Hardly a day goes by without a news alert about the latest HUGE data breach. It’s so commonplace today that it rarely rates a spot at the top of the news. In a newspaper, the announcement of the latest breach may be on the third page. We’ve become numb to them. And that’s a big problem.
For sure, much of our personal information is out there, including PII, phone numbers, home and work addresses, and a ton of very specific information related to us. A CISO recently told me he was not only surprised that voice-based phishing calls made up over half of the total phishing volume reported to his SOC, but also that he could not readily understand how the callers knew which of his co-workers were working from home (and called their cell phone numbers) and which were back in the office (and called the facility’s main phone number and knew which internal extension to ask for). It was as if the attackers had an up-to-date call list of his employees, even though no such list existed to his knowledge.
I’ve had other IT employees remark that they were amazed at how the spear phishing scammers knew exactly who to target in accounting or payroll with their latest business email compromise (BEC) scam. The victims and their roles within their organization were not particularly well known outside the company, and yet they were still successfully targeted with exactly the type of message that made the request seem legitimate.
I’ve had friends show me SMS-based phishing messages that contained their names and other personal information, so the person trying to scam them certainly had relevant personal data. We all know that attackers are stealing and abusing other hackers’ piles of stolen information, and that we, being the social creatures we are, reveal all sorts of useful information about ourselves and our work positions, which hackers gladly use to their advantage.
Every data breach stealing someone’s personal information becomes a new potential repository for information that can be used in a targeted phishing attack. Every hospital data breach becomes a new opportunity for hackers to target previous patients. Every website breach becomes another trove of stolen data that can be used by scammers to better target more potential victims. Most business-focused phishing scams lead to a loss of value by the targeted business, many times via business email compromises and ransomware.
Sometimes it can be personally embarrassing. For example, the 2015 Ashley Madison website breach led many previous members of the private service into being extorted. Any information you share can be used against you, many times, by many different groups.
Our information has been out there for a long time. But there is growing evidence that malicious hackers are finally using that information to commit more cybersecurity crimes. Here are two of the recent headlines:
- Ransomware Data Theft Epidemic Fuelling BEC Attacks
- How cybercriminals are weaponizing leaked ransomware data for follow-up attacks
Although the cybersecurity industry is seeing a drastic increase in phishing and social engineering attacks in general, we are also seeing a big increase in very targeted spear phishing. These kinds of information thefts will, for sure, increase not only the number of targeted spear phishing attacks but also their success rate.
That is why it is crucial that every organization create a personal and organizational culture of healthy skepticism, where everyone is taught how to recognize the signs of a social engineering attack no matter how it arrives (be it email, web, social media, SMS message, or phone call), and no matter who it appears to be sent by. Being suspicious of only emails coming from people we don’t recognize or only from strange, unknown email addresses is not enough.
Scammers are often compromising our trusted business partners’ and friends’ email and social media accounts, then looking for past communication threads they can reuse in a new, highly targeted spear phishing attack. You must teach everyone around you how to spot the signs of a scam message, as summarized by the figure below:
Most scam messages have three traits in common. First, they arrive unexpectedly: the user wasn't expecting the message. Second, the sender is asking the user to do something new and unexpected for the first time from that sender. For example, click on a URL link, download a document, log in to a website, buy gift cards, send private or confidential information, etc. Third, and this is definitely a scammy sign, the sender says or writes something intended to stress the user into taking the requested action right away. Examples include threats that the user's account will be suspended if they don't act, that the user will cause their organization to lose business or a significant discount, or that something else negative will happen if the user does not act now.
Any message that includes these three traits, no matter how it arrives, should be considered suspicious until proven legitimate, especially if performing the requested action could harm the person’s or their organization’s interests should the message turn out to be malicious.
Users should be trained on how to recognize the signs of a potential social engineering scam, how to verify its legitimacy one way or another (e.g., call the requestor directly on a known good phone number, or go to the website directly at a known good, legitimate URL), and how to handle it if it is determined to be a scam.
At home, you'd probably delete it and maybe tell the rest of the family and your friends so they don't become victims. At work, the scam should be reported to the Help Desk, IT, IT Security, or whatever the appropriate channel for reporting social engineering scams is. You want to train people: give them awareness of the common traits of most scam messages, examples of different types of scams, and what to do when they suspect one.
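The three traits and the recognize, verify, report procedure above map cleanly onto a small triage helper. The following is an added example, not code from the original post or its author: it encodes the three traits as checks over a message record, flags a message only when all three are present, and turns the result into the handling the post describes (verify out of band via a known-good contact, then report at work or delete and warn at home). The message records, phrase lists and the contact directory are constructed for illustration; the phone number and email addresses are placeholders, and a real deployment would take sender history and verified contact details from the organization's own directory.

```python
from dataclasses import dataclass

# Constructed phrase lists (assumption: an organization would tune these).
URGENCY_PHRASES = (
    "immediately", "right away", "within 24 hours", "will be suspended",
    "final notice", "lose the discount", "urgent", "asap",
)
REQUEST_PHRASES = (
    "gift card", "wire", "click", "log in", "login", "download",
    "update bank", "password", "verify your",
)


@dataclass
class Message:
    channel: str                     # "email", "sms", "phone", "social"
    sender: str                      # address, number or handle as presented
    body: str
    expected: bool = False           # trait 1: was the recipient expecting it?
    prior_requests: frozenset = frozenset()  # kinds of action this sender asked for before


@dataclass
class Verdict:
    traits: list
    suspicious: bool
    advice: str


def request_kind(body: str):
    """Return the first requested action found in the body, or None."""
    low = body.lower()
    for phrase in REQUEST_PHRASES:
        if phrase in low:
            return phrase
    return None


def is_urgent(body: str) -> bool:
    """Trait 3: does the message pressure the reader to act right now?"""
    low = body.lower()
    return any(p in low for p in URGENCY_PHRASES)


def triage(msg: Message, known_good: dict, at_work: bool = True) -> Verdict:
    """Apply the three traits; a message showing all three is suspicious."""
    traits = []
    if not msg.expected:
        traits.append("unexpected")
    kind = request_kind(msg.body)
    if kind is not None and kind not in msg.prior_requests:
        traits.append(f"new request: {kind}")   # trait 2: first time from this sender
    if is_urgent(msg.body):
        traits.append("pressure to act now")
    suspicious = len(traits) == 3
    if not suspicious:
        return Verdict(traits, False, "No action needed beyond normal care.")
    # Verification must use a contact we already trust, never one in the message.
    contact = known_good.get(msg.sender)
    if contact:
        verify = f"Verify out of band via known-good {contact['kind']}: {contact['value']}."
    else:
        verify = "No known-good contact on file; do not use details from the message itself."
    report = ("Report it to the Help Desk / IT Security." if at_work
              else "Delete it and warn family and friends.")
    return Verdict(traits, True, f"Do not act on the message. {verify} {report}")


# Constructed directory: sender identifier -> independently verified contact.
KNOWN_GOOD = {
    "cfo@example.com": {"kind": "phone", "value": "+1-555-0100 (placeholder, from the staff directory)"},
}

# Constructed sample messages covering each outcome.
SAMPLES = [
    Message("email", "cfo@example.com",
            "Need you to buy gift cards for a client right away, I'm in a meeting.", expected=False),
    Message("sms", "+1-555-0199",
            "Your account will be suspended. Click http://example.invalid/verify to keep access.",
            expected=False),
    Message("email", "payroll@example.com",
            "Attached is the monthly report you requested.", expected=True),
    Message("email", "cfo@example.com",
            "Please download the board deck and review it before Friday.",
            expected=False, prior_requests=frozenset({"download"})),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = triage(m, KNOWN_GOOD)
        print(f"[{m.channel}] {m.sender}: suspicious={v.suspicious} traits={v.traits}")
        print("   ", v.advice)
```

The fourth sample shows why trait 2 needs sender history: a download request from someone who has sent attachments before, with no pressure to act, is not flagged, while the same sender asking for gift cards for the first time, right away, is.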
If done well (and most organizations ARE NOT focusing enough on security awareness training), it can prevent social engineering scams, whether they are the regular, run-of-the-mill, misspelled variety or a sophisticated, well-crafted scam coming from a sender the receiver might otherwise trust a great deal. We have to communicate to everyone that they need a culture of healthy skepticism. The Internet, email, SMS messages, and phone calls cannot be trusted by default anymore. It's a different world, and the growing trove of stolen personal data is only making it less trustworthy.
Be appropriately skeptical.