This link to your blog post 404's
Hardly a day goes by without a news alert about the
latest HUGE data breach. It’s so commonplace today that it rarely rates showing
at the top of the news. In a newspaper, the announcement of the latest breach
may be on the third page. We’ve become numb to them. And that’s a big problem.
For sure, much of our personal information is out there,
including PII, phone numbers, home and work address locations, and a ton of
very specific information related to us. A CISO recently told me he was not only
surprised that voice-based phishing calls were over half of his total phishing
volume reported to his SOC but that he could not readily understand how the
phishing calls understood which of his co-workers were at home (and called
their cell phone numbers) and which were back at work (and called the
facility’s main phone number and knew which internal extension to ask for). It
was as if the attackers had an up-to-date call list of his employees, even
though there wasn’t one to his knowledge.
I’ve had other IT employees remark that they were amazed
how the spear phishing scammers knew exactly who to target in accounting or
payroll to send their latest business email compromise (BEC) scam. The victims
and their roles within their organization were not particularly well-known
outside the company, and yet they were still successfully targeted by the exact
type of message that made the request seem more legitimate.
I’ve had friends who showed me SMS-based phishing
messages that contained their names and other personal information, showing the
person trying to scam them certainly had relevant personal information. We all
know that attackers are not only stealing and abusing other hackers' piles of
stolen information but that we ourselves, being the social creatures that we are, reveal
all sorts of useful information about ourselves and our work positions, which
hackers gladly use to their advantage.
Every data breach stealing someone’s personal information
becomes a new potential repository for information that can be used in a targeted
phishing attack. Every hospital data breach becomes a new opportunity for
hackers to target previous patients. Every website breach becomes another trove
of stolen data that can be used by scammers to better target more potential
victims. Most business-focused phishing scams lead to a loss of value by the
targeted business, many times via business email compromises and ransomware (https://blog.knowbe4.com/new-report-reveals-that-ransomware-and-business-email-compromise-attacks-ca...).
Sometimes it can be personally embarrassing. For example,
the 2015 Ashley Madison website breach led to many former members of the private
service being extorted (https://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/).
Any information you share can be used against you, many times, by many
Our information has been out there for a long time. But
there is growing evidence that malicious hackers are finally using that
information to commit more cybersecurity crimes. Here are two of the recent
cybersecurity industry is seeing a drastic increase in phishing and social
engineering attacks in general, we are also seeing a big increase in very
targeted spear phishing, and these information thefts will certainly
increase not only the volume of targeted spear phishing attacks but also their
success rate.
That is why it
is crucial that every organization create a personal and organizational culture
of healthy skepticism, where everyone is taught how to recognize the signs of a
social engineering attack no matter how it arrives (be it email, web, social
media, SMS message, or phone call), and no matter who it appears to be sent by.
Being suspicious of only emails coming from people we don’t recognize or only
from strange, unknown email addresses is not enough.
Scammers are often compromising our trusted business partners' and friends' email and social media accounts, then looking for past communication threads that can be reused in a new, highly targeted spear phishing attack. You must teach everyone around you how to spot the signs of a scam message, as summarized by the figure below:
messages have three traits in common. First, they arrive unexpectedly; the user
wasn't expecting the message to arrive. Second, the sender is asking the user to do
something new and unexpected for the first time from that sender. For example,
click on a URL link, download a document, log in to a website, get gift cards,
send private, confidential information, etc. Third, and this is definitely a
scammy sign, the sender says or writes something that is supposed to stress the
user to do that requested action right away. Examples include threats that the
user's account will be suspended if they don't take action, that the user will
be causing their organization to lose business or to lose a significant
discount, or otherwise, something negative will happen if the user does not
take action now.
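The three-trait rule above, written out as a small triage heuristic so the traits can be checked one by one. This is an added illustration, not code from the original post; the sender lists, thread names, request patterns and sample messages are all constructed, and the strict "all three traits" verdict follows the rule as the post states it.

```python
import re

# Request types the post lists as "new and unexpected" asks (constructed patterns)
REQUEST_PATTERNS = {
    "click_link": re.compile(r"https?://\S+|click (?:here|the link)", re.I),
    "open_attachment": re.compile(r"\b(?:open|download|review) the attach", re.I),
    "login": re.compile(r"\b(?:log ?in|sign in|verify your (?:account|password))\b", re.I),
    "gift_cards": re.compile(r"\bgift ?cards?\b", re.I),
    "confidential_data": re.compile(r"\b(?:w-?2s?|payroll|bank details|wire transfer)\b", re.I),
}
# Stressors meant to push the recipient into acting right now
URGENCY = re.compile(
    r"\b(?:immediately|right away|today|within \d+ hours?|urgent(?:ly)?|suspended|"
    r"lose (?:the )?(?:discount|deal|contract|access))\b", re.I)

def classify(msg, ctx):
    """Map one message onto the three traits. msg has 'sender', 'thread', 'body';
    ctx has 'expected_senders', 'active_threads' and 'history' {sender: set(request types)}."""
    requests = {name for name, pat in REQUEST_PATTERNS.items() if pat.search(msg["body"])}
    # Trait 1: unexpected sender, or a thread the recipient is not actually in
    unexpected = msg["sender"] not in ctx["expected_senders"] or msg["thread"] not in ctx["active_threads"]
    # Trait 2: a kind of ask this particular sender has never made before
    new_request = bool(requests - ctx["history"].get(msg["sender"], set()))
    # Trait 3: pressure to act right away
    urgency = URGENCY.search(msg["body"]) is not None
    return {
        "requests": sorted(requests),
        "unexpected": unexpected,
        "new_request": new_request,
        "urgency": urgency,
        # The post's rule: all three together -> suspicious until proven legitimate
        "suspicious": unexpected and new_request and urgency,
    }

# Constructed mailbox context and sample messages
CTX = {
    "expected_senders": {"cfo@example.com", "vendor@partner.example"},
    "active_threads": {"Q3 invoice 1042"},
    "history": {"vendor@partner.example": {"open_attachment"}},
}
SAMPLES = {
    # Routine: known vendor, live thread, the same kind of ask as always, no pressure
    "routine": {"sender": "vendor@partner.example", "thread": "Q3 invoice 1042",
                "body": "Please review the attached invoice when you get a chance."},
    # BEC-style: look-alike exec address, new thread, first-ever gift card ask, urgent
    "bec": {"sender": "ceo@examp1e.com", "thread": "Quick favor",
            "body": "I need you to buy gift cards for clients right away, I'm in a meeting."},
    # Compromised partner account replying inside a real thread: not unexpected, but a new ask
    "compromised": {"sender": "vendor@partner.example", "thread": "Q3 invoice 1042",
                    "body": "Our bank details changed, please update the wire transfer today."},
}
```

The third sample shows why the output reports each trait and not only the verdict: a hijacked partner account reusing a real thread fails the "unexpected" test, so the new request and the urgency are the signs a trained user has to catch.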
Any message, no
matter how it arrives, if it includes these three traits, should be considered
suspicious until otherwise proven legitimate, especially if performing the
requested action could hurt the person’s or their organization’s interests, if
Users should be
trained on how to recognize the signs of a potential social engineering scam,
and how to verify its legitimacy one way or another (e.g., call the requestor
directly on a known good phone number or go to the website directly at a known
good, legitimate, URL, etc.), and how to treat if it is determined to be a
At home, you'd
probably delete it and maybe tell the rest of the family and your friends, so
they don't become victims. At work, the scam should be reported to the Help
Desk, IT, IT Security, or whatever is the appropriate way to report social
engineering scams. You want to train people...give them awareness about the
common traits of most scam messages, examples of different types of scams, and
what to do when they suspect one.
well...and most organizations ARE NOT focusing enough on security awareness
training, it can prevent social engineering scams whether they are the regular,
run-of-the-mill, misspelled variety, or a sophisticated, thoughtful, scam
coming from a sender whom the receiver might otherwise trust a whole lot. We
have to communicate to everyone that they need to have a culture of healthy
skepticism. The Internet, email, SMS messages, and phone calls cannot be
trusted by default anymore. It's a different world, and the growing trove of stolen
personal data is just making it even less trustworthy.
Be appropriately skeptical.