Recognizing the tactics used by attackers and understanding how they work together can help us avoid them.
THE FLOW OF TODAY’S CYBERTHREATS
Cybercriminals use several tactics to access your personal and business data. Increasingly, they’re layering these tactics so one attack strengthens the next.
Three popular cyberattacks illustrate how these tactics feed into each other.
1. Social engineering in cybersecurity
Among the techniques cybercriminals use to trick individuals is social engineering, which involves deceiving and manipulating people to divulge personal information. Using a variety of tactics, the attackers try to convince you to drop your guard and share personal information by either giving it to them over the phone, filling out a web form, or downloading malware that gives the attacker access to your system.
There are two primary approaches attackers will take.
- Present themselves as a trusted contact, such as a friend, coworker, or company that you do business with. They’ll often gather personal details about their intended victim from social media to help make their outreach more convincing.
- Share stories about hot news topics that include links to websites that either inject malware or convince visitors to provide their personal information. For example, as everyone scrambled to get details about COVID-19, criminals created false websites and circulated bogus stories to fill their pipeline with victims.
To deliver these attacks, criminals reach out to victims directly through today’s primary modes of communication: emails, phone calls/voicemails, and SMS text messages – respectively known as phishing, vishing, and smishing. The FBI reported a 182% increase in these attacks from 2019-2021.
2. What are phishing, vishing and smishing?
While criminals can spoof phone numbers to send SMS text messages or call pretending to be someone who is trusted, the most common attacks are phishing emails.
The growth rate of phishing has been stunning: The non-profit Anti-Phishing Working Group (APWG) found the number of phishing attacks doubled from 2020 to 2021.
What is behind this growth? With so many employees working from home – and accessing corporate networks using less-secure home networks and devices – attackers know the weakest link in any company’s defense is the unsuspecting employee.
By fooling one individual, the attackers can potentially:
- Get the victim to share personal identity and financial information, such as banking, 401(k), and medical accounts;
- Convince an individual to provide login credentials to their employer’s network;
- Install malware such as ransomware on the victim’s system.
3. Ransomware: The fastest growing threat
Ransomware prevents users from accessing their files – usually by encrypting data – and then demands the victim pay a ransom to regain access. Increasingly, ransomware attacks also steal sensitive data before encrypting it, and the criminals threaten to make that information public unless payment is made.
Ransomware remains the fastest-growing cybercrime, with the FBI's Internet Crime Complaint Center reporting a 62% year-over-year increase in ransomware complaints during the first half of 2021.
Individuals who fall victim to ransomware may lose precious family photos, important legal and tax documents, and any other file kept on their computer. If the attack involves the theft of their identity and financial information, they can also face countless headaches, expenses, and challenges to get them restored.
A ransomware compromise of an individual can also provide access to their employer’s systems – which can result in costly downtime, lost business, and reputational damage for the organization. The employee’s productivity may also be reduced as they deal with recovering from the attack.
That’s why savvy employers often incorporate digital health and identity protection into their employee benefits programs.
DISRUPTING THE FLOW OF CYBERTHREATS
The good news is you can avoid becoming a victim if you know what to look for. These are common clues that you may be looking at a phishing email:
- Requests for personal information. Legitimate companies won’t email you asking for your Social Security number, bank account details, or other personally identifiable information (PII). If you want to confirm an offer or alert with the organization, do not reply to the message or use any phone numbers in the email – use the company’s official customer service contact info listed on their website.
- Suspicious email addresses. Most company emails have a self-evident corporate domain. PayPal's email domain is paypal.com, for example, so you know an email from the sender address “firstname.lastname@example.org” is not from PayPal.
- Altered logos and brand images. Companies protect their brands. If an email includes a skewed or out-of-proportion logo, it’s more than likely a scam.
- Misspelled words and poor sentence structure. Companies employ marketing, copywriting, and proofreading professionals, so if an email is littered with misspellings and incomprehensible English, it’s probably a fake.
- Non-English fonts in the text. Spam filters will block specific words. To bypass those filters, attackers spell words using letters from other alphabets that look like English letters but differ in small ways that are hard to notice. Watch out for extra dots or hooks on letters that might look like a dust speck on your screen.
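As an added illustration (not part of the original article), the checks below apply three of these clues to constructed sample messages: the sender's domain against the brand's expected domain, letters from non-Latin alphabets in the address or body (a conservative stand-in for the lookalike-letter clue), and wording that asks for PII. The sample messages, the expected domain and the keyword list are assumptions made for the example.

```python
import re
import unicodedata

# Constructed sample messages for this example (not from the article)
SAMPLES = [
    {"from": "service@paypal.com",
     "body": "Your monthly statement is available in your account."},
    {"from": "security@p\u0430ypal.com",  # second 'a' is Cyrillic U+0430
     "body": "Please reply with your Social Security number to verify."},
    {"from": "billing@example.org",
     "body": "Confirm your bank account details at the link below."},
]

# Assumption: the brand the message claims to come from uses this domain
EXPECTED_DOMAIN = "paypal.com"

# Assumption: phrases that match the article's "requests for PII" clue
PII_PATTERNS = [r"social security", r"bank account", r"password", r"401\(k\)"]


def non_latin_chars(text):
    """Return letters whose Unicode name is not LATIN (a conservative
    proxy for the lookalike-letter clue; digits and punctuation pass)."""
    return [ch for ch in text
            if ch.isalpha() and not unicodedata.name(ch, "").startswith("LATIN")]


def check_message(msg, expected_domain=EXPECTED_DOMAIN):
    """Return a list of phishing clues found in one message, in a fixed order."""
    clues = []
    # Clue: sender domain is not the brand's real domain (exact match)
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain != expected_domain:
        clues.append("suspicious sender domain: " + sender_domain)
    # Clue: letters from another alphabet hiding in the address or body
    odd = non_latin_chars(msg["from"] + msg["body"])
    if odd:
        codes = ", ".join("U+%04X" % ord(c) for c in odd)
        clues.append("non-Latin characters: " + codes)
    # Clue: the message asks for personally identifiable information
    for pat in PII_PATTERNS:
        if re.search(pat, msg["body"], re.IGNORECASE):
            clues.append("requests PII: " + pat)
    return clues


if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["from"], "->", check_message(msg) or ["no clues found"])
```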
Want to see how adept you are at spotting scams? The American Bankers Association (ABA) has a fun online quiz called Banks Never Ask That that presents six possible phishing scenarios. For each one, you decide whether the message is suspicious or legitimate.
You can also take our Identity Theft Quiz to see how effective your current habits are at protecting your digital safety and security.