Modern Cyber Crime: the domain of organized crime and rogue states


Cybercrime used to be thought of as a teenager in their parents’ basement hacking into a corporate or government network. Today, cybercrime is a big business that funds organized crime and is used by rogue states for financial gain, intelligence gathering, and disruption of target states. The focus of this post will be on the danger posed to small and mid-sized businesses, not-for-profit agencies, and the general population.

Attacks are launched by a number of means, but two very effective methods are phishing attacks and social engineering campaigns.

Phishing attacks are sent via e-mail and text message with the intent of getting the recipient to click on a malicious link or attachment or to engage them in an e-mail/text exchange to gain information. The message appears to come from a trusted source such as a bank, friend, or co-worker. That trust is used to get the recipient to click on the malicious link, open an attachment with malware, or provide some information such as a critical password or banking information. What makes phishing attacks so effective is the increased personalization of the initial message; it may include the branding of the trusted firm or an e-mail signature of the sender that looks authentic. When a phishing campaign is launched at many people, it only needs a small number of clicks or responses to be successful. Once the organization that launched the attack has success, it targets the recipients to extract as much information or financial gain as possible. If you’ve been the target of a successful phishing attack, the bad guys will be back again in the future.

Social engineering is simply the use of deception to gain the trust of a target to steal something such as money or information. Social engineering has been used very successfully in several telephone-based fraud campaigns based offshore. In Canada, fraudsters launching robocalls posing as the Canada Revenue Agency defrauded Canadians using the threat of RCMP officers coming to collect on overdue taxes. This threat convinced people to give the fraudsters money over the phone. The campaign was successful because it effectively combined a trusted entity (Canada Revenue Agency) with an imminent threat (arrest by the RCMP) to cause a sense of panic.

The next blog post will give you some ideas on how to protect your business from these attacks and secure your information assets.