The Who, How, and Why of Cyber Crime
Today, some of the most heinous cyberattacks originate in the digital space but are committed in the ‘real world.’ We’ve all heard of high-level kidnappings and the extortion of senior executives and CEOs.
How do these criminals know your senior leaders’ addresses, movements, friendships, etc.? By tapping into your systems and extracting the personal information stored in your databases, by reading emails and, in many cases, by direct contact.
When your IT infrastructure is vulnerable, so too are your employees. But high-level executives are not the usual targets. Although these are the most newsworthy cases, other employees are the ones most at risk of being targeted.
Cyberattacks: Shifting from Systems to People
Cybercriminals are becoming more likely to target your people than your systems. While cyber threats such as ransomware still present a risk that must be combatted, other threats such as phishing are taking center stage. There are two ways in which cybercriminals begin the process of attacking your people:
- Gaining access to your people’s personal information through your systems
- Gaining access to your people’s personal information through research of your people
In the first method, your systems are hacked, and information is stolen by cybercriminals. This information may be sold or used by the criminals themselves.
In the second method, cybercriminals conduct extensive research into your employees, usually online. This is known as OSINT (Open Source INTelligence): the use of publicly available information. Social media such as LinkedIn and Facebook can be very revealing, helping to build up a picture of individuals.
In both cases, the information collected can be used to gain the trust of your people or to expose them to the risk of fraud, extortion, or kidnapping. These cybercriminal strategies can also be ‘mixed and matched.’
Which of Your Employees Are Most at Risk?
Cybercriminals are casting their nets in a very targeted way. They are deliberate about who they target, whether from the information they steal from your systems or the information they can discover online – often as a combined strategy. They find out your people’s positions in your company and then learn more about them online to focus their efforts.
The most attacked people in your organization currently fall into two categories:
- Those with access to employee and company information – your HR department
- Those with access to bank accounts and responsibility for moving money – such as Accounts
Access to either of these groups gives cybercriminals opportunities to exploit their positions.
Social Engineering: How Cyber Criminals Can Attack Targeted Individuals
We often see cybercriminals use social engineering as a primary tactic to target individuals. This is described as:
“The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
This tactic relies on creating trust, which then allows the criminal to deceive the target and manipulate them into taking the action the criminal wants. Often this is done by phishing or baiting. The criminal may email or even phone an identified target, using information discovered either by hacking or online on social media accounts to gain the target’s trust. Then they ask the target to divulge information or even transfer money.
Here are a few ways in which your employees may be caught out:
- A criminal may impersonate a member of the IT support team – known as pretexting. They will speak to the target, tell them they need to adjust their settings – perhaps because of a ‘new software release’ – and take over remote control of their desktop. The criminal then has a foothold into your most sensitive business data.
- Similarly, using personal information adds legitimacy to an email phishing attack. The same tactic aimed at a senior employee, or at anyone with access to valuable company information, is known as whaling.
- A watering hole attack targets not individuals but groups of employees: the criminal discovers which website they visit most (the watering hole) and places malware on it. This redirects targets to a website under the criminal’s control, where the criminal can carry out the activity they intend.
Cybercriminals may use the trust they garner to deceive targets into resetting passwords, divulging sensitive information, sharing personal information, making monetary payments, or even sharing entire databases.
Stop Your People and Business Being Attacked by Cyber Criminals
Some simple cybersecurity rules can help you protect your employees and your business.
The first is to upgrade your systems and processes. For example, implement multifactor authentication for anyone with access to personal data, company data, HR records, and financial accounts. This makes it more difficult for hackers to gain access to this information.
Put a secure email gateway in place to prevent phishing emails. This will block malicious emails before they are delivered to your users.
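As an added illustration (not Tiro Security’s code or any particular gateway product), here are three of the header checks a secure email gateway typically applies to catch the whaling and impersonation emails described above; the company domain, the staff directory and the sample messages are constructed assumptions.

```python
# Added example: gateway-style impersonation checks on inbound email headers.
# INTERNAL_DOMAIN, DIRECTORY and the sample messages are constructed for illustration.
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"                    # assumed company domain
DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}    # assumed senior staff (lower-case names)


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(headers):
    """Return the impersonation indicators found in one message's headers."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # 1. A known executive's display name on an address outside the company domain.
    if name.strip().lower() in DIRECTORY and domain != INTERNAL_DOMAIN:
        flags.append("display_name_impersonation")
    # 2. A sender domain that is one or two characters away from the real one.
    if domain and domain != INTERNAL_DOMAIN and _edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        flags.append("lookalike_domain")
    # 3. Replies silently diverted to a different domain than the visible sender.
    reply_to = headers.get("Reply-To")
    if reply_to:
        rt_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if rt_domain != domain:
            flags.append("reply_to_mismatch")
    return flags


SAMPLE_MESSAGES = [  # constructed samples
    {"From": "Jane Doe <jane.doe@gmail.com>"},
    {"From": "Jane Doe <jane.doe@exarnple-corp.com>"},
    {"From": "Jane Doe <jane.doe@example-corp.com>"},
    {"From": "Vendor Billing <billing@vendor.example>", "Reply-To": "billing@other.example"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", assess_message(msg) or "clean")
```

A flagged message would be quarantined or tagged with a warning banner rather than delivered as-is; the checks are deliberately simple and complement, rather than replace, SPF/DKIM/DMARC validation.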
On the human side, invest in security awareness training. Ensure employees know how to spot potential criminal attacks and what to do when attacked – being especially vigilant about social engineering attacks.
In addition, train your people in the responsible use of social media. Tell them to avoid divulging information such as their location, job role, email addresses, phone numbers, etc.
Where do you start?
Contact Tiro Security today to learn how security assessments and testing can help you identify your risks and the issues that can compromise your people and business. You may be surprised to know what our penetration testing discovers.