Four Social Engineering Hacks You Need to Prevent in 2024

The Anti-Phishing Working Group (APWG) reports that more than 963,000 unique phishing sites were detected worldwide in the first quarter of 2024, and the lures that point to them arrive in billions of spam and phishing emails a day. Is that number scary? You bet. But the growing sophistication of these social engineering attempts is more frightening still.

Phishing

Social engineering is the craft of manipulating people rather than machines, and phishing is its most common form. In a targeted (spear-phishing) attack, the attacker uses the target's relationships, job responsibilities, or recent online activity to make a fraudulent email look legitimate. It takes research, stealth, and good production values, which is why it is among the most successful kinds of attack. The threat is only getting worse. With generative AI readily available, scammers can stand up a convincing fake website in minutes to harvest credit card numbers, deepfake your top executives, clone your logo, and much more.

Social Engineering: the Art of the Con

Extreme examples of social engineering abound. In one recent incident, scammers used deepfake technology to pose as a multinational company's chief financial officer (CFO) on a video call. They reproduced the CFO's appearance and voice convincingly enough that an unsuspecting finance worker wired $25 million (approximately 200 million Hong Kong dollars) into an offshore account.

Elaborate phishing is also used to harvest valuable credentials. In January 2022, attackers impersonated the US Department of Labor (DoL). The emails carried official DoL branding and invited recipients to bid on a government project. The phishing site, made to look like the real DoL site, prompted visitors to enter their Office 365 credentials. Credentials harvested this way fuel numerous follow-on attacks.

A recent Harvard Business Review analysis put it this way: “AI tools are rapidly making these emails more advanced, harder to spot, and significantly more dangerous. Research we published earlier this year showed that 60% of participants fell victim to artificial intelligence (AI)-automated phishing, which is comparable to the success rates of non-AI-phishing messages created by human experts. Perhaps even more worryingly, our new research demonstrates that the entire phishing process can be automated using Large Language Models (LLMs—such as ChatGPT), which reduces the costs of phishing attacks by more than 95% while achieving equal or greater success rates.”

With AI in the criminal toolkit, the poor artwork, bad translations, and off-putting cultural references that used to be the telltale signs of a scam may soon be a thing of the past. So what is a security-minded company to do? A Responsible IT Architecture with good protections (email authentication, multifactor authentication, payment controls) raises the bar, but with social engineering the answer lies in regular cybersecurity education for your employees.

Specifically, Integris warns companies to prepare for these four types of attack:

#1: Fake But Realistic Requests

Hackers can research your company well enough to play the role of a prospective customer or of an existing vendor already in your system. They will ask you to download their RFP, or to enter new banking details so that your next payment to them lands in a different account. With a few clicks, an employee can install malware on your network or hand your outgoing payments to thieves.

Common ruses include:

  • fake tracking emails from websites you order from regularly
  • requests for credentials to “fix” a problem with a program you use
  • forged emails or texts from your c-suite or supervisors, asking you to click on a link to review a document
  • fake invoices that ask for online payment


How to fix it:

Teach employees to verify the person or company before fulfilling the request. That means never automatically clicking a purchase-order link, and never taking an emailed request for information at face value. Many regular vendors work through established portals for payment, and a change of bank details should never be accepted on the strength of an email alone. Every reputable company has a legitimate website; check that the sender's domain and the links in the message actually resolve to that domain, keeping in mind that the display name on an email is chosen freely by the sender and proves nothing.

If your initial search is inconclusive, do not take the request at face value. Ask questions. Confirm payments and bank-detail changes with the right parties in your organization and with the vendor, using contact details you already have on file rather than those supplied in the email. A scam will almost always become obvious with a little checking.

#2: Social Media Extortion through Social Engineering

Most people know better than to put their contact information and emails on social media accounts set to “public.” However, many of your employees may have emails and phone numbers available to Facebook or LinkedIn friends. That information is all a hacker needs to set up an account in your employee’s name on damaging websites such as child porn sites. Hackers can use that “proof” to extort employees into giving up their corporate passwords.


How to fix it:

Teach employees to only use in-app messaging on social media sites and never to give out their personal or professional emails to people they’ve only just met online. A process should be in place to help employees who may have been placed in this situation against their will. If they have a reporting channel available to IT without judgement or reprisal, they’ll be more likely to report a hack in process, and accept the company’s help to address it head on in the early stages.


#3: AI-Assisted Spoofing

Are you happy with your CEO's recent company video? So are hackers. They can use AI to sample your CEO's voice from it and then call your accounts payable department. “Add this new vendor to the system and transfer this money,” they may say, sounding exactly like your CEO. By the time employees realize it wasn't the CEO on the line, the money will be gone without a trace.

How to fix it:

Ask for code words, account numbers, or another form of out-of-band verification. Better yet, hang up and call the person making the request back on a number from the company directory, never one supplied in the message. There should be a standard protocol for company payments that includes verification before any new payee is added or any bank detail is changed. If the person on the other end of the line is pressing an employee to circumvent the rules and pay “right now,” that is a red flag. A culture of verification should be the norm, so employees know they will never be reprimanded for following the rules.

#4: A Likely Email—Imitating Well-Known Brands

Chances are, your employees like getting emails, texts, and alerts from their favorite brands. Many of them receive those alerts on work computers, especially if they made a purchase or a reservation from a work laptop or phone. So it would not be unusual for them to get an email about the latest “sale” from Airbnb, or a link to a new post from a group they follow on LinkedIn. Worse, they might get a phishing notification from a scammer impersonating Microsoft, asking them to re-enter their credentials to “log in” again. Spoofs are rampant.

Here are the ten most imitated brands in phishing attempts for Q1 2024, according to Check Point Research's Brand Phishing Report (share of all brand-phishing attempts):

  1. Microsoft (38%)
  2. Google (11%)
  3. LinkedIn (11%)
  4. Apple (5%)
  5. DHL (5%)
  6. Amazon (3%)
  7. Facebook (2%)
  8. Roblox (2%)
  9. Wells Fargo (2%)
  10. Airbnb (1%)


How to Fix It:

The best first line of defense is to avoid personal purchases and subscriptions on company devices whenever possible. That lowers the likelihood of a bad link being clicked while an employee is signed in to your systems. Before acting on a text or email, check where it really came from: the sending phone number, the sender's actual domain (not just the display name), and the real destination of each link (hover over it, or long-press on mobile, rather than trusting the link text). Because the From: address itself can be forged, your mail gateway should also enforce SPF, DKIM and DMARC so that spoofed brand mail is rejected or flagged before it reaches the inbox.
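The origin checks recommended above for brand impersonation (#4) and for fake vendor requests (#1) can be automated at the mail gateway or in a triage script. The Python below is an added example written for this article, not code from Integris or from the original post. The brand allow-list, the two sample messages and the simplified domain heuristics (a "last two labels" stand-in for a public-suffix list, and a short homoglyph table) are constructed for illustration; a production tool would use the public-suffix list and a proper IDN check, and would trust the Authentication-Results header only when its own gateway added it.

```python
"""Offline triage of a suspicious email: do the sender domain, the gateway's
SPF/DKIM/DMARC verdicts, and every link in the body agree with the brand the
message claims to come from?  Added example; allow-list, samples and
heuristics are constructed for illustration."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed allow-list: domains your organization accepts for each brand.
KNOWN_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "dhl": {"dhl.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Substitutions commonly used to build lookalike domains (rn -> m, vv -> w ...).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def registrable(host):
    """Crude registrable domain: the last two labels (a real tool would use
    the public-suffix list so that 'x.co.uk' is handled correctly)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(value):
    """Registrable domain of the first address in a header value, or ''."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return registrable(m.group(1)) if m else ""


def auth_results(header):
    """spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def classify_domain(domain, legit):
    """'known', 'lookalike of <legit domain>' or 'unknown'."""
    if domain in legit:
        return "known"
    folded = domain
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return f"lookalike of {folded}" if folded in legit else "unknown"


def triage(raw_message, brand):
    """Return {'verdict': ..., 'findings': [...]} for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    legit = KNOWN_BRAND_DOMAINS[brand]
    findings = []

    from_dom = header_domain(str(msg["From"] or ""))
    kind = classify_domain(from_dom, legit)
    if kind != "known":
        findings.append(f"From domain {from_dom!r} is {kind} for {brand}")

    # Envelope sender vs. header From: DMARC alignment in miniature.
    path_dom = header_domain(str(msg["Return-Path"] or ""))
    if path_dom and path_dom != from_dom:
        findings.append(f"Return-Path {path_dom!r} does not align with From {from_dom!r}")

    for mech, verdict in auth_results(str(msg["Authentication-Results"] or "")).items():
        if verdict != "pass":
            findings.append(f"{mech} verdict is {verdict!r}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"link host {host!r} uses punycode (possible IDN homoglyph)")
        kind = classify_domain(registrable(host), legit)
        if kind != "known":
            findings.append(f"link to {host!r} is {kind} for {brand}")

    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


# Constructed sample: a credential-harvesting lure that spoofs Microsoft.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-secure-login.xyz>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-secure-login.xyz; dkim=none; dmarc=fail header.from=rnicrosoft.com
From: "Microsoft Account Team" <no-reply@rnicrosoft.com>
To: employee@example.com
Subject: Action required: re-enter your credentials
Content-Type: text/plain; charset=utf-8

Your session has expired. Sign in again at
https://login.rnicrosoft.com/account/verify?id=17 to keep access.
"""

# Constructed sample: what a legitimate, fully authenticated message looks like.
SAMPLE_LEGIT = """\
Return-Path: <bounce@microsoft.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: "Microsoft" <account-security-noreply@microsoft.com>
To: employee@example.com
Subject: Your sign-in activity
Content-Type: text/plain; charset=utf-8

Review recent activity at https://account.microsoft.com/security
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(raw, "microsoft")
        print(name, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the two constructed messages, the script flags the lure on five counts (a lookalike From domain, a misaligned Return-Path, missing DKIM, a failed DMARC verdict, and a link to the lookalike host) and reports the legitimate message as clean. The same `classify_domain` check applies to a vendor's "new" email domain in a bank-detail change request.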


Social Engineering: Be Smart, Stay Safe

Unfortunately, there is no way to ensure that no employee ever clicks where they shouldn't. People are busy, tired, and often too trusting. But an educated workforce is a far safer one. In addition to your cybersecurity training programs, keep employees updated on common hacks and social engineering tactics. Over time, they will learn to be more skeptical and to check and double-check their sources.

Would you like to start a cybersecurity education program at your company? Integris can help. Contact us now for a free consultation.

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as Technologyadvice.com, Datamation.com, The Lane Report and many others. Connect with her on LinkedIn.
