2024 State of Vishing Report
In 2019, 50% of all global organizations fell victim to ransomware, compromised accounts, or spoofed credentials, many due to falling for a phishing attack. In the same year, Australians reported $61.6 million lost due to investment scams. As alarming as these statistics are, we expect cybersecurity threats for 2020 to increase. Indeed, with the start of this new year, cybersecurity experts have been coming together to predict the targeted attack vectors and how to protect against them. Some of the most highly discussed topics include an increase in deepfakes, ransomware, and the standardization of MFA (multi-factor authentication).
As technology advances, we’re hearing the term ‘deepfake’ more frequently. This word encompasses everything from 1920’s filmmakers animating earthquakes, to the modern day politicians “saying” controversial things. At the core, today’s deepfakes use AI-based technology to create fake videos and audio that look and sound real.
Deepfakes are not all bad. In fact, there is a whole online community that use deepfakes as an art form. Even snapchat has a filter that lets us combine a celebrity’s face with our own. This can make deepfakes appear fun and harmless, and they can be! However, not all of them are. For example, many of us remember the altered video of Nancy Pelosi. This video was slowed down to make her appear to be intoxicated. Unfortunately, the altered video was widely circulated, and damage was done to Pelosi’s reputation before the truth became known.
The ease and accessibility of deepfakes has opened a new realm of potential social engineering attacks that corporate cybersecurity systems may not be ready for. Cybercriminals can utilize deepfakes easily and without having to go through the grind of targeting your systems. By utilizing things like social media and email, an individual doesn’t necessarily have to have any special “hacking skills” to deploy these cyber-attacks. What we need to be aware of though, is that a skilled social engineer can leverage deepfakes during an attack in ways that make them much more real. These attackers play not only what you see and hear, but also on how you feel.
The opinions on how much deepfakes will affect the cyber community vary. Marco Rubio compared the threat to that of a nuclear weapon, while Tim Hwang doubts deepfakes will affect the community as much as some suspect. While we wait to see how much of an affect Deepfakes will have, Chris Hadnagy (aka @HumanHacker) of Social-Engineer, LLC. warns, “As the technology gets easier to use and expands from pictures to voice and other mediums, I think we will see an increase in these attacks.”
Whatever the threat level ends up being, without a doubt, deepfakes are something we need to be aware of and guard against. Because of the threat deepfakes present, in September of 2019 a bill passed the house committee to attempt to combat deepfakes. Since they are becoming more advanced and the technology to produce them more readily available, they will become harder to identify. Here are some tips that can help you spot them:
In 2018, there were 53 reported ransomware attacks on local government entities. In just the first few months of 2019, there were already 21 reported ransomware attacks on local county, city, and state government systems. Hadnagy says “We can watch a timeline of these (ransomware) attacks starting off using fear to motivate. Then, they became more targeted using multi-vector attacks, combining phishing and vishing. Now most recently, we see the use of social media making these attacks much more believable by specifically targeting people using their personal information and social contacts.”
2020 is sure to hold to this upward trend. We can clearly see that ransomware is becoming more common and more sophisticated as time goes on. How can you protect yourself and your organization from this ever-growing threat?
The FBI provides information to help everyone, from government entities to home networks, protect themselves from ransomware attacks:
The statistics above are from our October 2019 blog. For a more in-depth discussion on ransomware you can read the full article here.
By reviewing the trends that we saw in 2019, we could cut right to the chase and say that cyber-attacks will explode in 2020. But, what will be the new thing? Hadnagy had some thoughts, “It is easy to say, for instance, that The Cloud is the next vector, yet we see things like MageCart exploits and other browser-based exploits still existing. Can Cloud be exploited? Yes, for sure. Will it be? Yes, I am sure. But that is not the only vector to worry about, not when we see such a large amount of password reuse, no 2-factor authentication (2FA) and weak passwords still being used.”
With this ever-changing threat landscape, it is often hard to keep up with the ways to protect ourselves. In view of this, Hadnagy highlights steps that we need to immediately take to protect ourselves. One that he recommends is all businesses, including those that are small to medium size businesses (SMBs), should be using a multi factor authentication. Hadnagy suggests “…not just multi factor, but also password managers. Combined, it saves your accounts from being the low hanging fruit.”
Multifactor authentication and password managers are the keys to keeping your personal or company information secure. Employing these tools together will make your information more difficult to access, thus dissuading some attackers. To that end, there are many tools today that make these steps easy to implement. A quick google search will provide you with the top apps and managers available for your use. By all means, take advantage of these available tools and add this necessary layer to your security.
With this explosion of threats, cybersecurity is more important than ever. Significantly, one common thread is that these predicted threats attack the human wall of security. With this in mind, as an individual, stay informed on these attack vectors and protect yourself against them. And, as an employer, train your employees to be aware of these threats and know how to respond to them. We believe that one of the most effective ways to do this is through phishing and vishing training.
Is this training effective? Earlier this year a SECOM employee spoke to a person that did not think it was. He said his company does “a lot of social engineering training that is a huge waste of time”. But, was that really the case? He wasn’t aware that he had previously been tested by a SECOM employee (as requested by his company) and had given up information that his company flagged as sensitive.
After this initial test, he received more training and SECOM was tasked with testing him again. It was during this second conversation that the above quote was taken from. How did he do? First, he passed the second test with flying colors. Second, he refused to give the SECOM employee any information and shut the caller down efficiently and quickly, all according to the company standards. Third, he did so despite thinking that his training was ineffective.
As we’ve seen, 2020 has many cybersecurity threats to watch out for. But if you implement effective security training you can stay one step ahead of the criminals. And as the experience from our SECOM employee clearly shows, being aware of potential attack vectors and understanding how to guard against them is of great value.
https://www.csoonline.com/article/3293002/deepfake-videos-how-and-why-they-work.html
https://www.avg.com/en/signal/what-is-deepfake-video-and-how-to-spot-it
https://www.g2.com/categories/multi-factor-authentication-mfa
https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view
https://www.recordedfuture.com/state-local-government-ransomware-attacks
https://www.social-engineer.com/training
https://www.social-engineer.com/social-engineering-penetration-test
https://www.csoonline.com/article/3400381/what-is-magecart-how-this-hacker-group-steals-payment-card-data.html
https://paleofuture.gizmodo.com/how-filmmakers-created-fake-newsreels-in-the-1920s-1832866878
https://www.youtube.com/watch?v=AmUC4m6w1wo
In the rapidly evolving digital landscape, no entity is immune to the pervasive threat of cyberattacks. The security breach at MGM Resorts highlights the vulnerability of even massive organizations. As
SMiShing Attacks in the News In February 2024, 19.2 billion spam texts bombarded U.S citizens according to a recent report. As annoying as spam texts are, they are not always
