With so many businesses especially those in the service sector having enabled the vast majority of their staff to operate remotely from their office space the tension between operational effectiveness and the interdiction of the risks posed by cybercriminals has never been more marked. The shift in the risk profile is not down to any revolutionary change of technique or IT wizardry but more the flaws in the protection brought about by human error.
A well-organised business will have in place various layers of protection, increasingly using AI, designed to identify and stop phishing emails, emails containing malevolent downloads or links; however, by themselves they are not going to rule out the risk that a determined attacker will penetrate the defences. Of course, a large number of attacks operate on the basis of targeting as many recipients in an organisation as possible, hoping opportunistically to succeed: playing the percentages. The tell-tale signs of poor use of English in emails being a giveaway have been replaced by attacks targeting particular recipients using hijacked accounts that give the appearance of being genuine. CEOs and members of Finance departments are often the particular target – the instruction from the CEO to make a money transfer to the fraudsters account or from the CFO to the CEO to authorise a financial transaction – we may think that we are sufficiently savvy to spot what seem like fairly obvious impersonation attacks but increased use by the criminals of techniques of internal business email compromise impersonation has led to many instances of theft of money and likewise theft of personal data. It is the level of sophistication of this type of phishing that has increased, designed to fool the recipient. The criminal may even engage with the target over a series of emails, designed to build up the trust and confidence of the recipient of the veracity of the situation and the action sought by the criminal.
It is a ‘gimme’ for most businesses that the value of the data they hold about their staff, about their customers, about their suppliers will have a massive value to a cybercriminal. Access to that data opens up for the cybercriminal huge opportunities for criminal activity, whether it be the onward ‘sale’ of the data on the so-called Dark Web or to enable further targeting of individuals. So, for example, as well as internal ‘lateral’ phishing some criminals are using the data obtained to perpetrate attacks elsewhere in the supply chain, network or ecosystem in which the business operates. For the employee sitting at home maybe using their own device or (more likely) multiple devices the watchword is vigilance but the reality of working from home is that there is reduced immediacy of support even down to the sharing of the issue: the “what do you think of this email I have just received?”; it’s very easy for the guard to drop.
So, IT departments need to be at the top of their game and reinforce regularly the watchwords of vigilance and disclosure; there is nothing wrong in having suspicions and airing them, indeed, that is a positive. And that same high level of vigilance is needed as regards personal inboxes as the COVID-19 pandemic has spawned a whole raft of phishing and malware attacks on individuals whether phoney emails from HMRC or other official-looking missives designed to steal data and enable cyber criminals to commit their crimes against individuals as well as businesses. Indeed in these increasingly lonely times there is bound to be a marked increase in the number of “romance scammers” using dating websites in order to seduce their victims into parting with cash: we will no doubt soon hear of COVID-19 related financial “emergencies” for which the scammers urgently need a loan of cash, accompanied by suitable sob stories.
STOP PRESS Cognizant, a Fortune 500 IT services company operating globally and which is very strong in the financial services and healthcare sectors, announced on Saturday (18 April 2020) that it had been subjected to a Maze ransomware attack. Maze malware not only encrypts data but then copies data which the cyber criminals then threaten to leak online and/or sell. Cognizant says it is working with leading cyber defence experts to “contain the incident” but naturally there will be concern about the data compromised as well as the spread of the infection to their customers. They also say they are “engaged with the appropriate law enforcement authorities” and with their customers to whom they have provided “Indicators of Compromise (IOCs) and other technical information of a defensive nature.”