It would be an understatement to say that 2020 was a year of transformation. Many trends that were already well underway were accelerated by the pandemic and the shift to Work From Home. Sadly, cybercriminals follow the opportunities and look for the low-hanging fruit when it comes to finding their next victims, and they were savvy enough to quickly shift their attacks on personal vulnerabilities to this new Work From Home paradigm.
This is very significant to the average person, as most people who are victims of a cyberattack find themselves on the wrong end of credential theft or ransomware, and both of these types of incidents often start with Phishing and Social Engineering. So let’s go over a few areas where Phishing and Social Engineering have evolved in 2021.
Cybercriminals utilizing phishing in order to scam individuals exploited the COVID-19 pandemic in a major way. In mere moments after countries locked down and started adapting to the reality of the situation, the bad guys were coming up with schemes to exploit people’s fears, vulnerabilities, and even their generosity to steal money, infect devices, and cause other damage.
While COVID-19 scams are still very much around, expect the trend to shift to other current events that capture our attention. With the constant barrage on social media and 24/7 news outlets, it’s natural that we move on to the next big thing as soon as it makes headlines, and criminals will use this against us.
As we move into the next big news story, expect to see phishing scams pop up right away, designed to make you drop your defenses and react before thinking it through. If there’s anything we know from living through 2020, it’s that the narrative can shift at a moment’s notice. We have to stay vigilant and try to avoid being too reactive when we see an alarming email or text message that could be trying to exploit us.
Phishing as a Service Lowers the Barrier to Entry
There’s a lot of money to be made by getting ransomware payoffs or committing identity theft, but there’s also money to be made in developing cyber-attack tools and distributing them on the Dark Web. Then someone who has a little cryptocurrency can go out, purchase these tools, and begin their own Phishing enterprise with malware already made for them. Just like you might learn how to cook by ordering meal delivery kits from Hello Fresh, cyber-attack toolkits are becoming more readily available online.
This is a pervasive cycle. As phishing attacks continue to pay dividends for criminals, technical security to fight back becomes more sophisticated, leading hackers to make more powerful phishing kits. We should do everything we can to keep up with the technical risks, but there is nothing more powerful to push back against Phishing and Social Engineering than an engaged person who watches out for the potholes created by cybercriminals on the web.
Industrialized and Customized Attacks
While cybercrime is illegal, the individuals who perpetrate this kind of crime operate in many ways like rational businesspeople. Phishing is not only profitable for criminals, but it also has a low cost of entry and is low risk to perpetrate.
On top of that, many phishing attacks are not random. Spear phishing in particular has the goal of finding a specific, high-value target for exploitation. Sometimes, these attackers will do their homework before initiating a full-blown attack. They will look for information on their target on social media, or use basic technical tools to gain information about the system they seek to break into, so that the attack can go after the target’s specific vulnerabilities.
This approach is becoming more common, and your best defense against this is being careful about the information you share publicly, having awareness and thoughtfulness about how you use your computing devices, and maintaining a consistent and steady approach to evaluate and identify areas of risk to cut off those avenues for cybercriminals.
While industrialized attacks look to target you or your organization specifically, your team’s goal should be to make your target as small as possible by having strong cyber hygiene practices in place.
Thoughtfulness is the key to safe computing in a world where we must deal with threats to both our technology and the people behind the technology. Even though we make serious investments in tools like spam filters, data backups, anti-malware software, and much more, we can’t expect these solutions to be foolproof. Think of it like driving. Wearing a seat belt dramatically reduces your risks, but we still obey the rules of the road and remain aware of what surrounds us to avoid an accident in the first place. Cybersecurity requires the same kind of mindset.
Thanks again for tuning in. What threats are you looking out for in 2021? We would love to hear more in the comments. Until next time, stay vigilant, my friends.