As each year goes by, the electronic defences against cyberattacks get better and better.
The cybercriminals committing the crimes know that, in brainpower terms, they have met their match in the people who come up with the technology to stop them. Any advantage the cybercriminals have will only ever be slight and it’ll only ever be short-lived.
A chain is only as strong as its weakest link. On a personal level, as consumers, we are not particularly aware of the threat that cyberattacks pose, and that’s a problem. No matter how advanced the technology behind your internet service provider, your bank, your credit card provider, and the other companies you deal with, you’re the weakest link.
Likewise, think about your solicitors’ practice or barristers’ chambers. There might be ten staff there or a thousand. If there are one thousand staff where you work and, among them, one hundred who aren’t up to speed about the threat cyberattacks pose to the organisation as a whole, that’s a big problem.
These one hundred people are prime targets for the cybercriminals and they make you, your job, and the whole organisation vulnerable (source: Computer Weekly).
Social engineering is like a hack you use on a video game to get unlimited lives. Video games, just like all computer programs, follow a given set of rules. Those rules allow it to respond to the external stimuli it’s receiving from the person playing the game – button pressing, turning the wheel, pulling the trigger, and so on.
Human beings are different but not as different as you might think. From the minute we get up in the morning until the minute we close our eyes at night and go to sleep, we’re bombarded by external stimuli. It might be the boss, it might be the kids, it might be your significant other – everyone we interact with and the places in which we do it require us to make decisions all the time.
We just don’t have time to consider everything we do during the day in depth. So, over the course of our lives, we develop certain short cuts. These short cuts allow us to make decisions much faster and, most of the time, we make the right choices.
However, just as we can hack a video game to give ourselves an advantage, cybercriminals, scammers, and con artists can hack the shortened decision-making cycles we use in our daily and professional lives to gain an advantage over us.
It’s called social engineering.
Cybercriminals exploit individual weaknesses, or they exploit your less knowledgeable colleagues, to steal commercially valuable information. Often, particularly when law firms are involved, the initial social engineering attack is only the start of a much longer and more damaging campaign to infiltrate a network or system and do far greater damage later.
Social engineering and the research cybercriminals do
There are two major types of cybersecurity attack – the random attack and the planned attack. With random attacks, success depends far more on luck and sheer numbers than on any methodical forethought. Planned attacks are premeditated, prepared in advance, and far more likely to succeed.
Have you ever received an email from a company, whether or not you do business with them, asking you to log back in because there has been “unusual activity”, “activity consistent with fraud”, and so on? Did they address you by name? Did the language not feel quite right – not what you’d expect from that company?
The chances are that millions of other people received pretty much the exact same email. Some people believe that the language used in these emails is because the scammers don’t originate from the country of the people they’re trying to scam.
Others believe differently. Microsoft researcher Cormac Herley believes that the language used is so poor that only the most gullible are enticed into believing the emails are genuine (source: Telegraph). "A less outlandish wording that did not mention Nigeria would almost certainly gather more total responses and more viable responses, but would yield lower overall profit," Herley told the paper.
Smishing is the use of the short message service (SMS) to tell you that:
- there is a problem with your bank account
- a retailer is offering you a special gift or voucher
- a delivery company needs you to confirm a delivery
- the tax authorities owe you a refund
- an online platform or mobile phone network needs you to validate your account (source: Get Safe Online)
The SMS will often contain a link asking you to log in to a well-known website or to call a telephone number. There is normally a high degree of urgency in each message – “do it now”. Before taking any action, be wary of sender numbers that adopt an unexpected or strange format (source: Norton).
You may receive a “request for help” by email, phone call, or text message. You will be asked to log into a system to authenticate yourself using your personal and financial details. Alternatively, the caller will want to speak to you on the phone to help you fix a problem with your computer or your device.
You may know the company, or you may not. The cybercriminals have no idea who deals with the company, so they send out as many messages as possible hoping that enough recipients are genuine customers who can be taken through the con (source: Webroot).
“Evil twin” phishing
“Evil twin” Wi-Fi connections are alternative Wi-Fi hotspots set up by cybercriminals. They’re able to see all the traffic going to and from the Wi-Fi point and they’re particularly effective at stealing usernames, passwords, and other sensitive personal and financial information.
The scammers are also able to use their “evil twin” connection points to direct users to legitimate-looking but fake popular websites from which log-in details can be stolen and re-used (source: LifeWire).
Unlike standard phishing, spear phishing is directed at a specific target, usually within a business or public sector organisation. These individuals are targeted because the cybercriminals believe there is a much greater financial reward in obtaining sensitive information about that individual or about the clients of the firm they work for.
The scammers will generally do a great deal of research on their victims prior to launching an attack, trying to understand what they do, who they work with, who their professional clients are, and personal information about them.
The intelligence they gather on a target is then used against them by sending them an email apparently from a person they trust. The email will ask them to log in to a site which they do not know is fake or it will ask them to download an attachment containing malicious software (malware) (source: Kaspersky).
Whaling is similar to spear phishing but its targets are much higher up the corporate food chain than the average spear phishing victim. Whaling targets the very highest levels of seniority within a business or organisation – senior managers, directors, chairpeople, and C-level executives.
Whaling scams involve more junior members of staff receiving an email, apparently from a very senior employee, instructing them to release sensitive data. According to a major financial publication, more than $12bn has been sent by nearly 79,000 firms since 2013 as a result of whaling attacks (source: Forbes).
CEO fraud is a very targeted combination of both whaling and spear phishing. An email, purportedly from the CEO or managing director, is received by a member of staff urging that an invoice is paid to a supplier as soon as possible. The member of staff does not verify the request with the actual CEO and they make the payment anyway. Of course, the invoice is fraudulent but, because of the time lag in reporting within most larger organisations, it can take months before it’s spotted (source: SC Magazine).
Invoice fraud uses a similar model to CEO fraud, except that the party putting pressure on the member of staff is a very persistent and aggressive accounts receivable person from the bogus supplier. Invoice fraud costs American companies US$300m a month (source: Bank Info Security) – the worldwide figure is suspected to be much larger.
Many people and companies still use external storage media to hold important files. Baiting involves an attacker leaving something like a USB flash drive for others to find. When someone finds it and connects it to a device, the pre-loaded malware installs itself on that device (and potentially spreads across the network), creating opportunities for later unauthorised breaches (source: Search Security).
Have you ever received the same email twice from someone because they didn’t believe that you responded fast enough, or because they thought you may not have received the original message? Clone phishing works in the same way but, when the email is “resent”, the links and attachments within it either direct the recipient to a rogue website or persuade them to download malware via a seemingly harmless attachment (source: Science Daily).
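As an added illustration (not part of the original article), the following Python script shows one way a mail gateway or a cautious recipient could compare a “resent” email against the original: it flags a changed sender address, links pointing to hosts the original never linked to, and attachments the original did not carry. The message format, sender names and domains are constructed for the example.

```python
"""Flag clone-phishing signs by comparing a 'resent' email with the original."""
import re
from urllib.parse import urlparse

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
ADDR_RE = re.compile(r'<([^>]+)>')  # address inside "Display Name <addr>"


def hostnames(html):
    """Return the set of hostnames linked from an HTML body."""
    return {urlparse(u).hostname for u in HREF_RE.findall(html) if urlparse(u).hostname}


def sender_address(from_header):
    """Extract the bare, lower-cased address from a From header."""
    m = ADDR_RE.search(from_header)
    return (m.group(1) if m else from_header).strip().lower()


def clone_indicators(original, resent):
    """Return reasons the resent message looks like a clone-phishing copy.

    Each message is a dict with 'from', 'html' and 'attachments' keys
    (a constructed format for this example, not a mail library's API).
    """
    reasons = []
    if sender_address(original['from']) != sender_address(resent['from']):
        reasons.append(f"sender address changed: {sender_address(original['from'])}"
                       f" -> {sender_address(resent['from'])}")
    for host in sorted(hostnames(resent['html']) - hostnames(original['html'])):
        reasons.append(f"link points to a host not in the original: {host}")
    for name in resent['attachments']:
        if name not in original['attachments']:
            reasons.append(f"attachment not in the original: {name}")
    return reasons


# Constructed sample messages: a genuine invoice email and a cloned "resend".
ORIGINAL = {
    'from': 'Accounts <accounts@example-client.com>',
    'html': '<p>Invoice attached. Portal: <a href="https://portal.example-client.com/invoices">here</a></p>',
    'attachments': ['invoice-4471.pdf'],
}
RESENT = {
    'from': 'Accounts <accounts@example-c1ient.com>',  # look-alike domain, "l" swapped for "1"
    'html': '<p>Resending in case you missed it: <a href="https://portal.example-c1ient.com/login">here</a></p>',
    'attachments': ['invoice-4471.pdf.zip'],
}

if __name__ == '__main__':
    for reason in clone_indicators(ORIGINAL, RESENT):
        print('WARNING:', reason)
```

A genuine resend reuses the same sender, link hosts and attachments, so it produces no warnings; the cloned copy above produces three.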
Many data breaches within companies are deliberate – rogue employees often want to sell valuable company information to competitors or to set up on their own. The recruitment consultancy industry is particularly vulnerable to these types of threats (source: Atlas Cloud).
Pretexting is mainly a type of financial crime where one colleague asks another to transfer money to a fictional supplier. The colleague with responsibility for transferring the money does not check with their manager or director to see if the transaction is legitimate.
Often the money transfers are made to overseas destinations. The time lag between the realisation that something is wrong and the transfer of the money to an overseas jurisdiction means that, often, the rogue payment is not noticed until it’s far too late to retrieve it. When it is noticed, the person who encouraged the transfer has often left the organisation (source: Observe IT).
Within larger organisations, there might be websites that many employees visit, either for business or pleasure. Hackers look for “zero-day” vulnerabilities in each such website so that they can plant malware on its servers. Employees visiting that website then put the wider company at risk of infection (source: Symantec).
Quid pro quo
IT support technicians don’t have the best reputation in the world for helpfulness and outreach – we personally think that’s unfair. However, the quid pro quo scam involves phoning as many people in a company as possible and offering to help them with their IT issue. Of course, the vast majority of employees do not have any IT issues but, eventually, the caller will come across a member of staff who does.
With a quid pro quo attack, the member of staff who does have a problem will then be instructed to carry out tasks which compromise the security of the system, without the person being helped realising it (source: Datto).
Many organisations now require their staff, contractors, and visitors to sign in with electronic authorisation cards. Tailgating relies on the politeness of the person the scammer is following: they hold the door open so that the scammer can get in (source: TripWire).
Be cyberaware with Sprout IT
Sprout IT provides high quality legal IT support, cloud & consultancy for the legal industry, 24/7 service, 365 days a year. We have been promoting data security and utilising the best cyber resilience technology and techniques since we began. We believe in building and testing the most suitable technology products and solutions for each of our clients. That's because building your cyber and reputational resilience is critical in Legal IT.
To speak with one of our team about protection for your solicitors’ practice or barristers’ chambers against the growing threat of targeted cyberattacks, please call Sprout IT today on 020 7036 8530 or email us.