Social Engineering Beyond Phishing, Deepfakes, and Data Harvesting
The second half of the 20th century saw the dawn of the information age. Now, at the beginning of the 21st century, and especially with the proliferation of IoT devices and social media, we are seeing the dawn of the misinformation age. Governments, corporations, news agencies, and independent pundits all contribute to the misinformation of the general population and of specific target audiences. Goals vary greatly, from influencing consumer behaviour, viewership, and ideological beliefs to swaying political alignments, and more.
Tactics are often multifaceted and include diversion attacks and misrepresentation of information, disruption of social and environmental conditions, and even psychological warfare aimed at inflaming emotions between factions in a target society. All of this escalated in 2022 in particular, as local political campaigns took shape and the war between Russia and Ukraine broke out in February, creating a tense political landscape and an unstable economic situation across the world.
Three things have created a bountiful field of opportunities both to obtain the necessary data and to exploit it for misinformation: an abundance of readily available, easily sourced information; personally identifiable information (PII) sold in bulk, as data exfiltration becomes one of the most profitable motives for threat actors; and data security routinely traded away for convenience.
Whether it is businesses waging a war to attract and retain customers or government entities harvesting not only citizens' personal information but also voice, facial, and other biometric data for authorized and unauthorized uses, data harvesting is becoming more brazen. The more context an attacker has on the victim, the more targeted the campaign can be, and the higher the chance of a successful deception.
Deception Through Misinformation Trends of 2022
Phishing is the leading type of social engineering attack used against organizations and individuals. It is one of the oldest and most common cyber-attacks, and it makes it easy for criminals to impersonate real people or companies by email in order to deliver ransomware or obtain personal information.
Phishing attacks increased by 46% from 2020 to 2021, and the number is projected to grow again this year. They are responsible for 90% of data breaches and cost organizations an average of USD 4.65 million per breach in 2021.
This type of attack will remain a favorite among threat actors as they adopt automation and machine learning. It lets attackers design more sophisticated and believable multi-stage campaigns, and to hit more targets with less effort, including third-party partners, remote workers, and vulnerable groups such as disaster victims, as stepping stones to more valuable targets.
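The impersonation the paragraph above describes has two common shapes: the attacker borrows an executive's display name on an address they control, or forges the organization's own domain outright. The following triage function is an added example written for this page, not code from the original article or from any product it mentions. It uses only the Python standard library, and the executive directory, lure phrases and the three sample messages are constructed for the demonstration; a real deployment would take the directory from the identity provider and the verdicts from the mail gateway's own Authentication-Results header.

```python
"""Triage one inbound email for executive impersonation and failed sender authentication.

Added example for this page; not the article's own code.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives whose names attackers like to borrow
# (assumption: a real deployment pulls this from the identity provider).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Constructed lure phrases typical of business email compromise; a heuristic only.
LURE_PHRASES = ("wire transfer", "gift card", "urgent", "confidential")

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    A method that never appears is reported as 'none'; the caller treats that
    like a failure, because an unauthenticated message cannot prove its origin.
    """
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in _AUTH_RE.findall(header):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def plain_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return text


def triage(raw_message):
    """Return {indicator: detail} for one RFC 5322 message; {} means nothing fired."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    findings = {}

    # 1. A trusted display name on an address that is not that person's. SPF/DKIM/
    #    DMARC can legitimately PASS here because the attacker's own domain signs
    #    the mail, so only the name-to-address check catches this shape.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and sender != expected:
        findings["display_name"] = f"'{display}' sent from {sender}, expected {expected}"

    # 2. Reply-To steering replies to another domain (the attacker's inbox).
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings["reply_to"] = f"{sender} but replies go to {reply_to}"

    # 3. Sender authentication did not pass. A message claiming the internal
    #    domain and failing DMARC is a direct forgery of that domain.
    failed = {m: v for m, v in auth_results(msg).items() if v != "pass"}
    if failed:
        findings["authentication"] = ", ".join(f"{m}={v}" for m, v in failed.items())

    # 4. Lure language: weak on its own, strong combined with any of the above.
    hits = [p for p in LURE_PHRASES if p in plain_text(msg).lower()]
    if hits:
        findings["lure"] = ", ".join(hits)
    return findings


# Constructed samples, not real mail. Shape 1: look-alike free-mail address;
# the mail authenticates perfectly well for *that* domain.
DISPLAY_NAME_SPOOF = """\
From: Jane Doe <janedoe.office@webmail.invalid>
To: accounts@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail.invalid; dkim=pass header.d=webmail.invalid; dmarc=pass header.from=webmail.invalid
Content-Type: text/plain; charset=utf-8

I am in a meeting. Need an urgent wire transfer processed today, keep it confidential.
"""

# Shape 2: the internal domain is forged, so DMARC fails and replies are rerouted.
DOMAIN_SPOOF = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@webmail.invalid
To: accounts@example.com
Subject: Payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

Please send the wire transfer details to my other address.
"""

CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Attached are the slides for Thursday.
"""
```

The point worth taking from the two spoof samples is that email authentication alone does not stop executive impersonation: the first message passes SPF, DKIM and DMARC and is caught only by the display-name check, while the second fails authentication but would pass a naive "is the sender internal?" filter.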
Smishing and Vishing
Smishing and vishing are types of phishing attack that have been increasing over the past couple of years. Cybercriminals use text messages and voice calls to manipulate victims into handing over sensitive data. The shift to remote work expanded attackers' opportunities and the range of plausible scam scenarios: they impersonate co-workers, IT department staff, supervisors, and even whole organizations. The personal nature of a call or text message makes the deception easier.
Smishing and vishing will become even more prevalent with audio deepfake technology. Taking the attack beyond the inbox catches out employees trained to think of phishing as something that arrives in their company email rather than on their personal mobile devices.
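The link in a smishing text usually points at a domain built to resemble one the victim trusts. The checker below is an added example for this page, not code from the original article: it extracts URLs from an SMS, undoes the cheap character swaps attackers rely on (rn for m, 1 for l, and so on), compares the result against a constructed list of trusted domains, and flags non-ASCII or punycode hosts outright. The trusted-domain list, the confusable table, the urgency words and the four sample messages are all constructed; the "last two labels" rule for the registrable domain is a simplification, and real code would consult the public suffix list.

```python
"""Flag smishing indicators in SMS text: look-alike domains, homograph hosts, urgency lures.

Added example for this page; not the article's own code.
"""
import re
from urllib.parse import urlsplit

# Constructed: the domains this organisation really sends SMS links from (assumption).
TRUSTED_DOMAINS = {"example.com"}
# Constructed subset of common substitutions; digraphs must be replaced before single chars.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
# Constructed urgency phrases; pressure to act fast is the lure, not a proof of fraud.
URGENCY = ("suspended", "locked", "verify now", "within 24 hours", "act now")
_URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable(host):
    """Last two labels of a host (simplification: no public suffix list here)."""
    return ".".join(host.split(".")[-2:])


def normalise(domain):
    """Undo character swaps so that 'exarnp1e.com' compares as 'example.com'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Edit distance; one substitution or insertion away from a trusted name is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host):
    """Return an indicator for one host, or None if it is trusted or unremarkable."""
    host = host.lower()
    # Mixed-script or punycode hosts are flagged before any comparison: a Cyrillic
    # 'a' in an otherwise Latin name renders identically to the real thing.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        return "homograph host (non-ASCII or punycode)"
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    cleaned = normalise(reg)
    for trusted in TRUSTED_DOMAINS:
        if cleaned == trusted or levenshtein(cleaned, trusted) <= 1:
            return f"look-alike of {trusted}: {reg}"
        brand = trusted.split(".")[0]
        if brand in cleaned:  # brand name used as a token inside an unrelated domain
            return f"brand {brand!r} embedded in untrusted domain {reg}"
    return None


def triage_sms(text):
    """Return {url: indicator} for each suspicious link, plus 'urgency' if lure words appear."""
    findings = {}
    for url in _URL_RE.findall(text):
        url = url.rstrip(".,;)")
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        verdict = check_host(host)
        if verdict:
            findings[url] = verdict
    lures = [w for w in URGENCY if w in text.lower()]
    if lures:
        findings["urgency"] = ", ".join(lures)
    return findings


# Constructed sample messages, not real SMS traffic.
SAMPLES = {
    "lookalike": "Your account is locked. Verify now: https://login.exarnple.com/verify",
    "embedded": "Parcel held, pay the fee at https://examp1e-secure.com/pay within 24 hours",
    "homograph": "Update your details: https://ex\u0430mple.com/login",
    "clean": "Your one-time code is 123456. Manage at https://login.example.com/settings",
}
```

Run `triage_sms` over each entry of `SAMPLES`: the first three return a finding for their link, and the clean message returns an empty dict. Note that the urgency phrases are reported separately and never on their own turn a message into a finding about a link; a legitimate "your account is locked" notice from the real domain produces only the urgency entry, which is the right place for a human to decide.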
The dawn of misinformation is also the dawn of a new, sophisticated, and dangerous impersonation method now used by cybercriminals: the deepfake. Deepfakes are images, videos, and voice recordings generated with machine learning to make an impersonation look and sound real. Given how quickly the technology is advancing and how heavily post-COVID remote work relies on virtual meetings, companies must prepare for this type of attack. The well-written phishing email from a "C-level" account of 2021 can now be a convincingly faked video or voice recording soliciting sensitive information or funds, and it can cost an organization millions of dollars.
State-sponsored hackers and criminal syndicates will also continue to use phishing and deepfakes to disrupt their political rivals, for profit, and to gain influence for their cause. Deepfakes will increasingly be aimed at political, government, and executive targets for geopolitical and economic gain. The most rewarding payoffs come from bribery, IP theft, and other disruptive attacks on government officials and company C-suite officers.
Prevention is the Key
The best way for organizations to plan for and prevent phishing is a team approach that cuts across the enterprise; it builds a robust security response to phishing and deepfakes alike. Responsibility for security awareness spans the entire workforce, so training must improve for every employee in the company, with or without access to sensitive data. This matters all the more with remote work and increased outsourcing worldwide.
What you can do today to bolster your company's security:
Comprehensive, ongoing audits of IT security systems, with remediation of any weaknesses they find.
Meaningful, frequent attack simulation exercises, such as red teaming that includes phishing, to test the effectiveness of an organization's technology, processes, and people; identify gaps; mitigate vulnerabilities; and gather insight to guide future security efforts.
Mandatory security awareness training for all staff that uses relevant real-life examples on both company and personal devices. Keeping the training current with the latest attack scenarios achieves the highest level of prevention possible.
Movement toward a Zero Trust model for phishing and deepfakes: no request for funds, credentials, or data is honoured on the strength of a familiar face, voice, or sender name alone, but is verified out of band through a channel agreed in advance. This includes extended detection and response (XDR) as part of a coordinated technology response to a threat across endpoints, networks, communications, and storage.