Does defeating cybercriminals mean we need to try thinking like they do?
The kind of people who commit cybercrime aren’t CEO material. They aren’t even necessarily the I.T. whiz or hacker type; cybercrime doesn’t require a serious technical skill set. The crooks behind online fraud attacks are using technology, certainly, but they are consumers, not experts.
Cybercriminals are opportunistic and improvisational in their approach. Like guerrilla fighters, they aren’t going to mount a frontal assault against your company’s defences; they’ll look for backdoors and exploits that can get them inside the walls.
Digital letter bombs
The vast majority of cybercrime attacks - around 90% - are instigated through email and that’s because email is a simple, inexpensive way to mount a sneak attack.
Scam emails are the letter-bombs of the digital era. It’s no accident that email is the cybercriminal’s weapon-of-choice; email allows them to get their payloads inside your company’s perimeter where they can be deployed against the people who work there.
The weapon might be a phishing attack seeking to harvest login credentials, or a malware payload that installs damaging code on your computers. Either way, the attack will be aimed at a regular person sitting at a desk who will have no idea they are under attack until it’s too late.
How do cyber-attacks work?
Chris is an accountant in a large logistics and transport company.
Tuesday morning an email arrives in Chris’s work inbox, with the subject line: “your account: important notification.”
The email sender field says “account administrator.”
Chris opens the message:
“Attention: there’s some unusual activity on your email account. Please verify your user settings immediately to prevent your account being suspended for security reasons. Click on the link below to log-in and verify your email account...”
At the bottom of the message is a link button. Chris clicks on the link and it opens a browser window showing a login page with Microsoft trademarks, asking for an email address and password. The page accepts Chris’s login details and shows him a page with the message: “thank you for verifying your account - your email will now continue to work normally.”
Chris gets back to work and thinks nothing more about the email.
Meanwhile, cybercriminals now have Chris’s email login credentials, giving them access to the company’s computer system and cloud file storage.
The email Chris received was, of course, a scam and the login page that accepted Chris’s details was a phishing site.
Scams like this are cheap and easy for criminals to execute and they continue to be effective because the average person can’t tell the difference between a genuine email notification and a fake.
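The warning signs in Chris’s message can be checked mechanically before the email reaches an inbox. The following Python script is an added example, not MailGuard’s code: it runs three simple checks over a constructed message modelled on the one above (a generic “administrator” display name sent from outside the recipient’s domain, account-suspension urgency wording, and a Microsoft-branded link pointing at a host outside an assumed allow-list of Microsoft sign-in domains).

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the message in the scenario above; every address is a placeholder.
SAMPLE_EMAIL = """\
From: account administrator <admin@mail.example.net>
To: chris@logistics.example.com
Subject: your account: important notification
Content-Type: text/html

<p>Attention: there's some unusual activity on your email account.
Please verify your user settings immediately to prevent your account
being suspended for security reasons.</p>
<a href="http://login-verify.example.org/owa">Click here to log in to Microsoft</a>
"""

URGENCY_PHRASES = ("unusual activity", "verify", "immediately", "suspended")
# Assumed allow-list: hosts a genuine Microsoft sign-in link would point to.
TRUSTED_LOGIN_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(raw_email):
    """Return the reasons a message looks like credential phishing (empty list = none found)."""
    msg = message_from_string(raw_email)
    reasons = []
    sender = msg.get("From", "").lower()
    sender_domain = sender.rsplit("@", 1)[-1].rstrip(">")
    recipient_domain = msg.get("To", "").lower().rsplit("@", 1)[-1].rstrip(">")
    # 1. A generic "administrator" display name sent from outside the recipient's own domain.
    if "administrator" in sender and not host_in(sender_domain, (recipient_domain,)):
        reasons.append("generic admin display name from external domain " + sender_domain)
    # 2. Account-suspension urgency wording in the body.
    body = msg.get_payload()
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if len(hits) >= 2:
        reasons.append("urgency wording: " + ", ".join(hits))
    # 3. A link whose visible text invokes the Microsoft brand but whose host is not a Microsoft domain.
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        if "microsoft" in text.lower() and not host_in(host, TRUSTED_LOGIN_DOMAINS):
            reasons.append("Microsoft-branded link points to " + host)
    return reasons
```

Each check on its own is weak; a gateway would combine such indicators with sender authentication (SPF/DKIM/DMARC) and URL reputation before quarantining a message.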
Thinking like scammers
BEC - Business Email Compromise - is a fast-growing problem. Every day, criminals are sending out millions of scam messages like the one described in the example above.
MailGuard detects and intercepts new BEC attacks constantly and although the mechanisms of the attacks vary, the common characteristic is that they are relying on people’s trusting nature and lack of cybercrime awareness to succeed.
Learning to combat cybercrime effectively requires a thinking adjustment for a lot of businesspeople. It’s not only about having state-of-the-art antivirus or rigorous password policies - although those are both important - it’s also a matter of understanding the way criminals operate.
According to research by CSO, corporate cybersecurity budgets are now running in the tens-of-millions of dollars, and yet the number of attacks and the resulting losses continue to escalate.
Cybercriminals are going after individual employees inside an organisation, planting traps in their inboxes and hoping to take advantage of them to get inside the system.
The gravity of the cybersecurity issue isn’t yet fully registering with senior management - CSO’s statistics show that 61% of company boards still view cybersecurity as the sole responsibility of IT departments. But initiating company-wide education about security requires action at the executive level as well.
Realising that cybercriminals attack companies by attacking people means we have to address security at the individual level. We need to put effective protection in place to screen out dangerous email before it gets in front of team members, and we need to educate every person in the office to be skeptical about what they click on.
If you’d like to have a better understanding of the way cybercriminals work, please take a look at some of my other articles explaining different attack types in detail.
In a typical BEC attack, criminals create phishing emails brandjacking trusted trademarks. When the scam messages show up in victims’ inboxes, recipients feel safe opening them because they look like legitimate emails from familiar companies. In this article, I dissect BEC attacks using the trademarks of Westpac Bank, Netflix and Telstra.
This article takes a close look at some examples of phishing emails trying to mislead victims into giving up their email passwords by impersonating a OneDrive notification and a Microsoft login page. Read it here.
There’s never been a better time to take on the challenge of breach-proofing your company. The old saying goes ‘prevention is better than a cure’ and that’s certainly the case with cybersecurity.
If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.”
- Rob Sloan, Cybersecurity Research Director, Wall Street Journal.
I’d really value your input and comments so please join the conversation.