{"id":10308,"date":"2020-08-19T12:38:42","date_gmt":"2020-08-19T08:38:42","guid":{"rendered":"https:\/\/techxmedia.com\/?p=10308"},"modified":"2025-04-16T16:01:51","modified_gmt":"2025-04-16T12:01:51","slug":"phishing-in-a-pandemic-how-to-combat-social-engineering-attacks","status":"publish","type":"post","link":"https:\/\/techxmedia.com\/en\/phishing-in-a-pandemic-how-to-combat-social-engineering-attacks\/","title":{"rendered":"Phishing in a pandemic: How to combat social engineering attacks"},"content":{"rendered":"
By Aamir Lakhani, Global Security<\/span> Strategist and Lead Researcher for FortiGuard Labs.<\/h6>\n

Threat intelligence<\/a> teams around the globe have been monitoring a\u00a0significant rise in phishing attacks<\/a> over the last few months. Such attacks coincide with a slight decrease in more traditional attacks, indicating that attackers, like workers, are modifying their efforts in order to accommodate changes due to the pandemic. In fact, our recent Global Threat Landscape Report details this and more.<\/p>\n

More people are now\u00a0working from home<\/a>, and they are connecting back into the office from their home networks, and quite often, using their personal computers. Attackers are looking to target these users\u2019 devices as a way into the corporate network or\u00a0cloud<\/a>. They attempt to lure unsuspecting victims into going to malicious sites, clicking on malicious links, or providing personal information via email or over the phone. They do this by impersonating legitimate organizations<\/a>, such as the Centers for Disease Control and the World Health Organization, and offering fake informational updates, discounted masks and other supplies, and even promises of accelerated access to vaccines. Similar attacks target healthcare workers, political movements, or even the recently unemployed using the same sort of tactics.<\/p>\n

Of course, such tactics are not new. We regularly see spikes in social engineering tactics around major events and catastrophes. Criminals respond to hurricanes and other natural disasters by pretending to be relief organizations, and major sporting events such as the World Cup where they lure victims with promises of discounted tickets or free streaming services.<\/p>\n

\"xl-2019-phishing-inside-image-phishing-techxmedia\"<\/p>\n

Social Engineering Works<\/strong><\/p>\n

The reason that social engineering<\/a> \u2013 an attack strategy that uses psychology to target victims \u2013 is so prevalent, is because it works. According to Verizon\u2019s 2019 Data Breach Investigations Report (DBIR)<\/a>, nearly one-third of all data breaches involved phishing in one way or another. Cybercriminals are opportunistic, and they constantly prey on the only vulnerability that cannot be patched \u2013 humans.<\/p>\n

It is a perpetual bombardment, every minute of the day, 24x7x365. And the odds are in the favor of the attacker, because they only need one unsuspecting person to click on a malicious link or attachment to open up the gates into the corporate network. And the truth is, nobody is immune \u2013 from entry-level employees, contractors, and interns at one end, on up to the C-Suite at the other. Business partners can also be indirect targets, mining them to obtain information to soften up targets. And for those of us now connecting to the office through our home networks, even our children are potential targets. Even seasoned security professionals get caught off-guard, in part because attack tactics have become more sophisticated.<\/p>\n

The goal, of course, is to gain access to our networks and sensitive information, either to steal it, corrupt it, or hold it for ransom. Most often, however, spear phishing is just the tip of the attack, and can easily go unnoticed by a victim who has been compromised.<\/p>\n

Training Alone is Not Enough<\/strong><\/p>\n

Of course, cybersecurity awareness has grown \u2013 up to 95%<\/a> of employees now receive phishing training so they can learn to spot suspicious emails. This is important progress, as most breaches start with a phishing email followed by an unsuspecting employee who opens a malicious file or clicks on a bad link. Despite this training push<\/a>, however, the number of employees that can tell the difference between a legitimate email and a malicious one remains frighteningly low. That\u2019s because cybercriminals are experts at the art of masquerading, manipulating, influencing, and devising lures to trick targets into divulging sensitive data, and\/or giving them access to our networks and\/or facilities.<\/p>\n

There are two challenges at play here: employees are not taking cybersecurity seriously, and cyberattacks are getting even more sophisticated. For example, there are still far too many employees<\/a> who never change their passwords, and two-thirds who still do not use a password management tool. At the same time, years of training people to identify phishing emails, avoid clicking on suspicious links, and follow best practices with their passwords have not panned out the way InfoSec professionals would have liked.<\/p>\n

The thing is, people know they need to use complex passwords, but they still use obvious choices that hackers can easily guess or discover by simply browsing a target\u2019s social media sites, such as their pet\u2019s name, the name or birthday of their child, or the year they graduated from college.<\/p>\n

The problem is not awareness \u2013 it is rooted in human behavior. Safe password practices<\/a> \u2013 using long passwords with non-sensical characters and numbers, for example \u2013 take extra effort to implement. And when it comes right down to it, employees have shown that, for whatever reason, the extra effort is not worth their time and energy.<\/p>\n

Security 101: It\u2019s All About People, Products, and Process<\/strong><\/p>\n

The first step is to help employees feel like they are part of the security team. Helping them understand the repercussions of a security event, and how it can personally affect them, is a good place to start. Seeing connections such as these \u2013 between safe cybersecurity<\/a> practices and the positive impact they feel they are making when everyone is engaged and responsible \u2013 should lead to direct improvements in how people behave when they are confronted with suspicious cyber behavior or questionable email or websites.

Next, give employees the tools they need to succeed. For example, in most organizations there is typically no easy way for employees to manage a multiplicity of complex passwords. If they choose to use a password management program, one which generates and manages complex passwords, it is only because of their own initiative.<\/p>\n

And finally, change the process by taking as much of the risk out of their hands as possible. Organizations need to update\u00a0email security gateways<\/a>with\u00a0sandboxing<\/a>\u00a0and content disarm and reconstruction (CDR) tools to eliminate malicious attachments and links. They need to use\u00a0web application firewalls<\/a>\u00a0to secure access to websites and identify and disable malicious links or embedded code or deploy cloud-based solutions and\u00a0endpoint detection and response<\/a>\u00a0(EDR) tools so users are protected both on- and off-premise. They also need to add proactive\u00a0access controls<\/a>\u00a0to ensure that connections originating from compromised home networks and personal devices can\u2019t be used as a conduit for an attack.<\/p>\n

Final Thoughts on Fulfilling Security Responsibilities<\/strong><\/p>\n

Regardless of the details, the most important key to improving an organization’s risk profile is still getting employees involved, one way or another, in accepting and fulfilling their security responsibilities. With training, the right tools, and effective processes, including support from top-tier company leaders, security teams can help everyone take cybersecurity<\/a> seriously \u2014 and take a serious bite out of cybercrime.<\/p>\n","protected":false},"excerpt":{"rendered":"

More people are now working from home, and they are connecting back into the office from their home networks, and quite often, using their personal computers. Attackers are looking to target these users\u2019 devices as a way into the corporate network or cloud. They attempt to lure unsuspecting victims into going to malicious sites.<\/p>\n","protected":false},"author":8,"featured_media":10310,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[9715],"tags":[1072,990,2886,2884,2020],"contributor":[],"class_list":["post-10308","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-expert-opinion","tag-cloud","tag-phishing","tag-phishing-attacks","tag-social-engineering-attacks","tag-threat-intelligence"],"featured_image_src":"https:\/\/techxmedia.com\/en\/wp-content\/uploads\/2020\/08\/Aamir-Lakhani-Global-Security-Strategist-and-Lead-Researcher-for-FortiGuard-Labs.jpg","author_info":{"display_name":"Rabab","author_link":"https:\/\/techxmedia.com\/en\/author\/rabab\/"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/posts\/10308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/comments?post=10308"}],"version-history":[{"count":0,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/posts\/10308\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/media\/10310"}],"wp:attachment":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/media?parent=10308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/categories?post=10308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/tags?post=10308"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/contributor?post=10308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}