. The objective is to trick the company into making the delivery somewhere other than the intended location.
Phishing – The process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity, using bulk email that tries to evade spam filters. Emails claiming to be from popular social websites, banks, auction sites or IT administrators are commonly used to lure the unsuspecting public. It is a form of criminally fraudulent social engineering. Also see Spear Phishing.
Spear phishing – A small, focused, targeted attack via email on a particular person or organisation with the goal of penetrating their defences. The spear phishing attack is carried out after research on the target and has a specific personalised component designed to make the target do something against their own interest.
Water-holing – This technique takes advantage of websites people regularly visit and trust. The attacker will gather information about a targeted group of individuals to find out what those websites are, then test those websites for vulnerabilities. Over time, one or more members of the targeted group will get infected and the attacker can gain access to the secure system.
Baiting – Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download or it can be a USB drive labelled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or malicious file is downloaded, the victim’s computer is infected allowing the criminal to take over the network.
Quid pro quo – Latin for ‘something for something’, in this case it’s a benefit to the victim in exchange for information. A good example is hackers pretending to be IT support. They will call everyone they can find at a company to say they have a quick fix and “you just need to disable your AV”. Anyone that falls for it gets malware like ransomware installed on their machine.
Tailgating – A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorised user to open and pass through a secure entry and then follows right behind.
Honeytrap – A trick that lures men into interacting with a fictitious attractive woman online. It derives from old espionage tactics in which a real woman was used.
Rogue – Also known as rogue scanner, rogue anti-spyware, rogue anti-malware or scareware, rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. In recent years it has become a growing and serious security threat in desktop computing. It is very common, and there are literally dozens of these programs.
You may have heard of Norton antivirus, published by Symantec. The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead.
“You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.”
Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme. This means it does not matter if your workstation is a PC or a Mac. The last line of defence is… you guessed it: YOU!
How can you prevent attacks?
We’ve pulled together some resources to help you defend against social engineering attacks. A good place to start is to ensure you have all levels of defence in depth in place. Keep reading below to find out how you can make yourself a hard target, get additional content for yourself and your users, and stay up to date with social engineering in the news via our blog.
Social engineering attacks, including ransomware, business email compromise (BEC) and phishing, are problems that can never be solved, but rather only managed with a focus on security awareness training.
Run frequent simulated social engineering tests to keep users on their toes, with security top of mind.
Did you know that 77% of successful social engineering attacks started with a phishing email?
Find out what percentage of your employees are Phish-prone™ with your free Phishing Security Test. Plus, give them point-of-failure training using our Social Engineering Indicators feature. Go Phishing Now!
Social engineering tip sheet
The below infographic will show your users what to watch out for in emails. We highly recommend you print it out; it is a great at-a-glance reminder.
Many modern attacks target the endpoint. If those endpoints have admin rights, then the attack is likely to be successful, and potentially devastating. But how do you remove admin rights and implement a least privilege policy without affecting your users? If handled poorly, you are just putting up barriers that make it harder for people to do their jobs and present you with a support headache.
Privilege Manager can automatically enforce your least privilege policy without impacting user productivity by:
removing admin rights
elevating your authorised application privileges automatically
isolating untrusted and unknown applications
Watch our 30-minute webinar and we’ll show you how Thycotic Privilege Manager helps strike the balance between security and productivity.