Cybercriminals have made a packet out of us in 2019, and it is looking like 2020 will bring more of the same, perhaps with new, improved cyber-attack methods. As with all businesses, those who are most agile and innovative end up with a competitive edge. With the advent of the ‘cybercrime-as-a-service’ offerings of the darknet, even cybercriminals will be feeling the pinch of competition. This certainly seems to be the case, as evidenced by the massive number of scams experienced throughout 2019. Every cybercriminal and their dog had a go at fraud last year. 2019 was a bumper scam year, with bank transfer scams up by 40% according to UK Finance and phishing emails remaining the number one cause of a data breach.
With this in mind, what does The Defence Works expect companies to have to deal with this year, both good and bad?
AI as an extension of the cybercriminal mind
Over the last few years, the phrase Artificial Intelligence (AI) has been buzzing around like an angry bee. Most analysts are now predicting that 2020 will see AI finally start to rear its head in cybersecurity, both for good and evil. There are a lot of cybersecurity companies that are using AI (or subsets like Machine Learning) to augment security tools and make them smarter. However, what is good for the gander… cybercriminals have also embraced the intelligent machine. We have already seen the potential, at least, for the use of AI-enabled deepfakes. Earlier this year, a British CEO was tricked into transferring around £200,000; the call he received to initiate the transfer was a fake voice made to sound like the head of his parent company.
One other area that experts predict will be improved using AI is spear phishing. This is a highly targeted form of phishing, often resulting in the theft of privileged access credentials and some of the world’s largest data breaches. AI is expected to be used to up the ante in terms of spear phishing automation, allowing cybercriminals to target many thousands of people by gathering data from social media posts, etc. to tailor the phishing emails to each target.
A Business Email Compromise (BEC) too far?
One area that really took off in 2019 is Business Email Compromise (BEC). This has led to losses of $26 billion (around £20 billion) by businesses across the world. A juicy and lucrative crime like BEC will no doubt run on and on. The use of deepfakes, as in the example above, will no doubt see increasing levels of BEC fraud during 2020. As smaller organisations tend to have fewer resources to build protection against cybercrime, it is likely that BEC fraudsters will focus on specific areas that SMBs work in. To counter BEC fraud, companies have to focus on more operational-type defences, including security awareness, and processes such as double checks when certain payments are made.
– Engage your staff with scenario-based security awareness training or “In-the-Moment” training
Protective huddles living it large
Cybercrime, like any other crime, is about the human element. Where cybercrime seems to diverge is that it often adds a layer of technology to execute the crime… or so it seems. However, the truth is, cybercrime is all about getting us mere mortals to do the fraudster’s bidding: click a malicious link, download a malware-infected attachment, forget to install a security patch, log in to a spoof website. Security tools are needed, of course. Technology is part of the problem, but the human element in all of this must not be forgotten. In recent years, this truth has come home to roost with acceptance that security awareness training is a key part of a security policy for organisations of all sizes.
The ‘protective huddle’ formed by having a security aware culture in a company will have enormous benefits as 2020 brings new threats to circumvent our technological defences.
Hooking and unhooking the phisher
Phishing has taken over from hacking as the way into a corporate treasure chest or even a personal online account, simply because it’s easy. With Phishing-as-a-Service rental options for cybercriminals, it has never been easier. These tools, which can be rented for as little as $50 to $80 (£38-£61) per month, give the opportunists amongst the cybercrime community the means to join the game. This rental model is not new in cybercrime, but it is increasingly successful. The developers behind the ‘as-a-service’ offering are good at what they do, very good. They are now ensuring that the phishing toolkits are also able to evade technological nets, like spam filters. All in all, these rental options will end up making phishing not only more prevalent, but potentially more successful, as the phishing emails get through our technological defences. Again, security awareness training can plug the gap that technology opens.
A Security Aware 2020
People are calling the new decade the “roaring 20s”; let’s hope this is a positive roar rather than the scream of yet another IT department as they discover a data breach. The world is a complicated place and cybercriminals are making it even more so. People often use the metaphor of the wild west to describe cybercrime; however, it seems that cybercriminals are maturing and creating a tech version of organised crime from the 1920s suitable for the 2020s.
In many of the cybercrimes committed against a business in 2019, the human being took a central role, often manipulated by a fraudster. Being aware of the type of tricks played on us to extract data and money can only help to minimise the risk of phishing, BEC, and other human-focused cybercrimes.