Running Headfirst Into a Breach

The pandemic changed the fortunes of many organisations. Perhaps none so much as Zoom, which has found itself becoming a noun synonymous with any form of video call.

However, its meteoric rise has not been without some hiccups along the way. There have been many cases of people not securing their meetings, leading to many cases of ‘zoombombing’ in which unauthorised people join video calls with the intention of sharing lewd, obscene or otherwise distasteful content. 

There was also the case of investors wanting to jump on the Zoom bandwagon who inadvertently purchased stock of Zoom Technologies, a small Chinese company which had nothing to do with Zoom, the video chat platform. 

Errors and mistakes aside, criminals have also been quick to notice the trend and have been quick to capitalise by registering thousands of fake domains designed to impersonate Zoom and other video conference brands. They have also been using them to send out phishing links.

With the majority of office employees working remotely, receiving Zoom invites or even seeing reminders in their calendar for upcoming Zoom meetings has become a daily occurrence. 

It is not just phishing via email that has taken off. People working from home usually have several communication channels they use to interact with colleagues, customers, partners and friends. These encompass everything from messaging apps to social media and everything in between. 

Pulling on Emotions

Criminals are very good at crafting messages in a way that pulls on people's emotions. This can be fear, greed, curiosity, urgency, helpfulness or any other emotion. One of the biggest reasons for this can be understood by Daniel Kahneman who stated in his book, “Thinking, Fast and Slow” that there are essentially two types of thinking the human brain undertakes. 

System one is referred to as fast thinking and largely works automatically and effortlessly via shortcuts, impulses and intuition. It is fast, but also error prone. System two is also known as slow thinking. It takes time to analyse, reason, solve complex problems and requires people to exercise self-control. It is slow, but reliable. 

A good criminal pulls on emotions because it is a surefire way to get people into system one thinking, where they will carry out an action before thinking about it. 

Think about it. When was the last time you received a scam or phishing attack and the sender was polite and ended with, “please respond whenever is convenient, there’s no rush”?

It’s why an inflammatory Tweet or Facebook post receives so much attention and so many responses, even though we often know we should just ignore it. It just presses our emotional buttons and we need to say something. 

So, it becomes difficult to reign people in -- even the most security conscious people can be fooled by a WhatsApp message which pops up saying, “Why aren’t you in the meeting? We’re all waiting for you. Click here to join.” 

Not a Theoretical Risk

The security industry has been guilty in the past of over-hyping issues. But social engineering threats are very real. If we look at the growth of ransomware over the years, it has become a huge criminal cash cow. 

Most ransomware these days is delivered via phishing across multiple channels, hitting organisations across all industry verticals and of all sizes. Nearly a year ago, Travelex was hit by ransomware which resulted in the business being down for several weeks before they recovered. Unfortunately, its woes didn’t end there. With the pandemic hitting and many countries going into lockdown, the organisation didn’t get a chance to recover and went into administration later in the year. 

Down under in Australia, the CEO of a hedge fund was tricked into clicking on a phishing email disguised as a Zoom invite. The click gave criminals access to the CEO’s email, which allowed them to send emails posing as the CEO authorising payments amounting to nearly $8m. And while the hedge fund was able to recover most of the money, the reputational damage was so severe that its main fund pulled out, forcing the hedge fund to shut down. 

The fact of the matter is that social engineering attacks are only increasing and becoming the main thrust of cybercrime, which are having far greater impact on victim organisations. 

Ways You Can Stay Safe

Staying safe against these attacks is increasingly difficult, not just from the increased sophistication of attacks, but the sheer volume of attack avenues that are available to criminals, ranging from email inboxes, social media accounts, chat apps, sms and phone calls. 

1. Security Awareness Training

   Security awareness training should be raised to all users from the most junior all the way to the most senior executives. The variety and impact of these attacks should be explained and mechanisms provided so that users can quickly and easily report any suspicious activity for the security team to investigate. 

2. Gain Visibility

   Security teams need to be able to obtain visibility into all of their organisation’s communication channels. For most organisations, too many channels are kept in the dark, so often by the time a breach is detected, it is too late. 

3. Real-Time Threat Detection

   All critical accounts, including marketing and executives, need to be monitored continuously for suspicious activity and messaging. In addition to scanning all files, attachments and links for malware, non-technical social engineering threats should also be sought out. 

4. Incident Response

   A layered response approach needs to be put in place so that any threats detected can be removed immediately.