Newly Discovered Phishing Attacks Target Bank Customers

First National Bank has warned of an increase in phishing and smishing attacks, IT-Online reports.

Trish Ramdhani, head of fraud at FNB Card, stated, “In recent cases, some consumers received SMSes claiming that their bank requires them to urgently FICA by clicking on a link that takes them to the fraudster’s platform, where their information is then compromised. The technique now includes attempting to entice the user to divulge both their card information and the one-time password (OTP), which is subsequently used to complete successful transactions using smart devices.”

FNB offers the following recommendations to help people avoid falling for these scams:

  • “Don’t panic: Fraudsters rely on people acting hastily due to a sense of panic. The tactics include threats that your accounts will be blocked or that fraud has been identified and must be stopped immediately. Whatever the scenario, keep in mind that such things will never compel you to give away OTPs, PINs, or passwords. It is safer to end such communication and contact your financial institution right away.
  • “Do not click on email or SMS links: When opening emails from unknown sources or those that appear suspicious, proceed with caution. Clicking on links or downloading attachments from these kinds of messages should be avoided because they may include harmful malware or redirect you to fake websites.
  • “Enable two-factor authentication (2FA): Enable 2FA wherever possible since it adds an extra layer of security by requiring a second verification step, which is often transmitted to your mobile device or an authenticator app, such as the FNB Apps for FNB customers.
  • “Take note of the card and digital safety measures recommended by your financial institution: There is a lot of misleading information about how people may protect themselves from fraud, but it is always preferable to follow your financial institution’s recommendations on how to secure your money.
  • “Keep software and devices up to date: Update your operating system, web browsers, and antivirus software on a regular basis to guard against vulnerabilities. To ensure that you get the most recent security fixes, enable automatic updates whenever possible.”

Spear Phishing Trends in 2023

50% of organizations surveyed were victims of spear phishing attacks in the last twelve months, according to a new report from Barracuda. The report also found that, on average, organizations receive five “highly personalized spear phishing emails per day.”

“In an analysis of 50 billion emails across 3.5 million mailboxes, Barracuda researchers uncovered nearly 30,000,000 spear phishing emails,” the report states. “While these emails make up less than 0.1% of all emails sent, they greatly impact organizations when attacks are successful. (For comparison, high-volume attacks, such as spam and malware, make up about 16% of emails, but their impact is not as high.) The average cost of a data breach caused by business email compromise was nearly $5 million in 2022, according to IBM. And no business is immune.”

The researchers found that while spear phishing makes up a very small percentage of email attacks, it’s responsible for a majority of successful breaches.

“Three-quarters of respondents surveyed said they fell victim to an email attack in the last 12 months. Half said they were the victims of spear phishing,” the report says. “That means 2 out of 3 successful email attacks are spear phishing attacks that use personalized messages, social engineering, and other tactics. This is significant because these attacks make up only 0.1% of all email-based attacks according to Barracuda’s data but are responsible for 66% of all breaches. On the other hand, high-volume attacks such as spam and malware, make up 16% of emails but are only responsible for one-third of breaches. Spear phishing protection is critical because even just one successful attack can be devastating.”

Almost all the organizations that fell victim to spear phishing suffered adverse effects.

“Nearly every victim of a spear phishing attack in the last 12 months saw impacts on their organization, including malware infections, stolen data, and reputational damage,” the researchers write. “While a direct monetary loss is one of the effects, all the other impacts could also result in some financial damage for an organization as a result of an attack.”

New-school security awareness training can enable your employees to thwart targeted social engineering attacks.


[Mastering Minds] China’s Cognitive Warfare Ambitions Are Social Engineering At Scale

As the world continues to evolve, so does the nature of warfare. China’s People’s Liberation Army (PLA) is increasingly focused on artificial intelligence (AI)-enabled military systems and operational concepts, including what it calls “Cognitive Warfare.” The PLA’s exploration into this new domain of warfare could potentially change the dynamics of global conflict.

The PLA’s interest in “cognitive warfare” is particularly intriguing. Cognitive warfare refers to operations that leverage techniques and technologies such as AI to influence the minds of adversaries, shape their decisions, and create a strategically favorable environment. This approach could potentially allow China to achieve victory without resorting to conventional weapons. We’re talking social engineering at potential massive scale.

The PLA’s exploration into cognitive warfare is part of China’s broader commitment to AI and other cutting-edge technologies, as emphasized by President Xi Jinping. China aims to become the world’s leading AI power by 2030, and it is integrating AI into three common areas: information processing, unmanned weapons, and decision-making.

However, China is taking it a step further by exploring the use of AI in cognitive warfare. This involves influencing the thinking of decision-makers, military commanders, and the general public in rival countries. For instance, Beijing could use social media and other means to spread disinformation, manipulate public opinion, and discredit U.S. efforts to support Taiwan.

To achieve this, China would need to develop the necessary cyber, psychological, and social engineering capabilities. It would also need to amass a great deal of detailed personal information. There are concerns that China has already collected a massive amount of data on government officials and ordinary U.S. citizens, which could be used to influence perceptions.

The PLA is also focusing on using AI to influence the state of mind of its own troops. They are working on wearable technology and a “psychological support system” to better prepare soldiers for real combat situations. This includes smart sensor bracelets that can record facial information and judge psychological states in real time.

Whether or not China’s “AI-driven warfare” succeeds, it is crucial to pay attention to social engineering at massive scale, as it has become increasingly feasible thanks to recent breakneck advances.



Financial Fraud Phishing Attacks Increase 72% In One Year; Financial Industry Takes the Brunt

With attackers knowing financial fraud-based phishing attacks are best suited for the one industry where the money is, this massive spike in attacks should both surprise you and not surprise you at all.

When you want tires, where do you go? Right – to the tire store. Shoes? Yup – shoe store. The most money you can scam from a single attack? That’s right – the financial services industry, at least according to cybersecurity vendor Armorblox’s 2023 Email Security Threat Report.

According to the report, attacks targeting the financial services industry increased by 72% over 2022, and the industry was the single largest target of financial fraud attacks, representing 49% of all such attacks. When breaking down the specific types of financial fraud, it doesn’t get any better for the financial industry:

  • 51% of invoice fraud attacks targeted the financial services industry
  • 42% of payroll fraud attacks
  • 63% of payment fraud

To make matters worse, nearly one-quarter (22%) of financial fraud attacks successfully bypassed native email security controls, according to Armorblox. That means roughly 1 in 5 email-based financial fraud attacks made it all the way to the Inbox. The next layer in your defense should be a user that’s properly educated using Security Awareness Training to easily identify financial fraud and other phishing-based threats, stopping them before they do actual damage.


The Number of Phishing Attacks Continues to Grow at a Rate of 150% Per Year

The latest Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG) shows an unrelenting upward trend in the number of phishing attacks per quarter.

Despite the alarm that the growth in the number of phishing attacks should generate, this report sheds some light on what seems to be working for cybercriminals if you dig a little deeper. According to the report:

  • The number of unique email subjects increased by 99.2%, totaling over 250,000 in Q4
  • The number of brands impersonated decreased slightly by 4% to 1780
  • The number of unique phishing websites increased slightly by 6% to just over 1.3 million

In essence, it appears that more unique campaigns are the answer – after all, there are only so many brands that have a broad appeal. It is interesting to see that the number of phishing websites is not increasing in step with the unique email subjects, although the “unique” email subjects may simply be variations on a theme aimed at using the same phishing website to capture credentials, banking details, etc.

The scarier part of this report is that 150% continual growth.

[Image: APWG chart of phishing attacks per quarter]

Source: APWG

This growth is a mix of new threat actors getting into the game, the growth of “as a service” offerings for just about every facet of cyber attacks, and the fact that successful attacks are also increasing in number.


Cyber Insurance Demand Grows as Cybercrime is Expected to Rise to $24 Trillion by 2027

As cyber attacks continue to grow in sophistication and frequency, cyber insurers expect their market to double in the next two years.

I’ve spent a lot of time here on this blog educating you on attack specifics, industry trends, and the impacts felt by attacks. I’ve also talked quite a bit about cyber insurance and the trends therein. But seldom have we been able to combine the two and present the state of cyber attacks from an insurer’s perspective.

Cyber Insurer Munich Re recently released their Cyber insurance: Risks and Trends 2023 report which provides us with some insight into the state of attacks and the impact on cyber insurance. According to the report:

  • Cyber crime costs in 2022 are estimated at $8.4 trillion
  • They are expected to be approximately $11 trillion in 2023
  • They are expected to rise to $24 trillion by 2027

According to Munich Re, “ransomware was, by far, the leading cause of cyber insurance losses”, making it primarily responsible for the projected massive growth in cyber insurance – which is estimated to have been a market size of $11.9 billion in 2022 and projected to reach $33.3 billion by 2027.

That is roughly threefold growth in cyber crime costs between 2022 and 2027, and roughly threefold growth in the cyber insurance market over the same period. This means that organizations should expect both a rise in the frequency of attacks in the coming years and an increase in the cost of cyber insurance. Rising insurance costs should be a clear indicator that spending budget on prevention methods (including security awareness training) is far better than putting all your eggs in the cyber insurance basket.


Number of Ransomware Victim Organizations Nearly Doubles in March

New data shows a resurgence in successful ransomware attacks with organizations in specific industries, countries and revenue bands being the target.

While every organization should always operate under the premise that they may be a ransomware target on any given day, it’s always good to see industry trends to paint a picture of where cybercriminals are currently focusing their efforts. This gives organizations the ability to either shore up security measures today (if they’re a current target) or shore up security measures today anyways (so they’re ready for when they do become the target).

In third-party risk vendor Black Kite’s 2023 Ransomware Threat Landscape Report, we see some interesting trends around successful ransomware attacks today:

  • March of this year saw 410 ransomware victim organizations – nearly double that of April of last year, with only 208
  • The U.S. dominated as the primary focus, with 1171 victim organizations representing 43% of the total victims reported, with the UK, Germany, France, Italy, and Spain combined making up around 20% of victim orgs
  • The largest group of victim organizations by revenue resided in the $50-60m range, with the next two groupings in the $40-50 million and $60-70 million ranges, respectively
  • Manufacturing topped the list of industries, with “Professional, Scientific, and Technical Services” coming in second, representing nearly 35% of all victim organizations

[Image: Black Kite chart of ransomware victim organizations]

Source: Black Kite

In summary, it appears that cybercriminals are focused on mid-market, U.S.-based organizations that likely have a material amount of intellectual property and/or sensitive data.

This, of course, doesn’t mean that if you’re not in that specific demographic you’re off the hook; nothing could be further from the truth. The Black Kite data shows where the focus is today. But there’s always a new player looking for a niche victim demographic they can nestle themselves into, making it necessary to shore up all security – including your users’ vigilance against phishing and social engineering attacks via Security Awareness Training.


Blocking Social Engineering by Foreign Bad Actors: The Role of the New Foreign Malign Influence Center

The U.S. government created a new office to block disinformation. The new Foreign Malign Influence Center (FMIC) oversees efforts that span U.S. military, law enforcement, intelligence, and diplomatic agencies.

The FMIC was established on September 23 of last year after Congress approved funding, and is situated within the Office of the Director of National Intelligence. The FMIC has the unique authority to marshal support from all elements of the U.S. intelligence community to monitor and combat foreign influence efforts such as disinformation campaigns.

The growing threat of social engineering by foreign adversaries has become a significant concern. By leveraging digital platforms, hostile actors can manipulate public opinion, foment discord, and undermine democratic institutions. To address this pressing issue, the newly established Foreign Malign Influence Center aims to counter social engineering efforts by foreign bad actors, working to protect our society from this insidious form of cyber warfare.

One of the key aspects of the Center’s strategy is fostering partnerships with like-minded institutions. By building a strong collective defense against social engineering, the organization can ensure that a diverse range of expertise and perspectives contribute to the fight against foreign influence.

Done right, the FMIC has the potential to be a valuable ally in the fight against social engineering by foreign bad actors. However, its success will depend on its ability to work collaboratively with partners, operate within legal and ethical boundaries, and stay focused on the genuine threats to our democratic institutions.


New Survey Reveals Employees are the Attack Surface

A survey by Tanium has found that IT security professionals in the UK say that 64% of avoidable cyber attacks are due to human error, which usually involves falling for phishing attacks. More than half of the respondents said that loss of productivity would be their main concern following a cyber attack.

“The largest number of survey respondents (56 percent) speculate that ‘loss of productivity’ would have the biggest post-breach impact, followed by ‘loss of clients and/or revenue’ (52 percent),” the researchers say. “However, it’s worth noting that these two answers have a mutual association – downtime. Following two years of pandemic disruption, organisations are naturally sensitive to anything that interferes with business as usual.”

The survey also found that the majority of respondents believe that spending money on security defenses is cheaper than sustaining a cyberattack.

“Forward-thinking organisations will already be acting to pay down the technical debt of their legacy systems,” the researchers write. “85% of security pros in our survey admit that ‘it costs more to recover from a cybersecurity incident than to prevent one.’”

Tanium concludes that organizations should invest in a defense-in-depth strategy that includes employee training.

“These statistics highlight that there is ample scope for cyber teams to make improvements in many areas that are under their influence and control,” the researchers write. “As an illustration, almost half of the organisations surveyed (43 percent) said they intend to invest more in ‘employee awareness training.’ This prevention-first approach is one way to reduce vulnerabilities that are often caused by human error or lack of education on cyber matters.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize and thwart social engineering attacks.

CIO has the story.


[HEADS UP] Russian Hacker Group Launches New Spear Phishing Campaign with Targets in US and Europe

The Russia-based hacking group Seaborgium is at it again, with increased spear phishing attacks targeting the US and European countries in the last year.

Last month, I wrote about Seaborgium launching a phishing campaign with targets in the UK. Now these threat actors have gone one step further, using fake personas, social media accounts, and academic papers to lure their victims into replying to their phishing emails. They have also widened their net to multiple regions across the globe, with a new focus on the US and additional regions within Europe. Each successful attack lets the threat actor refine their fake profiles to be more convincing and lure future victims.

Journalists are also becoming a target for multiple Russian hacking groups. Since journalists hold sensitive information, they are high-value targets for cyber espionage by Russian state-sponsored groups.

While spear phishing campaigns continue to increase in sophistication, the root cause stems from social engineering. Whether it was specific language in the email or a convincing fake profile, threat actors are refining commonly used social engineering tactics to ensure your users fall victim to their attack.

Thankfully, there are ways to identify if your organization is being targeted. We have several tips for preventing a spear phishing attack from targeting your users:

  • First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. The trick is to make it as hard as possible for the attacker to get through and to not rely on any single security measure to keep your organization safe.
  • Do not publish a list of all employee email addresses on your website; use a web form instead.
  • Regularly scan the Internet for exposed email addresses and/or credentials; you would not be the first to find one of your users’ usernames and passwords on a crime or porn site.
  • Never send out sensitive personal information via email. Be wary if you get an email asking you for this info and when in doubt, go directly to the source.
  • Enlighten your users about the dangers of oversharing their personal information on social media sites. The more cybercriminals know, the more convincing they can be when crafting spear phishing emails.
  • Users are your last line of defense! They need to be trained using new-school security awareness training and receive frequent simulated phishing emails to keep them on their toes with security top of mind. We provide the world’s largest content library of security awareness training combined with best in class pre- and post simulated phishing testing. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof the training works!
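As an added illustration of the second and third tips above (this is example code written for this page, not code from the original post or from any vendor), the Python below does two checks a security team can run itself. First, it parses constructed sample pages the way a harvester would, undoing HTML entities and “[at]”/“[dot]” obfuscation, and reports any employee address a website exposes. Second, it performs a k-anonymity password-exposure check in the style of the Pwned Passwords range API, where only the first five hex digits of the SHA-1 leave the machine and the match happens locally. The sample pages, the `fake_range_lookup` stand-in, and its hit counts are constructed assumptions; in real use `fake_range_lookup` would be replaced by an HTTP GET of the range URL named in its docstring.

```python
import hashlib
import re
from html import unescape

# Constructed sample pages standing in for a crawl of your own website; they
# are not from the original article.  /about/team.html exposes addresses in
# three common forms (plain text, a mailto: link, and "[at]/[dot]" obfuscation
# that harvesters routinely undo); /contact.html uses a form instead.
SAMPLE_PAGES = {
    "/about/team.html": """
        <h2>Our team</h2>
        <ul>
          <li>Alice Jones &lt;alice.jones@example.com&gt;</li>
          <li><a href="mailto:bob.smith@example.com">Bob Smith</a></li>
          <li>Carol Lee: carol.lee [at] example [dot] com</li>
        </ul>
    """,
    "/contact.html": """
        <form action="/contact" method="post">
          <textarea name="message"></textarea><button>Send</button>
        </form>
    """,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def deobfuscate(text: str) -> str:
    """Undo HTML entities and the '[at]' / '(dot)' tricks a harvester handles anyway."""
    text = unescape(text)
    text = re.sub(r"\s*[\[(]\s*at\s*[\])]\s*", "@", text, flags=re.IGNORECASE)
    text = re.sub(r"\s*[\[(]\s*dot\s*[\])]\s*", ".", text, flags=re.IGNORECASE)
    return text


def find_exposed_emails(pages: dict) -> dict:
    """Return {path: sorted unique addresses} for every page that leaks an address."""
    exposed = {}
    for path, html in pages.items():
        addresses = sorted(set(EMAIL_RE.findall(deobfuscate(html))))
        if addresses:
            exposed[path] = addresses
    return exposed


def pwned_password_count(password: str, range_lookup) -> int:
    """k-anonymity credential check in the style of the Pwned Passwords range API.

    Only the first five hex digits of the SHA-1 leave the machine; the returned
    list of 35-digit suffixes is matched locally, so the service never learns
    which password (or even which full hash) was being checked.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Constructed response for this example (the real service returns hundreds of
    lines per prefix).  5BAA6 is the real SHA-1 prefix of "password"; the hit
    counts are made up.
    """
    responses = {
        "5BAA6": (
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
            "0123456789ABCDEF0123456789ABCDEF012:2\n"
        ),
    }
    return responses.get(prefix, "")


if __name__ == "__main__":
    for path, addresses in find_exposed_emails(SAMPLE_PAGES).items():
        print(f"{path}: exposes {', '.join(addresses)}")
    for pw in ("password", "a-long-unique-passphrase-7Q!x"):
        print(f"{pw!r}: seen {pwned_password_count(pw, fake_range_lookup)} times")
```

Run it against a local mirror of your site (or the HTML returned by your own crawler) to see which pages hand a spear phisher a ready-made target list; the contact page, which uses a form, correctly reports nothing. The password check deliberately never sends the full hash, which is what makes it safe to run against a third-party breach index for real user credentials.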