2021 has been a year full of everything from Kim and Kanye getting divorced, to a plethora of new social engineering attacks. Unlike the former, the latter issue may never really be over. What attacks did this year bring? More importantly, how can we protect ourselves, our companies, and our loved ones from these attacks? With this in mind, let’s dive in with a look at the highlights.
Robinhood Data Breach
Robinhood is a commission-free investing app. In November 2021, an attack was launched against it that began with a vishing call. The attacker called the customer service line and had the call escalated. Eventually, the attacker was able to access some of the trading platform’s customer support systems. This attack resulted in email addresses of around five million people being exposed. The full names of a separate group of two million people were also accessed. Additionally, about 310 people had additional personal information breached, such as dates of birth and zip codes.
$35 Million Deepfake
Deepfakes have been an increasing topic of discussion over the last few years. WhatIs.com defines deepfakes as “a type of artificial intelligence used to create convincing images, audio and video hoaxes.”
As an illustration of deepfake danger, consider this recent bank heist. Using AI-enhanced voice simulation, attackers stole $35 million from a United Arab Emirates bank. The manipulated audio was used to influence a bank employee into thinking he was transferring money as part of a legitimate business transaction. The attacker claimed to be the director of a large company who had previously spoken with a manager of the target company. The attacker combined the deepfake audio with phishing emails that appeared to be from the company and its lawyer. Combined, these techniques convinced the manager that the firm was in the process of a large business deal worth $35 million. Due to this, the manager initiated the money transfer.
A review of 2021 wouldn’t be complete without discussing COVID-19-related attacks. The Washington Post reported that pandemic-related phishing attempts in June increased by 33 percent. Significantly, it pointed out that this spike occurred in tandem with a surge of Google searches for “delta variant”. We’ve seen these attacks cover everything from test results to unemployment claim scams. The production of a vaccine brought a new wave of attacks involving this exact factor.
As reported by The Washington Post, 2021 has seen phishing campaigns posing as corporate human resources departments and requesting individuals to submit information about their vaccination status. These emails sometimes contain links to fake login pages with the goal of obtaining the employees’ credentials. Others request proof of vaccination. Vaccination cards contain information that attackers may find useful, such as your date of birth. As this pandemic continues to evolve, we can be sure the attacks will evolve with it.
How to Protect Yourself
While attackers and their tactics continue to evolve, the basics of keeping ourselves protected remain the same. For the sake of brevity, we will confine our tips for this month to the kinds of attacks we have discussed in this article.
Use a Password Manager
One key to maintaining the security of your accounts is to never reuse passwords. In view of this, we strongly encourage the use of a password manager. This will help you keep your passwords organized, varied, and strong. Want to learn more? Start here.
Enable Two-Factor Authentication
Implementing two-factor authentication is a simple, but effective way to protect your accounts from malicious actors. If you aren’t sure where to start, we’ve included a link here to help you.
How to Spot a Deepfake
Low quality deepfakes are quite easy to identify. In particular, keep an eye out for bad lip synching, unnatural eye movements or blinking, and flickering around the edges of the transposed image. If unsure, look at the finer details such as hair and jewelry to see if you can spot it. However, deepfake technology is evolving so, by all means, stay vigilant.
When in Doubt, Verify
If you are unsure if the video you’re watching is a deepfake, a link in an email is real, or if a call you received is legitimate, verify, verify, verify. For instance, you can identify potential phishing emails, by hovering over the link to see where it leads. In addition, be sure to check the sender and look for any wording that encourages you to take an action quickly. For a more in-depth discussion on protecting yourself from phishing emails, read our article here. If you are trying to verify a call you received, take a moment to see if the information the caller is requesting makes sense. For example, a bank should never ask you for your routing number. Ask the caller questions until you are satisfied the call is legitimate. For more tips on identifying vishing, read our tips here.
Education is Key
As always, education is the key to protecting yourself, your loved ones, and your company against potential social engineering attacks. In view of this, the best way to ensure lasting behavioral change is to teach employees how to recognize and respond to vishing threats. After all, it only takes one attack to potentially devastate an entire company.Please contact our team today for a quote.