Social engineering attacks such as phishing are not a new threat, but they have become more dangerous with the widespread shift to remote work.
Attackers are targeting individuals who dial into their employer’s network from home because they are an easier target. In addition to traditional phishing attacks against employees, there has also been an increase in whaling attacks that target a company’s senior leadership.
SMS phishing – sometimes referred to as “smishing” – is also gaining traction thanks to the popularity of messaging apps like WhatsApp, Slack, Skype, Signal, WeChat and others. Attackers use these platforms to trick users into downloading malware onto their phones.
Another variant is voice phishing – also called “vishing” – which was made famous by a Twitter hack in 2020. Hackers posing as IT employees called customer service representatives and tricked them into granting access to an important internal tool. Vishing has been used to attack numerous companies, including financial institutions and large corporations.
There is also SIM jacking, in which fraudsters contact representatives of a particular customer’s mobile carrier and convince them that the customer’s SIM card has been hacked, so that the phone number must be transferred to another card. If the deception is successful, the cybercriminal gains access to the digital content of the target’s phone.
Companies are stepping up their protection against phishing, but criminals are always looking for new ways to stay ahead. These include sophisticated phishing kits that have different targets depending on the victim’s location.
One of the most important trends in data security is the rise of data protection as a discipline in its own right. Numerous high-profile cyberattacks have resulted in millions of records containing personally identifiable information (PII) being exposed. Coupled with the introduction of stricter data laws around the world, such as the EU’s General Data Protection Regulation (GDPR), this means that data protection is becoming an increasing priority.
Companies that fail to comply with regulations and consumer expectations run the risk of fines, bad publicity and loss of consumer trust. Data privacy affects almost every aspect of a business. As a result, companies are placing more emphasis on hiring data protection officers and ensuring role-based access control, multi-factor authentication, encryption in transit and at rest, network segmentation and external assessments to identify areas for improvement.
Multi-factor authentication (MFA) is considered the gold standard of authentication. However, malicious actors are finding new ways to circumvent it – especially authentication via SMS or phone call. As a result, Microsoft in 2020 advised users to stop using phone-based MFA and instead use app-based authenticators and security keys.
SMS provides some security, but the messages sent – even for authentication – are not encrypted. This means that malicious actors can conduct automated man-in-the-middle attacks to obtain one-time passcodes in clear text. This presents a vulnerability for activities such as online banking, where authentication is often done via SMS. Banks and other organizations will increasingly turn to application-based MFA solutions such as Google Authenticator, Authy and others to address this issue.