No one likes being made a fool of. But it’s our misfortune that cyber-criminals continue to raise their game, and make businesses and individuals alike look foolish through a constant spate of new cyber-attacks which, while innovative, could have been prevented. This April Fool’s Day will be no different, with threat actors targeting vulnerable victims.
Phishing has long been a preferred tactic for coaxing corporate employees into surrendering sensitive information, typically using social engineering techniques. But in the last year we’ve seen a level of sophistication and variation in phishing tactics that we’ve never seen before. Individuals and businesses globally are falling prey to new, innovative threats from unrelenting attackers every day.
So this April Fool’s Day, what tactics should IT teams and employees be looking out for? And how can they best protect their organizations from looking foolish?
Deepfakes: Innocent Prank or Growing Threat?
We know the success of a phishing attack relies on credibility. Cyber-criminals rely on people believing they are someone else to gain access to networks, whether it’s via a credible-looking email coming from a supposedly legitimate source, or a fake video message spoofing a trusted colleague. This is why deepfakes are raising concerns – anyone can choose to look like someone else, with apparent authenticity.
In fact, the FBI warned earlier this year that malicious threat actors will ‘almost certainly’ be using deepfakes as a tactic to advance their cyber-operations over the next 12 to 18 months. Deepfake technology has the potential to change the phishing landscape completely because it allows threat actors to move beyond text, and take advantage of the deep level of trust that comes with video or verbal communication.
Deepfake videos have already been used successfully to spread disinformation, mostly political in nature, and it’s only a matter of time before this technique is used to achieve other goals. The highly-competitive nature of business means that there’s also a strong possibility that we’ll see a rise in disinformation campaigns intended to discredit rivals, such as that by telecoms group Viettel.
It’s time for IT teams to understand the threat this technology poses to their business and put measures in place to educate employees about deepfake attacks, as it’s likely they will be targeted using these tactics in the near future.
Vishing: Another Trick in the Book
Vishing is yet another example of the ingenuity of cyber-criminals and the constant evolution of their tactics, techniques and procedures.
Defined as unsolicited phone calls or voice messages fraudulently made by someone purporting to be a trusted service or colleague, vishing is becoming increasingly common as attackers use voice over internet protocol (VoIP) technology to make these calls over the internet, rather than having to use a conventional phone line. The volume of such attacks has drastically increased during the pandemic too, with the UK’s National Cyber Security Centre (NCSC) warning of attacks of this kind in its recent advisory report on working from home safely.
We know vishing attacks are already proving successful too, with hackers famously using the tactic last year to target, and successfully control, the Twitter accounts of CEOs, businesses, celebrities and politicians, including Joe Biden, Jeff Bezos, Apple and Uber.
Voice: The Prankster’s New Vice
We already know false representations aren’t limited to just the video format. Yet, above and beyond vishing, many hackers are experimenting with voice adaptation software which allows them to mimic the voices of contacts known to victims when conducting audio-based phishing attacks, such as via phone calls or even via audio files.
This software is increasing the number of attack vectors available to malicious actors, and IT teams need to be wary of these new avenues. Social engineering techniques are constantly being developed to lure unsuspecting employees into handing over money, information and credentials, which is hugely worrying considering tools such as voice adaptation technology are becoming accessible to anyone and everyone.
Spear Phishing and BEC attacks: A Tried and Tested Trick
In 2020, 35% of businesses globally experienced spear phishing and 65% faced BEC (business email compromise) attacks. These techniques may have been around for a long time, but they’re still the most powerful tool in a cyber-criminal’s arsenal and people continue to fall for them.
BEC attacks are among the most damaging online crimes, and the NCSC found they were the main cause of cyber insurance claims in 2019, which isn’t surprising considering how often they successfully target organizations of all sizes. But why are people still falling for them? The answer is that hackers rely heavily on technology innovation and stolen credentials to make their attacks far more sophisticated than we’re used to seeing. The introduction of greater variety – and novelty – to these attack routes increases their chances of success substantially.
Outwitting the Tricksters to Protect Your Business
Organizations need to take charge of their cybersecurity strategies this April Fool’s Day to avoid being made a fool of by predatory threat actors. This means adopting an ‘assume breach’ mentality. Ensuring the implementation of proactive controls to protect sensitive credentials – the ones attackers increasingly seek in order to carry out highly-targeted attacks – is the start of a strong, multi-layered approach to cyber-defense.
Flattening the phishing attack curve specifically requires three things. Firstly, the implementation of AI-based detection tools to identify fakes, such as vishing and deepfake attacks. Given these tools aren’t foolproof, they should be bolstered by authentication to verify the identities of those wanting network access, as well as privileged access management to keep the most sensitive information secure and prevent hackers who successfully infiltrate network perimeters from accessing vital and valuable data.
Last but not least, employee training should remain a constant priority. Running mandatory training sessions on security awareness means employees, who are often the targets of these attacks, can remain vigilant and follow strong cyber-hygiene practices.
Falling foul of an April Fool’s Day joke is easy. But falling prey to fraudsters is no laughing matter. Businesses must take this advice to make sure hackers don’t make a mockery of their security practices this April Fool’s Day.