Cybersecurity is a growing concern for many businesses and individuals, and the current statistics related to cybercrime are startling. Consider that in one year, cybercriminals will steal 33 billion records. And in the United States alone, $15 billion is lost every year due to identity theft. These numbers point to the growing trend of increased cybercrime.
And while many individuals have focused on ways to spot and recognize common threats, such as phishing emails and social engineering strategies, cybercriminals continue to evolve in terms of how they attack. One emerging trend relates to using hashtags and other potentially revealing personal and professional information that we willingly put online.
In most cases, the cybercriminal uses a version of an existing type of attack but is able to find greater success by leveraging information that an individual has posted on social media. In many cases, they can do this successfully by using personal social media accounts accessed by work computers to gain credentials to business accounts.
We have seen a huge increase in the number of attacks that use social engineering strategies, starting with information that may be put online across several social media platforms. And as more employees post professional information to gain exposure, the opportunities to exploit this information increase.
- Business email compromise: With this type of attack, the hacker targets employees and does research on them through a variety of social media outlets. Through a social media account, they gain access to a business email. Once they have access, they can begin to understand the organization’s structure, including financial processes. They then wait for the perfect opportunity to direct a financial transaction to a fraudulent account. In some instances, the hacker waits because finding the perfect opportunity can result in a much larger financial loss for the targeted company.
- Gift card fraud: In this type of attack, the hackers use information from a social media account, such as a phone number or email address. They can then imitate a higher-level employee and create a plausible scenario where they need to purchase gift cards. Once the employee scratches the gift cards, the hacker gets them to send the redemption code, resulting in financial losses. With this attack, the hackers generally look for new employees who may be unfamiliar with the company’s policies and procedures and be reluctant to say no to a more senior team member. Because it is effective and many more employees are working remotely, this type of attack has experienced rapid growth, increasing by 820% since COVID.
- Smishing: Smishing attacks are similar to phishing, except that they occur through SMS messaging rather than email. Since phones have fewer security protections, the message has a greater chance of getting through. Generally, the message attempts to get the target to click on a link by referencing a problem with an account or package.
- IRS/account fraud: With this type of attack, the hacker calls, pretends to be the IRS, and claims that the target owes money or has an error with their information. Hackers can mine personal data through the target’s social media accounts or messages the target may have left while reviewing a business. They can use this data to impersonate an individual (relying on personal details to sound believable). In many instances, a company will not ask for verification that the caller is who they claim to be and will provide any information requested or execute any directions provided.
- Deep fake/Zishing: Due to advancements in AI, attackers can create realistic impersonations of others. Once they have believable content or a representation, they can use the individual’s likeness to convince others that they are truly the person being represented. It is often referred to as ‘virtual kidnapping.’ This attack is such a dire threat that the Department of Homeland Security released a bulletin about the increasing threat of deep fake attacks.
As you can see, the future of cybersecurity is terrifying. Anything from professional emails to phone numbers on a business website can be used in conjunction with personal data to design a successful attack. And as technology evolves, hackers are likely to create even more convincing attacks using less personal information.
One of the best ways to avoid these attacks is for employees to be vigilant about not using their personal social media accounts on a work computer. Keeping these two areas separate is one of the best ways to prevent hackers from using credential theft to access business accounts. To learn more about protecting your data, contact Sagacent Technologies today!
Sagacent Technologies offers technology management and support, including proactive/preventative maintenance, onsite and offsite data back-ups, network and security audits, mobility solutions, disaster planning, and emergency business resumption services. The company serves clients of 10 to 150 employees within the Silicon Valley region.