The Equifax breach was announced in early September, but the long tail of its effects will be felt for years to come.
As the security industry continues to see phishing attacks and social engineering evolve, we will likely view this particular breach as one of the pivotal moments in cybersecurity, analogous to the rise of the ILOVEYOU virus in the early 2000s, the TJX breach of the mid 2000s, or the Target compromise of 2013. It is, perhaps, the moment when the entire modern world became a target.
According to the Identity Theft Resource Center, there were more than 1,100 data breaches disclosed in 2017 alone, but it is not just the volume of the records that are substantive, it is the types of information.
Just as with the Equifax breach, it is conceivable that someone could buy an executive’s social security number, salary for the past five years, tax returns, home address and the make and model of the last car they purchased for a couple hundred dollars. Researchers have found that criminals are creating central databases on the Dark Web that aggregate profiles around specific individuals.
What will this mean for phishing? First, as with the recent Netflix phishing scam is an example of how criminals can leverage a simple piece of information – such as a subscription to Netflix – to obtain credentials that can be used elsewhere, without the consumer being made aware of the threat.
Given the vast quantities of personal information contained within the Equifax data set, including credit cards and banking information, automobile and real estate transaction details, and employer data, expect to see a targeted set of attacks arise in 2018 that utilize sophisticated impersonations of business services and brands.
Additionally, executives are already one of the primary targets for spear phishing, which has given rise to the term “business email compromise” to differentiate it from other less targeted forms of email fraud.
The use of webmail services is ubiquitous; by combining these services with the kinds of information available to savvy attackers who have access to the Equifax data set, the sophistication of these impersonation attempts will also rise, as attackers will be able to answer identifying questions about their targets, reference former workplaces and colleagues, and build ever more convincing social engineering campaigns.
This sophistication underscores why businesses cannot rely on security awareness training to save their businesses from data breaches as it is impossible for workers to be vigilant 24/7. Employees are soft targets, particularly when criminals know intimate details about a person’s personal and professional lives.
Modern email security approaches will require some degree of automation. Research has shown that it is impossible for short-staffed security staffs to properly identify and remediate the 3,680 emails with threat characteristics that reach employees each week.
Automated solutions reduce the potential for human error in managing spear phishing attacks and help level the playing field against a highly sophisticated opponent. Security leaders must prepare themselves for an onslaught of highly targeted attacks.
Over the past few years, the corporate inbox has become the front line in the cybersecurity battle; with this data breach, expect to see increasingly sophisticated tactics being utilized against consumers and businesses alike.