Over the past few months, threat intelligence teams around the world have been tracking a significant increase in phishing attacks. These attacks coincide with a temporary drop in more traditional attacks, indicating that attackers, like workers, are modifying their efforts in order to accommodate changes due to the pandemic. In fact, our recent Global Threat Landscape Report details this and more.
More people are now working from home, and they are connecting back into the office from their home networks, and quite often, using their personal computers. Attackers are looking to target these users’ devices as a way into the corporate network or cloud. They attempt to lure unsuspecting victims into going to malicious sites, clicking on malicious links, or providing personal information via email or over the phone. They do this by impersonating legitimate organizations, such as the Centers for Disease Control and the World Health Organization, and offering fake informational updates, discounted masks and other supplies, and even promises of accelerated access to vaccines. Similar attacks target healthcare workers, political movements, or even the recently unemployed using the same sort of tactics.
Of course, such tactics are not new. We regularly see spikes in social engineering tactics around major events and catastrophes. Criminals respond to hurricanes and other natural disasters by pretending to be relief organizations, and major sporting events such as the World Cup where they lure victims with promises of discounted tickets or free streaming services.
The reason that social engineering – an attack strategy that uses psychology to target victims – is so prevalent, is because it works. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), nearly one-third of all data breaches involved phishing in one way or another. Cybercriminals are opportunistic, and they constantly prey on the only vulnerability that cannot be patched – humans.
It is a perpetual bombardment, every minute of the day, 24x7x365. And the odds are in the favor of the attacker, because they only need one unsuspecting person to click on a malicious link or attachment to open up the gates into the corporate network. And the truth is, nobody is immune – from entry-level employees, contractors, and interns at one end, on up to the C-Suite at the other. Business partners can also be indirect targets, mining them to obtain information to soften up targets. And for those of us now connecting to the office through our home networks, even our children are potential targets. Even seasoned security professionals get caught off-guard, in part because attack tactics have become more sophisticated.
The goal, of course, is to gain access to our networks and sensitive information, either to steal it, corrupt it, or hold it for ransom. Most often, however, spear phishing is just the tip of the attack, and can easily go unnoticed by a victim who has been compromised.
Of course, cybersecurity awareness has grown – up to 95% of employees now receive phishing training so they can learn to spot suspicious emails. This is important progress, as most breaches start with a phishing email followed by an unsuspecting employee who opens a malicious file or clicks on a bad link. Despite this training push, however, the number of employees that can tell the difference between a legitimate email and a malicious one remains frighteningly low. That’s because cybercriminals are experts at the art of masquerading, manipulating, influencing, and devising lures to trick targets into divulging sensitive data, and/or giving them access to our networks and/or facilities.
There are two challenges at play here: employees are not taking cybersecurity seriously, and cyberattacks are getting even more sophisticated. For example, there are still far too many employees who never change their passwords, and two-thirds who still do not use a password management tool. At the same time, years of training people to identify phishing emails, avoid clicking on suspicious links, and follow best practices with their passwords have not panned out the way InfoSec professionals would have liked.
The thing is, people know they need to use complex passwords, but they still use obvious choices that hackers can easily guess or discover by simply browsing a target’s social media sites, such as their pet’s name, the name or birthday of their child, or the year they graduated from college.
The problem is not awareness – it is rooted in human behavior. Safe password practices – using long passwords with non-sensical characters and numbers, for example – take extra effort to implement. And when it comes right down to it, employees have shown that, for whatever reason, the extra effort is not worth their time and energy.
The first step is to help employees feel like they are part of the security team. Helping them understand the repercussions of a security event, and how it can personally affect them, is a good place to start. Seeing connections such as these – between safe cybersecurity practices and the positive impact they feel they are making when everyone is engaged and responsible – should lead to direct improvements in how people behave when they are confronted with suspicious cyber behavior or questionable email or websites.
Next, give employees the tools they need to succeed. For example, in most organizations there is typically no easy way for employees to manage a multiplicity of complex passwords. If they choose to use a password management program, one which generates and manages complex passwords, it is only because of their own initiative.
And finally, change the process by taking as much of the risk out of their hands as possible. Organizations need to update email security gateways with sandboxing and content disarm and reconstruction (CDR) tools to eliminate malicious attachments and links. They need to use web application firewalls to secure access to websites and identify and disable malicious links or embedded code or deploy cloud-based solutions and endpoint detection and response (EDR) tools so users are protected both on- and off-premise. They also need to add proactive access controls to ensure that connections originating from compromised home networks and personal devices can’t be used as a conduit for an attack.
Regardless of the details, the most important key to improving an organization's risk profile is still getting employees involved, one way or another, in accepting and fulfilling their security responsibilities. With training, the right tools, and effective processes, including support from top-tier company leaders, security teams can help everyone take cybersecurity seriously — and take a serious bite out of cybercrime.