As anti-malware software and firewalls improve, the classic ‘barging in through the front door’ methods criminals use to breach a network or deliver malware and ransomware have given way to gaining access through social engineering, that is, fooling the humans. Why waste time trying to knock down the castle gates when you can trick somebody into giving you the key to the side entrance?
The goal of social engineering – phishing, phone and email impersonation, poisoned emails or websites – is to obtain somebody’s passwords, credentials or identity. Armed with those, a criminal can steal data or money directly, or a more sophisticated gang can use the compromised machine or identity as a foothold in the organisation’s network and then move laterally through it.
They may lurk inside the network for weeks or even years, observing emails, passwords, relationships with customers and suppliers, the management structure, and confidential data. Once they have gathered enough intelligence, they go for the bigger scores: intercepting or impersonating emails to divert payments for large transactions to their own accounts, sending instructions as if from senior management, or compromising customers’ or suppliers’ networks through the trust those organisations place in the breached company.
Only in the end game might they exfiltrate as much company data as possible, run ransomware across the company’s machines, and attempt to extort a ransom.
If you have good firewall and anti-malware protection, how do the attackers get in?
Usually because someone has responded in good faith to an email, browser popup or webpage and been duped into entering their account login details. Or has found a ‘lost’ USB stick on the street outside the office and plugged it in out of curiosity to see what is on it. Or has brought an infected personal device into work and attached it to the company network.
A newer angle: with the rise of generative AI for text, images, voice and video, convincing impersonation by email, phone call or video call has become far cheaper and easier. That video call from your CEO requesting an immediate bank transfer? It could be an AI-generated deepfake.
How do you protect yourself from cyber attack?
Education. Individuals need to be trained to think critically, recognise suspicious online behaviour and risky situations, and practise the responses that keep everybody safe:
- not reacting immediately or unthinkingly to a perceived urgency;
- never clicking links in emails or on websites without verifying both the sender and the link’s actual destination (the address the link points to, not the text it displays);
- verifying unusual requests independently, with another senior person or through a different channel from the one the request arrived on;
- reporting any suspicious activity to the security or technical team.
To make this work, a company has to have best practices, plans and policies in place, and a continuing programme of education.
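The advice above to check where a link really goes can be partly automated. The following is an added example, not code from the original article: it pulls every link out of an HTML email body and flags the tricks phishers commonly use to make a destination look legitimate. The email body, the hostnames and the IP address in it are constructed for illustration, and the `trusted` parameter (the organisation’s own domain) is an assumption. The registrable-domain check is deliberately crude (last two labels); a real mail filter would use the Public Suffix List.

```python
"""Flag deceptive links in an HTML email body (added example, standard library only).

The sample email below is constructed; its domains and IP address are
placeholders, not real phishing infrastructure.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link followed by three deceptive ones.
SAMPLE_EMAIL = """
<p>Your invoice is ready. <a href="https://portal.example.com/invoice/42">View invoice</a></p>
<p>Please sign in: <a href="https://portal-example.com.login-check.net/">https://portal.example.com/login</a></p>
<p>Reset password: <a href="https://portal.example.com@198.51.100.23/reset">portal.example.com</a></p>
<p>Security notice: <a href="https://xn--80ak6aa92e.com/">Security centre</a></p>
"""

# Visible link text that a reader would take to be a URL or hostname.
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    """Lower-cased hostname of url, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _site(host):
    """Crude registrable-domain approximation: the last two labels.
    A production filter would consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def check_link(text, href, trusted=("example.com",)):
    """Return a list of human-readable reasons this link looks deceptive (empty if none).

    `trusted` is the organisation's own domain(s); an assumption for this example.
    """
    reasons = []
    parts = urlparse(href)
    host = (parts.hostname or "").lower()

    # 1. Userinfo trick: browsers ignore everything before '@' and connect to the real host.
    if "@" in parts.netloc:
        reasons.append("'@' in URL; the real host is %s" % host)
    # 2. Punycode label: a possible homoglyph look-alike of a familiar name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (xn--) label; possible look-alike domain")
    # 3. Raw IP address instead of a name.
    if _IPV4.match(host):
        reasons.append("host is a raw IP address")
    # 4. The visible text is itself a URL/hostname, but the href goes somewhere else.
    if _LOOKS_LIKE_URL.match(text):
        shown_host = _host(text if "://" in text else "https://" + text)
        if shown_host and _site(shown_host) != _site(host):
            reasons.append("displays %s but links to %s" % (shown_host, host))
    # 5. A trusted brand name embedded in a host whose registrable domain is not the trusted one.
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host and _site(host) != t:
            reasons.append("contains '%s' but registrable domain is %s, not %s" % (brand, _site(host), t))
    return reasons


def scan_email(html, trusted=("example.com",)):
    """Return [{'text', 'href', 'reasons'}, ...] for every link in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [{"text": text, "href": href, "reasons": check_link(text, href, trusted)}
            for text, href in collector.links]


if __name__ == "__main__":
    for link in scan_email(SAMPLE_EMAIL):
        verdict = "OK " if not link["reasons"] else "SUSPICIOUS"
        print(verdict, link["href"])
        for reason in link["reasons"]:
            print("    -", reason)
```

The honest invoice link produces no findings; the other three each trip at least one rule. None of these checks proves a link is malicious, so the output is best used to route a message to a human for the independent verification the training above calls for, rather than to block it outright.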