The latest methods cyber-criminals are using

The latest methods cyber-criminals are using to make a fool of you
(Image credit: TheDigitalArtist / Pixabay)

April Fool’s Day saw everyone from large global brands to friends and families play jokes on each other. The month may have started on a lighter note, but the ongoing cybersecurity threat to both businesses and individuals is no laughing matter. While organizations spent time admiring the best pranks, cyber-criminals were upping their game even further to identify and target victims through new and innovative methods.

About the author

David Higgins is EMEA Technical Director at CyberArk.

Traditionally, one of their preferred tactics has been phishing. The social engineering technique has been used successfully for years to coax corporate employees – as well as unsuspecting consumers - into handing over sensitive information such as payment details or passwords. The level of sophistication of these attacks has drastically increased however, in the context of COVID-19.

IT management teams need to be prepared for the huge amount of innovation coming from the cybersecurity industry currently. That includes being mindful of emerging tactics, and how they and employees can they protect against them.

Deepfakes as a growing threat

We know the success of a phishing attack relies on credibility. Cyber criminals rely on people believing they are someone else to gain access to networks, whether it’s via a credible-looking email coming from a supposedly legitimate source, or a fake video message spoofing a trusted colleague. This is why deepfakes are raising concerns – anyone can choose to look like someone else, with apparent authenticity.

In fact, the FBI warned earlier this year that malicious threat actors will ‘almost certainly’ be using deepfakes as a tactic to advance their cyber operations over the next twelve to eighteen months. Deepfake technology has the potential to change the phishing landscape completely because it allows threat actors to move beyond text, and take advantage of the deep level of trust that comes with video or verbal communication.

Deepfake videos have already been used successfully to spread disinformation, mostly political in nature, and it’s only a matter of time before this technique is used to achieve other goals. The highly-competitive nature of business means that there’s also a strong possibility that we’ll see a rise in disinformation campaigns intended to discredit rivals, such as that by telecoms group Viettel.

It’s time for IT teams to understand the threat this technology poses to their business and put measures in place to educate about deepfake attacks, as it’s likely they will be targeted using these tactics in the near future.

VoIP ingenuity proving successful

Vishing is yet another example of the ingenuity of cyber criminals and the constant evolution of their tactics, techniques and procedures.

Defined as unsolicited phone calls or voice messages fraudulently made by someone purporting to be a trusted service or colleague, vishing is becoming increasingly common as attackers use voice over internet protocol (VoIP) technology to make these calls over the internet, rather than having to use an original phone line. The volume of such attacks has drastically increased during the pandemic too, with the UK’s National Cyber Security Centre (NCSC) warning of attacks of this kind in its recent advisory report on working from home safety.

We know vishing attacks are already proving successful too, with hackers famously using the tactic last year to target, and successfully control, the Twitter accounts of CEOs, business, celebrities and politicians, including Joe Biden, Jeff Bezos, Apple and Uber.

Voice adaptation technology to fool victims

We already know false representations aren’t limited to just the video format. Yet, above and beyond vishing, many hackers are experimenting with voice adaptation software which allows them to mimic the voices of contacts known to victims when conducting audio-based phishing attacks, such as via phone calls or even via audio files.

This software is opening up the number of attack vectors available to malicious actors and IT teams need to be wary of these new avenues. Social engineering techniques are constantly being developed to lure unsuspecting employees into handing over money, information and credentials, which is hugely worrying considering tools such as voice adaptation technology are becoming accessible to anyone and everyone.

BEC and phishing attacks are still causing havoc

35% of businesses globally experienced spear phishing in 2020, and 65% faced BEC (business email compromise) attacks. These techniques may have been around for a long time, but they’re still the most powerful tool in a cyber criminal’s arsenal and people continue to fall for them.

BEC attacks are among the most damaging online crimes, and the NCSC found they were the main cause of cyber insurance claims in 2019, which isn’t surprising considering how often they successfully target organizations of all sizes. But, why are people still falling for them? The answer is that hackers rely heavily on technology innovation and stolen credentials to make their attacks far more sophisticated that we’re used to seeing. The introduction of greater variety – and novelty – to these attack routes increases their chances of success substantially.

Protecting your business with an ‘assume breach’ mentality

Cybercriminals have the upper hand, with businesses still falling foul to social engineering techniques. It’s time for organizations to take charge of their cyber security strategies and adopt an ‘assume breach’ mentality.

The best way to start a strong, multi-layered approach to cyber defense is by being proactive, not just reactive, in the protection of the sensitive credentials that attackers seek the most. Above all, organizations should prioritize three measures to reduce a cybercriminals’ change of phishing success: AI-based detection tools to identify vishing and deepfake attacks, privileged access management policies to restrict access to sensitive areas of the network, and employee education to ensure they remain vigilant to all possible threats.

David Higgins
EMEA Technical Director

David Higgins, Senior Director, Field Technology Office at CyberArk.