The second half of the 20th century saw the dawn of the information age. Now, at the beginning of the 21st century, and especially with the proliferation of IoT devices and social media usage, we are seeing the dawn of misinformation. Governments, corporations, news agencies, and independent pundits all contribute to the misinformation of the general population and of target audiences. Goals vary greatly, from influencing consumerism, viewership, and idealistic beliefs to swaying political alignments and more.
Tactics can be multifaceted and include diversion attacks or information misrepresentation, disruption of social and environmental conditions, or even psychological warfare aimed at fueling greater emotions amongst factions in a target society. All of the above escalated in 2022 in particular, as local political campaigns began to take shape and the war between Russia and Ukraine broke out in February, leading to a tense political landscape and an unstable economic situation across the world.
Three factors have created a bountiful field of opportunities to obtain the necessary data and to exploit it for misinformation purposes: an abundance of readily available and easily sourced information; personally identifiable information (PII) being sold en masse as data exfiltration becomes one of the most profitable motives for threat actors; and data security that is often compromised for convenience.
Whether it is businesses waging a war to attract and retain customers or government entities harvesting not only citizens’ personal information but also voice, facial, and other biometric data for various authorized and unauthorized uses, data harvesting is becoming more brazen. The more context there is on the victim, the more targeted a campaign can be and the higher the possibility of successful deception.
Phishing is the leading type of social hacking attack used to exploit organizations and individuals. It is one of the oldest and most popular cyber-attacks. It makes it very easy for criminals to impersonate real people or companies in order to spread ransomware or obtain personal information through emails.
Phishing attacks increased by 46% from 2020 to 2021, and the number is projected to grow this year. They are responsible for 90% of data breaches and cost organizations on average 4.65 million in 2021.
This type of hacking will continue to be a favorite attack among threat actors with the increased adoption of automation and machine learning (AI). It allows attackers to design more sophisticated and believable multi-point campaigns against targets. With AI, it takes less effort to hit more targets among third-party partners, remote workers, and vulnerable groups, such as disaster victims, in order to gain access to more valuable targets.
Smishing and vishing are types of phishing attacks that have been increasing over the past couple of years. Cybercriminals use text messaging and voice calls to manipulate victims into handing over sensitive data. The shift to remote work expanded attackers’ opportunities and possible scam scenarios. They impersonate co-workers, IT department members, supervisors, and even organizations. The personal nature of calls and text messages makes the deception easier.
Smishing and vishing will become even more prevalent with the use of audio deepfake technology. Taking the attacks beyond the inbox can be unexpected for employees trained to think about phishing through their company email rather than their personal mobile devices.
The dawn of misinformation is also becoming the dawn of a new, sophisticated, and dangerous impersonation method now used by cybercriminals: the deepfake. Deepfakes are images, videos, and voice recordings created using computers and machine learning software to make impersonation seem real. Considering rapidly advancing deepfake technology and the increasing reliance on virtual environments in the post-COVID remote work culture, companies must prepare for this type of attack. What in 2021 was a well-written phishing email from a C-level account can now be a perfectly crafted fake video or voice recording attempting to solicit sensitive information or resources, and it can cost an organization millions of dollars.
State-sponsored hackers and hacker syndicates will also continue to use phishing and deepfakes to disrupt their political rivals, for profit, and to obtain greater influence for their cause. Deepfakes will increase against political, government, and executive targets for a variety of geopolitical and economic gains. The most rewarding gains can be obtained through bribery, IP theft, and other key disruptive attacks that target government officials and company C-suite officials.
The best way for organizations to plan for and prevent phishing scams is a team approach that cuts across the enterprise. This approach will help to build a robust security response to phishing and deepfakes. Responsibility for cybersecurity awareness spans the entire workforce, meaning training must improve for every employee within the company, both those with and those without access to sensitive data. This is especially important considering remote work and increased outsourcing worldwide.