‘Twas the night before Christmas, when all through the company not a creature was stirring, not even a cybercriminal’.
How I’d love to say the above was true, but in 2019 cybercrime only got worse, and it dragged our employees down with it, tricking and manipulating them into serving ever more complex cyber-threats.
In our goodbye to 2019 post, we look at what the year has meant for the human in the machine: how social engineering became the cybercriminal’s favourite method to trick us, ransom us, steal personal data and cause general all-round technology chaos.
Let us enter the 2020s with a look back at how human beings became the cybercriminal’s favourite tool.
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
2019, Social Engineering Comes to Town
Social engineering is a general term for any method that exploits human behaviour as part of a cyber-attack. Typical social engineering tricks involve:
- Surveillance – gathering intelligence on victims (who they work with, what they are expecting, what they post publicly) so that the attack goes more smoothly
- Behavioural modification and tricks – manipulating human behaviour to help execute a cyber-attack
- Grooming – some cyber-attacks involve a degree of social grooming and even coercion
Here are a few examples from 2019 that show how social engineering was used:
Ransomware in 2019
Insurer Beazley saw a 105% increase in ransomware attacks in Q1 2019. Ransomware is a type of malware that encrypts files and documents and then makes a ransom demand (usually in bitcoin) for the key to decrypt them. Social engineering comes in at the very first step: getting the ransomware onto a computer. Phishing emails that either link to a malicious website or carry a ransomware-infected attachment are often the vector used to infect a machine. Once one machine is infected, the malware can spread across the entire network. The ransom note itself is a second layer of social engineering: it demands payment within a set time, after which, it claims, the encrypted files can never be recovered. Paying does not guarantee recovery, and the only reliable answer is offline, regularly tested backups.
The cybercriminals behind ransomware essentially use human beings as slaves to their whims and then force them to pay for the privilege.
In 2019, we also saw increased use of “Ransomware-as-a-Service”, aka pre-packaged ransomware available on the darknet; the money-making side works like an affiliate model, with the ransomware’s developers taking a cut of each ransom their affiliates collect. As cybercrime toolkits become easier to use and continue to make fraudsters money, we should expect that we have not yet seen the back of ransomware.
Phishing in 2019
Phishing, the social engineer’s go-to tool, continued unabated in 2019. Microsoft Office 365, an SME favourite, became the phishers’ favourite too. Throughout 2019, phishing emails targeted administrator logins to Office 365. The reason for targeting the Office platform is to get at all of that juicy corporate data, and an administrator account opens up the whole tenant rather than a single mailbox. Some 2019 fraudsters played a less than subtle trick on targets by offering a view of the company’s salary increase sheet once logged in. The login page was, of course, a carefully disguised spoof of the real Microsoft Office 365 login. The one thing a spoof cannot fake is the address bar: the genuine sign-in page lives at login.microsoftonline.com, and a link whose hostname merely contains that name (or a look-alike of it) is the give-away.
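As an added illustration, not code from the original post or from The Defence Works, here is a small Python checker that a mail-security or awareness team could run over the links in a suspicious email. It assumes a constructed sample email modelled on the salary-sheet lure, and a hypothetical allow list of genuine Microsoft sign-in hosts; it flags the two spoofing tricks that catch people most often: a lookalike domain that merely contains "microsoftonline.com", and a number-for-letter swap in the hostname.

```python
import re
from urllib.parse import urlsplit

# Hostnames that serve a genuine Microsoft / Office 365 sign-in page.
# Assumption for this example: a real deployment keeps this list centrally and
# adds any federated identity provider (e.g. an ADFS host) the organisation uses.
LEGITIMATE_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
})

# Digits that phishers substitute for look-alike letters in a hostname.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) URLs out of an email body, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def looks_like_microsoft(host):
    """True if the host reads as a Microsoft domain once common
    number-for-letter and 'rn'-for-'m' substitutions are undone."""
    normalised = host.translate(CONFUSABLES).replace("rn", "m")
    return "microsoft" in normalised or "office365" in normalised


def classify_login_url(url):
    """Return (verdict, reason). Verdicts: legitimate, suspicious, unknown.

    The key point: only the exact hostname matters. Anything before an '@'
    and anything after the real registered domain is attacker-controlled.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return "suspicious", f"unparseable URL ({exc})"

    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "suspicious", "URL has no hostname"
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ -> host is evil.example
        return "suspicious", "userinfo before '@' disguises the real host"
    if host in LEGITIMATE_LOGIN_HOSTS:
        if parts.scheme.lower() != "https":
            return "suspicious", "genuine host but plain HTTP (credentials in clear)"
        return "legitimate", f"{host} is a known Microsoft sign-in host"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "punycode (IDN) hostname can hide homoglyphs"
    if looks_like_microsoft(host):
        # Covers login.microsoftonline.com.evil.example and micr0softonline
        return "suspicious", f"{host} imitates Microsoft but is not a Microsoft host"
    return "unknown", f"{host} is not a Microsoft sign-in host"


def scan_email(body):
    """Classify every link in an email body; returns [(url, verdict, reason)]."""
    return [(u, *classify_login_url(u)) for u in extract_urls(body)]


# Constructed sample modelled on the 'salary increase sheet' lure; not a real email.
SAMPLE_EMAIL = """\
Subject: Salary increase sheet - admin review required

Dear Administrator,
The approved 2019 salary increase sheet is ready. Sign in with your
Office 365 administrator account to view it:
https://login.microsoftonline.com.secure-docs.example/common/oauth2/authorize
If the link does not open, use http://login.micr0softonline.com/salary
Regards, HR
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}\n           {reason}")
```

Run as a script it prints both links in the sample as suspicious. The punycode and look-alike checks are deliberately blunt heuristics and will produce false positives on legitimate internationalised domains; in practice they are a triage signal for a human or a mail gateway, not a verdict on their own.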
Social media was also a focus for the phishing fraudsters in 2019. Vade Secure saw an almost 75% increase in phishing links on social media sites such as Facebook and Instagram.
Financial Scams in 2019
Fraudsters love a carefully crafted scam designed to trick us into doing their bidding, and scams that hop between channels (email, phone, text message and even post) abounded in 2019. In the first half of 2019, £845 million worth of fraud was stopped by the finance industry. UK Finance stated that:
“Data compromised through social engineering and ‘digital skimming’ attacks have had a significant impact on fraud losses”
Even the old-fashioned cheque is not safe from the grip of the fraudster: cheque fraud rose 172% compared with the first half of 2018.
The Defence Works had enough scam fodder to keep us going all year long in 2019. You can read our weekly Breaking Scam section on the blog for a look back at some of the year’s scams.
Business Email Compromise (BEC) in 2019
2019 was a year in which Business Email Compromise (BEC) cost businesses across the globe billions. The FBI keeps a watch on BEC and found a 100% increase in identified global exposed losses between May 2018 and July 2019. Over the last three years, businesses have lost over $26 billion (around £20 billion) to it.
The cybercriminals behind BEC attacks are also upping their game. 2019 saw the first potential deepfake used to carry out BEC fraud: the CEO of a British company reportedly transferred around £200,000 to a fraudster who is believed to have used an AI-generated imitation of the parent company boss’s voice over the phone.
A Happy New Cybercrime-Free Year Using Security Awareness Training
Looking back is a good way to evaluate what we can do to make things better going forward. Although the phrase ‘lessons learned’ can be annoying to hear continually, it is actually a very useful way to make sure you do not repeat old mistakes. A huge number of the cybercrimes committed in 2019 had a human element to them, often involving multi-part manipulation of human behaviour. Proofpoint’s 2019 research backed this up, reporting that more than 99% of the attacks it observed required a human to act (click a link, open a file, enable a macro or enter credentials) in order to succeed.
To turn the tables on cybercriminals, we need to educate our staff about the way that fraudsters manipulate them. Using a programme of interactive, fun and effective security awareness training in 2020 will mean your company stays on top of the methods used by cybercriminals: methods that change, but retain a common theme of using your employees to break into your IT network.
In 2020, choose to use security awareness training and beat the cybercriminal at their own game.
Want access to the world’s most interactive security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.