The latest methods cyber-criminals are using to make a fool of you
April Fool’s Day saw everyone from large global brands to friends and families play jokes on each other. The month may have started on a lighter note, but the ongoing cybersecurity threat to both businesses and individuals is no laughing matter. While organizations spent time admiring the best pranks, cyber-criminals were upping their game even further to identify and target victims through new and innovative methods.

About the author

David Higgins is EMEA Technical Director at CyberArk.

Traditionally, one of their preferred tactics has been phishing. The social engineering technique has been used successfully for years to coax corporate employees – as well as unsuspecting consumers – into handing over sensitive information such as payment details or passwords. The level of sophistication of these attacks has, however, drastically increased in the context of COVID-19.

IT management teams need to be prepared for the huge amount of innovation coming from the cybersecurity industry currently. That includes being mindful of emerging tactics, and of how they and their employees can protect against them.

Deepfakes as a growing threat

We know the success of a phishing attack relies on credibility. Cyber criminals rely on people believing they are someone else to gain access to networks, whether it’s via a credible-looking email coming from a supposedly legitimate source, or a fake video message spoofing a trusted colleague. This is why deepfakes are raising concerns – anyone can choose to look like someone else, with apparent authenticity.

In fact, the FBI warned earlier this year that malicious threat actors will ‘almost certainly’ be using deepfakes as a tactic to advance their cyber operations over the next twelve to eighteen months. Deepfake technology has the potential to change the phishing landscape completely because it allows threat actors to move beyond text, and take advantage of the deep level of trust that comes with video or verbal communication.

Deepfake videos have already been used successfully to spread disinformation, mostly political in nature, and it’s only a matter of time before this technique is used to achieve other goals. The highly-competitive nature of business means that there’s also a strong possibility that we’ll see a rise in disinformation campaigns intended to discredit rivals, such as that by telecoms group Viettel.

It’s time for IT teams to understand the threat this technology poses to their business and put measures in place to educate employees about deepfake attacks, as it’s likely they will be targeted using these tactics in the near future.

VoIP ingenuity proving successful

Vishing is yet another example of the ingenuity of cyber criminals and the constant evolution of their tactics, techniques and procedures.

Defined as unsolicited phone calls or voice messages fraudulently made by someone purporting to be a trusted service or colleague, vishing is becoming increasingly common as attackers use voice over internet protocol (VoIP) technology to make these calls over the internet, rather than having to use an original phone line. The volume of such attacks has drastically increased during the pandemic too, with the UK’s National Cyber Security Centre (NCSC) warning of attacks of this kind in its recent advisory report on working from home safety.

We know vishing attacks are already proving successful too, with hackers famously using the tactic last year to target, and successfully control, the Twitter accounts of CEOs, businesses, celebrities and politicians, including Joe Biden, Jeff Bezos, Apple and Uber.

Voice adaptation technology to fool victims

We already know false representations aren’t limited to just the video format. Yet, above and beyond vishing, many hackers are experimenting with voice adaptation software which allows them to mimic the voices of contacts known to victims when conducting audio-based phishing attacks, such as via phone calls or even via audio files.

This software is opening up the number of attack vectors available to malicious actors and IT teams need to be wary of these new avenues. Social engineering techniques are constantly being developed to lure unsuspecting employees into handing over money, information and credentials, which is hugely worrying considering tools such as voice adaptation technology are becoming accessible to anyone and everyone.

BEC and phishing attacks are still causing havoc

35% of businesses globally experienced spear phishing in 2020, and 65% faced BEC (business email compromise) attacks. These techniques may have been around for a long time, but they’re still the most powerful tool in a cyber criminal’s arsenal and people continue to fall for them.

BEC attacks are among the most damaging online crimes, and the NCSC found they were the main cause of cyber insurance claims in 2019, which isn’t surprising considering how often they successfully target organizations of all sizes. But why are people still falling for them? The answer is that hackers rely heavily on technology innovation and stolen credentials to make their attacks far more sophisticated than we’re used to seeing. The introduction of greater variety – and novelty – to these attack routes increases their chances of success substantially.

Protecting your business with an ‘assume breach’ mentality

Cybercriminals have the upper hand, with businesses still falling foul of social engineering techniques. It’s time for organizations to take charge of their cyber security strategies and adopt an ‘assume breach’ mentality.

The best way to start a strong, multi-layered approach to cyber defense is by being proactive, not just reactive, in the protection of the sensitive credentials that attackers seek the most. Above all, organizations should prioritize three measures to reduce a cybercriminal’s chance of phishing success: AI-based detection tools to identify vishing and deepfake attacks, privileged access management policies to restrict access to sensitive areas of the network, and employee education to ensure they remain vigilant to all possible threats.

David Higgins

EMEA Technical Director, CyberArk.
