Author Archives: TecAdmin

With attackers knowing financial fraud-based phishing attacks are best suited for the one industry where the money is, this massive spike in attacks should both surprise you and not surprise you at all.

When you want tires, where do you go? Right – to the tire store. Shoes? Yup – shoe store. The most money you can scam from a single attack? That’s right – the financial services industry, at least according to cybersecurity vendor Armorblox’s 2023 Email Security Threat Report.

According to the report, the financial services industry as a target has increased by 72% over 2022, and was the single largest target of financial fraud attacks, representing 49% of all such attacks. When breaking down the specific types of financial fraud, it doesn’t get any better for the financial industry:

• 51% of invoice fraud attacks targeted the financial services industry
• 42% of payroll fraud attacks
• 63% of payment fraud

To make matters worse, nearly one-quarter (22%) of financial fraud attacks successfully bypassed native email security controls, according to Armorblox. That means 1 in 5 email-based attacks made it all the way to the Inbox. The next layer in your defense should be a user that’s properly educated using Security Awareness Training to easily identify financial fraud and other phishing-based threats, stopping them before they do actual damage.

The latest Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG) shows an unrelenting upward trend in the number of phishing attacks per quarter.

Despite the alarm that the growth in the number of phishing attacks should generate, this report sheds some light on what seems to be working for cybercriminals if you dig a little deeper. According to the report:

• The number of unique email subjects increased by 99.2%, totaling over 250,000 in Q4
• The number of brands impersonated decreased slightly by 4% to 1780
• The number of unique phishing websites increased slightly by 6% to just over 1.3 million

In essence, it appears that more unique campaigns is the answer – after all, there are only so many brands that have a broad appeal. It is interesting to see that the number of phishing websites is not increasing with the unique email subjects, although the “unique” email subjects may simply be variations on a theme aimed at using the same phishing website to capture credentials, banking details, etc.

The scarier part of this report is that 150% continual growth.

Source: APWG

This growth is a mix of new threat actors getting into the game, improvements in the “as a service” of just about every facet of cyber attacks, and the fact that successful attacks are also increasing in numbers.

As cyber attacks continue to grow in sophistication, frequency, cyber insurers are expecting their market to double in the next two years.

I’ve spent a lot of time here on this blog educating you on attack specifics, industry trends, and the impacts felt by attacks. I’ve also talked quite a bit about cyber insurance and the trends therein. But seldom have we been able to  combine the two and present the state of cyber attacks from an insurer’s perspective.

Cyber Insurer Munich Re recently released their Cyber insurance: Risks and Trends 2023 report which provides us with some insight into the state of attacks and the impact on cyber insurance. According to the report:

• Cyber crime costs in 2022 are estimated at $8.4 trillion
• They are expected to be approximately $11 trillion in 2023
• They are expected to rise to $24 trillion by 2027

According to Munich Re, “ransomware was, by far, the leading cause of cyber insurance losses”, making it primarily responsible for the projected massive growth in cyber insurance – which is estimated to have been a market size of $11.9 billion in 2022 and projected to reach $33.3 billion by 2027.

There’s a 3x growth estimated in cyber crime costs over the next 4 years and a 3x growth in the cyber insurance market in the same timeframe. This means that organizations should expect both a rise in the frequency of attacks in the coming years, as well as an increase in the cost of cyber insurance. Rises in insurance costs should be a clear indicator that spending budget on prevention methods (that include security awareness training) is far better than putting all your eggs in the cyber insurance basket.

New data shows a resurgence in successful ransomware attacks with organizations in specific industries, countries and revenue bands being the target.

While every organization should always operate under the premise that they may be a ransomware target on any given day, it’s always good to see industry trends to paint a picture of where cybercriminals are currently focusing their efforts. This gives organizations the ability to either shore up security measures today (if they’re a current target) or shore up security measures today anyways (so they’re ready for when they do become the target).

In third-party risk vendor Black Kite’s 2023 Ransomware Threat Landscape Report, we see some interesting trends around successful ransomware attacks today:

• March of this year saw 410 ransomware victim organizations – nearly double that of April of last year, with only 208
• The U.S. dominated as the primary focus, with 1171 victim organizations representing 43% of the total victims reported, with the UK, Germany, France, Italy, and Spain combined making up around 20% of victim orgs
• The largest group of victim organizations by revenue resided in the $50-60m range, with the next two groupings in the $40-50 million and $60-70 million ranges, respectively
• Manufacturing topped the list of industries, with “Professional, Scientific, and Technical Services” coming in second, representing nearly 35% of all victim organizations

Source: Black Kite

In summary, it appears like cybercriminals are focused on mid-market, U.S.-based organizations that likely have a material amount of intellectual property and/or sensitive data.

This, of course, doesn’t mean if you’re not in that specific demographic you’re off the hook; nothing could be further from the truth. The Black Kite data shows where the focus is today. But there’s always a new player looking for a niche victim demographic they can nestle themselves into, making it necessary to shore up all security – including your user’s vigilance against phishing and social engineering attacks via Security Awareness Training.

The U.S. government created a new office to block disinformation. The new Foreign Malign Influence Center (FMIC) oversees efforts that span U.S. military, law enforcement, intelligence, and diplomatic agencies.

The FMIC was established on September 23 of last year after Congress approved funding, and is situated within the Office of the Director of National Intelligence. The FMIC has the unique authority to marshal support from all elements of the U.S. intelligence community to monitor and combat foreign influence efforts such as disinformation campaigns.

The growing threat of social engineering by foreign adversaries has become a significant concern. By leveraging digital platforms, hostile actors can manipulate public opinion, foment discord, and undermine democratic institutions. To address this pressing issue, the newly established Foreign Malign Influence Center aims to counter social engineering efforts by foreign bad actors, working to protect our society from this insidious form of cyber warfare.

One of the key aspects of the Center’s strategy is fostering partnerships with like-minded institutions. By building a strong collective defense against social engineering, the organization can ensure that a diverse range of expertise and perspectives contribute to the fight against foreign influence.

Done right, the FMIC has the potential to be a valuable ally in the fight against social engineering by foreign bad actors. However, its success will depend on its ability to work collaboratively with partners, operate within legal and ethical boundaries, and stay focused on the genuine threats to our democratic institutions.

A survey by Tanium has found that IT security professionals in the UK say that 64% of avoidable cyber attacks are due to human error, which usually involves falling for phishing attacks. More than half of the respondents said that loss of productivity would be their main concern following a cyber attack.

“The largest number of survey respondents (56 percent) speculate that ‘loss of productivity’ would have the biggest post-breach impact, followed by ‘loss of clients and/or revenue’ (52 percent),” the researchers say. “However, it’s worth noting that these two answers have a mutual association – downtime. Following two years of pandemic disruption, organisations are naturally sensitive to anything that interferes with business as usual.”

The survey also found that the majority of respondents believe that spending money on security defenses is cheaper than sustaining a cyberattack.

“Forward-thinking organisations will already be acting to pay down the technical debt of their legacy systems,” the researchers write. “85% of security pros in our survey admit that ‘it costs more to recover from a cybersecurity incident than to prevent one.’”

Tanium concludes that organizations should invest in a defense-in-depth strategy that includes employee training.

“These statistics highlight that there is ample scope for cyber teams to make improvements in many areas that are under their influence and control,” the researchers write. “As an illustration, almost half of the organisations surveyed (43 percent) said they intend to invest more in ‘employee awareness training.’ This prevention-first approach is one way to reduce vulnerabilities that are often caused by human error or lack of education on cyber matters.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize and thwart social engineering attacks.

CIO has the story.

The Russian-based hacking group Seaborgium is at it again with increased spear phishing attacks targeting US and European countries in the last year.

Last month, I previously wrote about Seaborgium launching a phishing campaign with targets in the UK. Now these threat actors have taken one step further with fake personas, social media accounts, and academic papers to lure their victims into replying to their phishing emails. They have also widened their net to multiple regions across the globe with a new focus on the US and additional regions within Europe. Each successful attack means the threat actor is able to refine their fake profiles to be more convincing and lure future victims.

Journalists are also becoming a target for multiple Russian hacking groups. Since journalists hold sensitive information, it could serve as high value to execute cyber espionage for the Russian state-sponsored groups.

While spear phishing campaigns continue to increase in sophistication, the root cause stems from social engineering. Whether it was specific language in the email or a convincing fake profile, threat actors are refining commonly used social engineering tactics to ensure your users fall victim to their attack.

Thankfully, there are ways to identify if your organization is being targeted. We have several tips for preventing a spear phishing attack from targeting your users:

• First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. The trick is to make it as hard as possible for the attacker to get through and to not rely on any single security measure to keep your organization safe.
• Do not have a list of all email addresses of all employees on your website, use a web form instead.
• Regularly scan the Internet for exposed email addresses and/or credentials, you would not be the first one to find one of your user’s username and password on a crime or porn site.
• Never send out sensitive personal information via email. Be wary if you get an email asking you for this info and when in doubt, go directly to the source.
• Enlighten your users about the dangers of oversharing their personal information on social media sites. The more cybercriminals know, the more convincing they can be when crafting spear phishing emails.
• Users are your last line of defense! They need to be trained using new-school security awareness training and receive frequent simulated phishing emails to keep them on their toes with security top of mind. We provide the world’s largest content library of security awareness training combined with best in class pre- and post simulated phishing testing. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof the training works!