Enterprises and computer users can learn a thing or two from the Israeli Army. During summer 2018, Israeli soldiers scrolling through Facebook thought nothing of the friend requests they got from unknown yet attractive individuals. The alluring potential partners would then proceed to win the trust of soldiers and military administration after successfully entering the target’s online circle of friends.
However, what appeared to be a common trend in one of the world’s most popular social media hubs was actually an elaborate phishing operation carried out by Hamas, a sworn enemy of Israel. Hamas stole the identities of unsuspecting Facebook users and used spyware apps to hack the soldiers’ smartphones. Once the soldiers downloaded the malware, which came in the form of dating apps, Hamas would then extract sensitive information on the troops’ deployment in the region.
Israel Defense Forces (IDF) conducted an investigation as soon as they started receiving complaints from soldiers who received friend requests from strangers and were asked to download suspicious dating apps on Google Play. Following their investigation, the IDF released new guidelines for soldiers to follow if they continued to encounter fake profiles online.
Hamas’s phishing technique is just the tip of the iceberg. These hacks now come in many forms, but they all have the same dark intentions. However, there are also new solutions and tools that will help organizations and individuals protect their personal data.
Online Romance Scams
Early in 2018, a man romanced an American nurse through social media and scammed her out of $50,000. Her personal information was also at the mercy of the man, with whom she had exchanged private messages. However, the persona, photos and profile the thief had shared with her were counterfeit. He threatened to release her private details on the internet if she told anyone of the crime.
This is an important point for users of corporate as well as government computer networks: don’t expose private details to anyone you cannot physically verify.
According to the FBI, online love scams are one of the fastest-growing crimes online. The Bureau reports that in 2016, hackers stole nearly one billion dollars from victims of phishing. Most of the time, these cybercriminals would pose as a man in uniform to appear trustworthy. Gabe Fanelli, whose photo was used to phish the registered nurse and several other women, is just one of several military men whose identity had been stolen and used to scam people.
Online scammers are hard to trace. That’s why the FBI warns Internet users to be cautious of who they meet online and discourages wiring money to people they’ve never met in person.
Last year, the world identified new cybersecurity threats and saw numerous data breaches, including the hacks of Verizon and Equifax. This focus on enterprises seems to be the new trend in phishing. According to the latest Phishing Trends and Intelligence report by PhishLabs, cybercriminals have now turned away from consumers and toward large enterprises.
The reason behind this change is simple. By stealing from businesses, cybercriminals have more opportunities to cash in on stolen information. Regardless of the tactic or the channels used in the hack, humans remain the most vulnerable to these attacks. Personal information can be stolen in a matter of seconds and can be used against organizations.
Spear phishing involves a personalized attack where cybercriminals send their victims emails containing personal information that is readily available online. Placing that information in the email leads the recipient to believe that the sender is someone they know.
The goal of spear phishing is to get the recipients to click a malicious URL or an email attachment, which will then grant hackers access to their victims’ personal and corporate credentials. Spear phishing is arguably the most effective vector against unwary computer users. It involves the simplest of scams.
For example, this type of scam can mimic day-to-day operational activities. One might receive an email that is supposedly from HR, asking them to verify certain information. Unsuspecting staff will confirm and even supplement their response with data critical to the security of the enterprise.
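A header check that a mail gateway or triage script could apply to the "email from HR" case described above. This is an added example, not part of the original article; the domain `example.com`, the team names and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's mail domain and the
# internal team names an attacker is likely to impersonate.
INTERNAL_DOMAIN = "example.com"
INTERNAL_NAMES = ("hr", "human resources", "payroll")

def _domain(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def _claims_internal_team(header_value):
    """True if the display name contains an internal team name as whole words."""
    name = parseaddr(header_value or "")[0].lower()
    padded = " " + " ".join(re.findall(r"[a-z]+", name)) + " "
    return any(f" {team} " in padded for team in INTERNAL_NAMES)

def spear_phish_signals(raw_message):
    """Return header-level warning signs for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "")
    signals = []
    if _claims_internal_team(sender) and _domain(sender) != INTERNAL_DOMAIN:
        signals.append("internal-name-external-sender")
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != _domain(sender):
        signals.append("reply-to-domain-mismatch")
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "HR Department" <hr@examp1e-benefits.test>\n'
    "Reply-To: verify@mailbox.test\n"
    "Subject: Please verify your employee record\n\n"
    "Confirm your details by replying to this message.\n"
)
GENUINE = (
    'From: "HR Department" <hr@example.com>\n'
    "Subject: Open enrollment dates\n\nSee the intranet.\n"
)
COLLEAGUE = (
    'From: "Christopher Lane" <c.lane@partner.test>\n'
    "Subject: Meeting notes\n\nAttached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("colleague", COLLEAGUE)):
        print(label, spear_phish_signals(raw))
```

The whole-word match matters: a plain substring test for "hr" would also flag a sender named Christopher.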
Companies can avoid more spear-phishing attacks by making employees aware of the internal protocols and guidelines for preventing these cyber threats. They can also implement two-factor authentication to eliminate such risks. Better yet, companies can opt to use plug-in security keys, which are a different type of two-factor authentication.
Google, for instance, solved their phishing problem by giving all 85,000 employees USB security keys. The hardware comes with a unique encryption key. Attackers who try to log in with stolen passwords but do not have that encryption key are unable to access the information they want.
The tech giant will start selling their plug-in security keys soon, giving companies and individuals the opportunity to reduce the risk of being hooked by a phishing expedition.
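A simplified model of why a stolen password is not enough once a security key is enrolled, added here as an illustration and not taken from the article or from any vendor's code. It assumes an HMAC over a shared secret in place of the public-key signature real keys produce, and it goes one step beyond the text by also binding the response to the site's origin; the class names, user and URLs are hypothetical.

```python
import hashlib
import hmac
import secrets

class SecurityKey:
    """Stand-in for a plug-in key: its secret is generated on the device."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def enrollment_secret(self):
        # Simplification: a real key registers a public key, not the secret.
        return self._secret

    def respond(self, origin, challenge):
        return hmac.new(self._secret, origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()

class LoginServer:
    ORIGIN = "https://login.example.com"  # constructed site name
    def __init__(self):
        self._users = {}

    def enroll(self, user, password, key_secret):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt), key_secret)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, user, password, challenge, response):
        salt, pw_hash, key_secret = self._users[user]
        password_ok = hmac.compare_digest(pw_hash, self._hash(password, salt))
        # The server only accepts a response computed over its own origin.
        expected = hmac.new(key_secret, self.ORIGIN.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        key_ok = response is not None and hmac.compare_digest(expected, response)
        return password_ok and key_ok

def demo():
    key, server = SecurityKey(), LoginServer()
    pw = "correct horse"
    server.enroll("alice", pw, key.enrollment_secret())
    challenge = secrets.token_bytes(32)
    good = key.respond(LoginServer.ORIGIN, challenge)
    relayed = key.respond("https://login.examp1e.test", challenge)
    return {"owner_with_key": server.login("alice", pw, challenge, good),
            "stolen_password_only": server.login("alice", pw, challenge, None),
            "relayed_from_lookalike": server.login("alice", pw, challenge, relayed)}
```

`demo()` reports a successful login only for the owner holding the key; the correct password alone, or a response produced while the user is on a lookalike site, is rejected.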
Worldwide Cybersecurity Regulations
The emergence of new technologies has made life easier for Internet users, but it has also made them more vulnerable to cyber attacks. Data protection is a real concern worldwide. As of May this year, the European Union’s General Data Protection Regulation (GDPR) finally became enforceable by law, giving EU citizens the protection they need against cybercriminals.
The GDPR requires companies, local or foreign, to protect EU citizens’ personal data. Organizations that fail to do so will face fines of up to four percent of their global turnover of the preceding fiscal year. The EU Commission is bound to hold major conglomerates accountable for their violations. Since, as mentioned, there has been a massive increase in enterprise-focused cyberattacks, the world should start seeing more global companies implementing better security solutions and cyber defenses to protect data and eliminate these threats.
Cybercriminals and the information security professionals defending against them are engaged in a perpetual game of one-upmanship. Based on the trends mentioned, it’s unlikely that fraud will be eliminated in 2018. The most effective means to reduce enterprise and personal loss through phishing is user education.
Companies need to train employees in a workshop environment to spot phishing expeditions and report them to the IT department. Until technological solutions appear that can call out and block phishing, the first line of cyber defense is people.
Training externally through a qualified resource requires ample research. Should you need advice or assistance, Coranet can connect you to reputable firms to ensure expectations are met and exceeded.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, IT Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information.