A Timely Warning About Fake Communications and Persuasion Methods
As many of us have experienced, there are people in the world who want to steal from us, from our company or from our employer. In some cases they want to impersonate us, either to damage our reputation or to attack another unsuspecting victim. Hundreds of thousands of individual cases, and hundreds of major attacks, have occurred because individuals made innocent but grave mistakes when responding to social engineering.
Social engineering is a commonly used technique with potentially devastating results. Attackers use persuasion, manipulation, misdirection, and even anxiety or the threat of embarrassment to get a victim to take an action that is not in their best interest. That action could be providing a password, sharing sensitive data, re-routing a payment to a different bank account, or simply clicking a link that starts a process of persistent infection on a system, or worse yet, ransomware. The attack may leverage the actions or access rights of the individual being targeted, or a vulnerability left exposed by a lack of patching hygiene.
Some of the most common, and most rapidly growing, methods are forms of phishing. Phishing can take many forms, but it is most often carried out through email, text messages or social media, by sending communications that pretend to come from a trustworthy individual or company. The message may come from a genuinely compromised account, where a company's or individual's email account has been taken over, or it may be spoofed, with the sender's name or address forged so that it looks legitimate when it is not.
We are starting to see stealthier methods. For example, attackers register a domain spelled very similarly to an existing one (off by one or two letters), which can easily trick even a sophisticated user into thinking it is legitimate. We have seen it all, and we are watching the attacks become more sophisticated and harder to detect. All of the security tools in the world cannot stop an individual from making a mistake. Training, awareness and deep skepticism are a must in managing these threats. We have seen cases where millions of dollars were lost or stolen, and others where hundreds of thousands were handed to the bad guys unwittingly, but voluntarily.
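The look-alike-domain trick described above is one of the few social-engineering signals that can be checked mechanically. The Python below is an added example for this post, not code from Alvaka Networks or from the original article. It pulls the sender domain out of a From: header, compares it with a constructed list of trusted domains (TRUSTED_DOMAINS is an assumption for the example), and flags a domain as a look-alike if it is within two edits of a trusted name, if it collapses to a trusted name after common character substitutions such as the digit 1 for the letter l (the HOMOGLYPHS table is an assumed, non-exhaustive list), if it uses a trusted name as a subdomain of some other domain, or if it contains non-ASCII characters. The sample headers are constructed for the demonstration.

```python
"""Flag look-alike sender domains in email From: headers (illustrative example)."""
from email.utils import parseaddr

# Constructed for this example: the domains this organization treats as known-good.
TRUSTED_DOMAINS = ["alvaka.com", "example-bank.com", "payroll-provider.net"]

# Assumed, non-exhaustive list of characters attackers substitute for look-alikes,
# mapped to the characters they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca -> cb
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot, and fold common homoglyphs to the letters they mimic."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted domain being imitated or None)."""
    domain = sender_domain(from_header)
    if not domain:
        return ("invalid", None)
    if not domain.isascii():
        # Internationalized domain names can mimic ASCII ones; treat as suspicious.
        return ("non-ascii", None)
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t):              # e.g. a1vaka.com reads as alvaka.com
            return ("lookalike", t)
        if domain.startswith(t + "."):        # trusted name used as a subdomain elsewhere
            return ("lookalike", t)
        if levenshtein(norm, normalize(t)) <= max_distance:   # one or two letters off
            return ("lookalike", t)
    return ("unknown", None)


# Constructed sample headers, not captured mail.
SAMPLE_HEADERS = [
    "Accounts Payable <ap@alvaka.com>",
    "Accounts Payable <ap@a1vaka.com>",
    "Billing <billing@exampIe-bank.com>",
    "IT Support <helpdesk@alvaka.com.invoice-portal.net>",
    "Microsoft <noreply@microsoft.com>",
]


def triage(headers=SAMPLE_HEADERS):
    """Classify each header; returns a list of (header, verdict, imitated domain)."""
    return [(h, *classify(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, target in triage():
        print(f"{verdict:10} {target or '-':20} {header}")
```

The edit-distance threshold of two is loose for very short domains, where two edits can turn one real name into another, so a deployment should tune it per domain length and compare only the registrable part of the name. The check catches the From: header only; it says nothing about a message sent from a genuinely compromised account, which is exactly why the verification step below still matters.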
In summary, it is now more critical than ever that every individual and company be extremely skeptical of all communications. We must put methods in place to verify the individual or organization, and the request being made, before providing any information, transferring funds, changing banking or delivery details, or doing anything else that could have a negative impact. That verification must happen through a channel we already know to be good, such as a phone number on file, never through the contact details supplied in the message itself.
We all must work to verify before acting!
Blog written by Kevin McDonald, COO & CISO – Alvaka Networks
Kevin B. McDonald is the chief operating officer and chief information security officer at Alvaka Networks. Kevin is a trusted technology and security practitioner and public policy advisor to some of America's most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high-net-worth individuals and other business leaders. He is a sought-after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and has appeared on major television, radio and digital outlets.