May 2023 Newsletter - If you’d like to read this newsletter at the same time as our subscribers, please sign up here.
Sophisticated New Cyber Attacks Have Begun: What You Must Know
The one constant in cyber security is that criminals continually change their tactics. This month’s newsletter includes a look at two very new types of attacks and the risks they pose to your systems, data and potentially your online presence.
SEO Poisoning is a new type of phishing attack that criminals developed in response to one of the top rules in cyber security: Never click on links in emails or text messages. Because that advice is working, criminals are now building spoof websites and using search engine optimization tactics to get them to the top of search results. I have also seen documented cases where criminals buy search ads to try to bring people to their scam sites.
Criminals still send fake emails and texts with bogus links, but now they expect that people will not click on them. The victim does a quick search, clicks on the first link they see, and winds up at the same scam website, where criminals are waiting to harvest login credentials or distribute malware. The end result is the same.
Does this mean that search results and search ads cannot be trusted? In some cases, yes. Fortunately, the same employee training techniques that thwart phishing attacks can be used to stop these attacks. You must train employees to be vigilant and suspicious, then show them how to identify potential threats.
The risk of malware or a breach is bad enough, but SEO Poisoning also harms the reputation of businesses whose pages or sites are compromised by criminals carrying out these attacks. You do not want to be delisted from search engines, and you do not want your customers to be fearful of visiting your site or clicking your ads. This requires an added level of vigilance on your part, which I discuss in this month’s top story, SEO Poisoning: Train Employees, Watch Your Search Results.
Personalized Phishing Sets a New and Disturbing Bar
The Washington Post details one of the most disturbing phishing attacks ever reported. A sales director from an Indian technology firm received a phone call displaying the company founder’s picture. Answering the phone, the sales director heard the founder’s voice, but the call almost immediately dropped.
This was followed by a WhatsApp text, again allegedly from the founder, who claimed he was having cellular service issues. He asked the sales director for help moving a large sum of money to a new bank.
The scam unraveled when the sales director asked his manager for assistance, and the manager started asking questions. Investigators later discovered that criminals had used clips of the founder’s public appearances to create a deepfake version of his voice to launch the attack and build trust with the employee. Were it not for the manager’s suspicions, the attack may have been successful.
We have previously reported on the risks of sharing too much company information online, as well as the reasons employees ignore cyber security policies. Data from 2022 found an increase in cyber attack success when criminals phoned a target to ask for help. If the voice coming out of the phone sounds like the boss, employees may react without question.
The highly sophisticated attack reported by The Washington Post was designed for a high-dollar heist. That may not be a concern for smaller businesses or those who lack access to significant databases of information that criminals want, but it does show that capabilities are evolving. History shows that these sophisticated attacks become commonplace as hackers share information, techniques and tools, making it only a matter of time before attacks using AI-generated phony supervisors become widespread.
Stat of the Month
The growth in lawsuits filed after businesses notified customers of a security breach from 2018 to 2022, according to SecurityWeek. In its review of the 9th Annual BakerHostetler Data Security Incident Response Report, SecurityWeek noted that there were just 4 lawsuits filed in 2018, compared with 42 in 2022. The total number of 2018 lawsuits matched the 2022 total for lawsuits filed following breaches where fewer than 1,000 people were notified.
New state data privacy regulations are contributing to this trend, along with pushback from insurance companies over claims. The added costs of legal defense make an investment in cyber security employee training even more valuable as a defensive measure for businesses.
Free 30-Minute Seminar on May 25
When You Can’t Trust Anything, How Can You Prevent Attacks?
Cyber criminals are upping their game with search ads, organic search listings and personalized communications to drive employees to sites that steal logins and download malware. The methods of these attacks may be new, but the scams themselves are old and easy to spot, if your employees know to trust their instincts.
I invite you to join me for a free, 30-minute seminar at 3PM EDST on Thursday, May 25. “Increase the Effectiveness of Security Awareness Training by Making It Personal” will show you how I unlock the most powerful tool everyone has to stop cyber attacks: their own innate suspicion. By training employees to ask questions and follow their gut instincts, any cyber attack, no matter how sophisticated or personalized, can be stopped.
If your current employee training has failed to stop phishing attacks, or if you are concerned about SEO Poisoning, AI and deepfake attacks, you do not want to miss this presentation.
Sign up here.
Your Battery Could Be Warning You of a Cyber Attack
Here’s a very simple technique anyone can use to detect a potential hack: Watch your battery life.
Most of us pay little attention to how frequently we charge laptops, smartphones and other wireless devices. We also expect battery life to decline as our devices age, or if we are spending more time than usual on a device while traveling.
These factors can all contribute to shorter battery life, but so can malware. If your battery seems to be draining faster than usual, it could be a sign that a malicious program is running in the background, or that your device is continually transmitting data.
Any sudden or unusual change in battery life or the responsiveness of a device warrants investigation. Turn the device off and on to see if a reboot improves performance. Check the data monitoring function on your phone or laptop to see if there has been any unusual increase in data transmission. If you find something you do not recognize, or if the device continues its odd behavior, have it professionally scanned for malware.
Speaker Topics Now Available
Do you need a speaker for an upcoming conference, trade show or company event? Visit our Cyber Security Speaker page and download our Speaker Topics PDF, offering a list of current topics from Protect Now Head Trainer, Robert Siciliano. Robert’s entertaining, engaging presentations get audiences excited about cyber security and teach simple methods to keep data and devices safe from hackers.
No phishing or malware attack, no matter how advanced, can succeed unless an individual takes an action. Stopping those actions must be the focus of training. If you cultivate employees and business practices that reinforce good cyber habits, hacking attempts will fail.
You can create an unhackable workforce. It begins with teaching employees to ask the right questions. Why is eBay reaching out to me about an order? Why would my bank threaten to shut down my account? Why would my boss give gift cards to a client? Vigilance begins with assessing situations and approaching them with a reasonable level of suspicion.
Phishing attacks have become more sophisticated because training has made it harder for criminals to trick people. That’s a win for cyber security, but it comes with the challenge of new tactics, and employee training must be brought up to date in response.
Stay safe out there,
Robert & the Protect Now Team