Looking out for cybercriminals’ latest tricks this April Fool’s Day
Wed 31 Mar 2021 | David Higgins
IT teams must prepare employees for a new wave of innovation in the phishing industry, or risk being made a fool of.
Cybercriminals are in the business of foolery and trickery. April Fool’s Day, for them, is another opportunity to launch an attack. This year though, criminal hackers have been developing their tactics to exploit new weaknesses in networks across the world. Businesses have to update their defences to avoid being taken in.
One of the most common tactics cybercriminals use is phishing, and businesses as well as individuals pay a heavy toll when hooked. The well-established method involves luring targets into offering sensitive information such as payment details or passwords by way of social engineering.
Independent criminals and nation states use phishing on a massive scale. In the two months following the launch of its new Suspicious Email Reporting Service last year, the National Cyber Security Centre (NCSC) received over one million reports of suspicious emails – the most common form phishing takes. But criminals are also developing methods to exploit other channels of attack.
More than just a party trick: Deepfakes as a threat
We know the success of a phishing attack relies on credibility. Cyber criminals rely on people believing they are someone else to gain access to networks, whether it’s via a credible-looking email coming from a supposedly legitimate source, or a fake video message spoofing a trusted colleague. This is why deepfakes are raising concerns – anyone can choose to look like someone else, with apparent authenticity.
In fact, the FBI warned earlier this year that malicious threat actors will ‘almost certainly’ be using deepfakes as a tactic to advance their cyber operations over the next twelve to eighteen months. Deepfake technology has the potential to change the phishing landscape completely because it allows threat actors to move beyond text, and take advantage of the deep level of trust that comes with video or verbal communication.
Deepfake videos have already been used successfully to spread disinformation, political disinformation in particular, and it’s only a matter of time before attackers use them to achieve their goals. As businesses and actors continue their hunt for profit, there’s also a strong possibility that we’ll see more disinformation campaigns launched to discredit rivals, such as that by telecoms group Viettel.
It’s time for IT teams to understand the threat this technology poses to their business and put measures in place to stop deepfake attacks, as it’s incredibly likely they will be targeted by those using these tactics in the near future.
VoIP phishing hoaxes see success
Vishing is yet another example of the ingenuity of cyber criminals, and the constant evolution of their tactics, techniques and procedures.
Defined as unsolicited phone calls or voice messages fraudulently made by someone purporting to be a trusted service or colleague, vishing is becoming increasingly common as attackers use voice over internet protocol (VoIP) technology to make these calls over the internet, rather than having to use a traditional phone line. The volume of such attacks has drastically increased during the pandemic too, with the UK’s NCSC warning of attacks of this kind in its recent advisory report on working from home safely.
We know vishing attacks are already proving successful too, with hackers famously using the tactic last year to target, and successfully take control of, the Twitter accounts of CEOs, businesses, celebrities and politicians, including Joe Biden, Jeff Bezos, Apple and Uber.
Don’t be duped by voice adaptation technology
We already know false representations aren’t limited to just the video format. Yet, above and beyond vishing, many hackers are experimenting with voice adaptation software which allows them to mimic the voices of contacts known to victims when conducting audio-based phishing attacks, such as via phone calls or even via audio files.
This software is opening up the number of attack vectors available to malicious actors and IT teams need to be wary of these new avenues. Social engineering techniques are constantly being developed to lure unsuspecting employees into handing over money, information and credentials, which is hugely worrying considering tools such as voice adaptation technology are becoming accessible to anyone and everyone.
Still up to their old tricks: spear-phishing in 2021
In 2020, 35% of businesses globally experienced spear phishing and 65% faced BEC (business email compromise) attacks. These techniques may have been around for a long time, but they’re still the most powerful tool in a cyber criminal’s arsenal and people continue to fall for them.
BEC attacks are among the most damaging online crimes, and the NCSC found they were the main cause of cyber insurance claims in 2019, which isn’t surprising considering how often they successfully target organisations of all sizes. But why are people still falling for them? The answer is that hackers rely heavily on technology innovation and stolen credentials to make their attacks far more sophisticated than we’re used to seeing. The introduction of greater variety – and novelty – to these attack routes increases their chances of success substantially.
Adopting an ‘assume breach’ mentality
Being bold and adopting an ‘assume breach’ mentality is the best way for organisations to evade cybercriminals’ advanced tricks this year. They must be proactive, not reactive, to protect the sensitive credentials that attackers seek.
Organisations can use three distinct measures to reduce cybercriminals’ chance of success using phishing. First, use AI-based tools accompanied by strict verification procedures to detect vishing and deepfake attacks. Second, improve their privileged access management policies to restrict access to sensitive areas of a network. Third, educate employees about security best practice through mandatory training sessions.
No one wants to suffer the consequences of a serious cyber-attack. But the challenge of identifying advanced phishing threats is increasing. Businesses must respond with urgency to avoid being fooled.