Phishing in the Pandemic – How Hackers Exploit the ‘Human Factor’
Dr. Niklas Hellemann from SoSafe GmbH, on the psychology of cyber attacks and security awareness, and the growing sophistication of phishing.
dotmagazine: What impact has the coronavirus had on company security?
Dr. Niklas Hellemann: The Covid-19 pandemic has given a considerable boost to digitalization. The use of video-conferencing tools and remote software has increased rapidly and many employees have been working from home for some time. But in addition to numerous positive aspects of this rapid change, there are also increased risks in the area of IT security.
Cyber criminals have quickly taken advantage of the general chaos and state of insecurity. Security provider Barracuda Networks, for example, identified an increase of over 667% in coronavirus-related phishing attacks between February and March.
The Covid-19 pandemic calls for a change in behavior in almost all areas, including cyber security. Managers and employees alike are confronted with various new challenges. The ‘human factor’ of IT security is becoming more and more relevant for a company to defend against cyber crime.
dot: What exactly is the ‘human factor’ when it comes to cyber attacks?
Dr. Hellemann: It is a widespread misconception that hackers are always highly technical in their cyber attacks.
The opposite is usually the case – hackers see the employee as the weakest link in the company and want to manipulate them through social engineering, getting them to behave in a certain way. Social engineering has many faces – it ranges from fake phone calls, in which the attacker pretends to be a technician, for example, to the often-quoted ‘USB drop’. This involves a USB stick or key drive with malware being dropped in front of the company building, triggering the curiosity of an employee, who then takes a closer look at the contents on a company PC, thus enabling a cyber attack.
However, the ‘all-time favorite’ is still up there in first place: the phishing attack. Expressed in figures, 92% of attacks on companies start with a phishing email. According to the German Federal Office for Information Security (BSI), 72% of these emails contain links to phishing sites where information is tapped or malware is downloaded unnoticed. Hackers have the ‘human factor’ in their crosshairs and are firing from all barrels during these infectious times. Google's filters alone send 18 million coronavirus-related phishing emails to the Internet every day.
dot: What types of phishing are there?
Dr. Hellemann: The types of phishing attacks are as numerous as the psychological buttons that can be pushed. But there are certain tactics that stand out and offer hackers a strong chance of success, such as so-called ‘spear phishing’. Here, specific victims in the company are selected and the attacks are tailored to them. The information about the employee – both publicly accessible and private – that is collected for this purpose forms the basis for these dangerous attacks, which can take place via several communication channels. The most prominent example is the so-called ‘CEO scam’, in which employees receive emails supposedly from their superiors requesting them to make payments or transmit sensitive information.
But it can also work the other way around – in the so-called ‘whaling’ process, managers are specifically attacked, as they often have particularly valuable information and far-reaching options for action. Another dangerous trend can also be seen in the area of ‘dynamite phishing’. Here, phishing mails are generated by malware, such as Emotet, on the infected computers themselves. As a basis, existing emails stored on the infiltrated computer are used to create deceptively real mails, which are then sent to the address distribution list for explosive further distribution.
dot: How have phishing attacks changed in recent years?
Dr. Hellemann: Phishing attacks have made a major qualitative leap forward in recent years and have outgrown their infancy. Spelling mistakes, incorrect grammar and false salutations have been replaced by deceptively genuine phishing emails, which are much harder to distinguish from legitimate emails in terms of appearance and content. We see a clear trend here in the last three years, away from ‘more is more’ and towards ‘class not mass’. Phishing attackers are also increasingly successful in penetrating technical barriers, on the one hand through technological factors such as polymorphic malicious code, but also through much more targeted emails. As a consequence, employees are increasingly becoming the last line of defense for protecting the company.
dot: What role do your own employees play in the defense against phishing attacks?
Dr. Hellemann: For a long time, the employee was regarded merely as the weakest link in the chain, a security risk. Amazon's CTO Werner Vogels, for example, once described people who fall for phishing emails as ‘idiots’ – a statement which hurts my soul as a psychologist, and which is also dangerous in my opinion!
At SoSafe, we see employees as part of a company's defense, a strong ‘human firewall’ that detects and successfully fends off phishing attacks. Everything stands and falls with employee sensitization for the topic of IT security, what is known as awareness training. In fact, with systematic training, it is possible to increase the employees’ ability to recognize attacks and to behave correctly in the corresponding situation.
dot: Let's look into the future – what will cyber attacks in companies look like in 10 years’ time?
Dr. Hellemann: Over the next few years, we will see that the strong focus on email fraud will gradually decrease and instead be increasingly replaced by other channels. These include internal communication channels such as Teams and Slack. We will see the expansion of new technologies, such as voice bots that realistically imitate real calls from executives or colleagues, and attacks may well even go one step further – deceptively real ‘deep fake’ videos that will or can be made available to a wider audience in order to manipulate employees very successfully. The attacks will become more sophisticated, more targeted, and more complex. This will be made possible by a higher degree of automation, as can already be seen in ‘dynamite phishing’.
With only ‘a few emails’ on an infected computer and a relatively simple program, remarkable quality can already be achieved in such attacks. However, the potency of attacks based on the possibilities of Big Data and AI can only be mastered with a modern, holistic and coordinated security concept. More and more, the employee will become the focus of attention for cyber crime – and awareness training will gain massively in importance. Every professional company will have modern awareness training in place, and SoSafe will be at the forefront of the fight against cyber attacks.
Further information on the current phishing threats and modern awareness training can be found at https://sosafe-awareness.com/.
Niklas Hellemann has a degree in psychology, is a long-standing management consultant (Boston Consulting Group) and Managing Director of the company SoSafe Cyber Security Awareness. As an expert in social engineering, he deals with innovative methods of employee sensitization.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.