Business Email Compromise (BEC): the Costliest Cybercrime

Organizations in the US lost $2.4 billion to business email compromise (BEC) scams (also known as CEO fraud) last year, according to Alan Suderman at Fortune.

“BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees to send wire payments or make purchases they shouldn’t,” Suderman writes. “Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, like ‘deep fake’ audio generated by artificial intelligence to pretend to be executives at a company and fool subordinates into sending money.”

Suderman cites a case from San Francisco, where a nonprofit lost more than half a million dollars to one of these scams.

“In the case of Williams, the San Francisco nonprofit director, thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000,” Suderman says.

BEC actors also collaborate and share information with each other to improve their attacks.

“Unlike ransomware operators who try to keep their communications private, BEC scammers often openly exchange services, share tips or show off their wealth on social media platforms like Facebook and Telegram,” Suderman writes. “A Facebook group called Wire Wire.com, which was until recently available to anyone with a Facebook account, acted as a message board for people to offer BEC-related services and other cybercrimes.”

Suderman concludes that organizations of all sizes need to be wary of BEC scams.

“Almost every enterprise is vulnerable to BEC scams, from Fortune 500 companies to small towns,” Suderman writes. “Even the State Department got duped into sending BEC scammers more than $200,000 in grant money meant to help Tunisian farmers, court records show.”

New-school security awareness training can enable your employees to thwart these types of social engineering attacks.

“Human Error” Ranked as the Top Cybersecurity Threat While Budgets Remain Misaligned

New insights into the state of data security show a clear focus on the weakest part of your security stance – your users – and organizations doing little to address it.

It’s frustrating when the answer is right there in front of the face of organizations today and you have to watch them scramble around the problem without really addressing it. This is exactly what I see in the data found in Thales’ 2022 Data Threat Report.

Within the report, we find data points of brilliance around awareness of the problem of users:

  • Human Error is seen as the highest threat to organizational security, with 38% of organizations ranking it as the top threat. For reference, Nation States was only a top concern for 28% of organizations.
  • 29% of organizations ranked ‘accidental human error’ as the top threat (and, again, for reference, only 17% ranked external attackers with financial motivation as a top threat).
  • 79% of organizations are concerned about the security risks with an increasingly remote workforce

It’s evident that users play a role in making an organization insecure, right? So, we’d expect to see lots of spending on ways to secure the user. But according to the report, organizations are prioritizing network security (e.g., Intrusion Prevention Solutions, gateways, firewalls), key management, cloud security, and zero trust solutions.

It seems like the focus is way too much on trying to prevent data from leaving, instead of stopping attackers from ever getting in. With the data showing organizations are very aware of the factor users play in cyberattacks, I would expect to see more focus on Security Awareness Training to reduce the threat surface of phishing – a primary attack vector in nearly every kind of cyber attack. This kind of training helps to establish good cyber hygiene, a sense of vigilance, and has been shown to reduce the risk of users falling for social engineering tactics employed within phishing attacks.

Microsoft Warns of Lapsus$ “Targeting Organizations for Data Exfiltration and Destruction”

The group behind the recent attacks on Okta, NVIDIA, and Microsoft may be moving on to less-prominent organizations, using their data destruction extortion model on new victims.

It’s not every day Microsoft puts out warnings about a specific threat group. But in the case of Lapsus$ (referenced by Microsoft as DEV-0537), it’s warranted. Lapsus$ has gone after some pretty big-name companies (including Microsoft) and appears to be going after “smaller fish” as well, Microsoft warns in a recent threat intelligence update.

What makes Lapsus$ so dangerous is two-fold. First, their attacks are focused on extortion via the threat of data destruction (so, think ransomware, but deletion instead of encryption). Second, they are very good at soliciting for and obtaining credentialed access to organizations. This is a bit of a new tactic, as most cybercriminal gangs stick to phishing or brute force attacks against an RDP connection. Lapsus$ even goes as far as to pay off employees at cellular companies to perform SIM swaps that assign an employee’s mobile number to a threat actor-controlled device. This allows Lapsus$ to get past most multi-factor authentication that uses an employee’s mobile phone as the second factor.

These guys are so good, they’re even finding ways to join a victim organization’s crisis communication calls to understand their incident response plan, giving Lapsus$ the upper hand to ensure their extortion tactics still pay off.

I’d normally want to mention the importance of Security Awareness Training in cases when phishing and social engineering attacks are used. But in the case of Lapsus$, the expertise demonstrated to date, along with their ability to exploit vulnerabilities to gain access to systems and data, makes them particularly dangerous and noteworthy.


Employers aren’t fussy about your cyber certifications

Only 27% of hiring managers stipulate university degrees.

A limited pool of cyber security expertise is causing Australian employers to poach skilled cyber staff more often than in other countries, according to new figures suggesting Australian universities are well behind global benchmarks in teaching desirable skills.

Just one in five hiring managers said they consider candidates’ credentials when deciding whether a candidate is qualified, industry body ISACA found in its new State of Cybersecurity 2022 study – which also discovered that just 27 per cent require their cyber security hires to have university degrees.

That’s almost half the 52 per cent global figure – suggesting that Australian employers have given up on waiting for universities to close the cyber security skills gap.

Rather, they are looking past formal qualifications to instead focus on issues such as candidates’ prior hands-on cyber security experience – named as the top factor by two-thirds of hiring managers – and recommendations from previous employers, used by one in three hirers.

Other indications suggest that universities simply aren’t producing the kind of workers that companies want, with 62 per cent of respondents reporting a skills gap in the soft skills of existing cyber security professionals – many of whom have been working in cyber security jobs for many years.

The soft skills gap was even wider, at 73 per cent, among recent graduates – and it is much worse in Australia than the global average of 54 per cent.

Such findings reinforce concerns that Australian universities are churning out technically-focused graduates from courses that aren’t teaching or developing the soft skills that employers actually want.

Key in-demand soft skills include communication, critical thinking and problem-solving capabilities – all widely desired characteristics that are, by some accounts, expected to dominate all jobs by 2030.

More poaching than a Sunday brunch

Disaffection with universities’ cyber security training is so high that 55 per cent of respondents to the ISACA survey generally don’t believe applicants are well qualified.

With skilled cyber security employees recognising both that they require soft skills and that those skills will improve their employability, ISACA found that cyber security staff were far more likely to be poached from rivals in Australia than elsewhere.

Fully 71 per cent of cyber security professionals had left their jobs because they were recruited by other companies – well ahead of the 59 per cent figure globally – suggesting that the Australian market is struggling more than most to supply enough skilled cyber security experts.

Previous studies have found many workers leaving because their employers aren’t giving them training in soft skills – yet despite all the poaching, two-thirds of ANZ respondents reported understaffed cyber security teams.

Local industry, it seems, simply can’t find enough candidates with the qualities they’re actually looking for.

“The pandemic put a strain on organisations that saw vulnerabilities appear in security systems during the migration to support remote working,” said Jo Stewart-Rattray, a member of ISACA’s Information Security Advisory Group.

“Demand increased rapidly for security professionals in a time that international and state border restrictions were imposed, creating lack of access to this essential workforce and a reduced talent pool.”

Recruitment searches are running for months – half of ISACA respondents said it takes three to six months to find qualified cyber security candidates – and more companies now say they have more unfilled cyber security roles this year than last.

The findings suggest that Australia’s efforts to close the cyber security skills gap, for example by increasing diversity and recruiting from other industries, are failing to fix the problem despite the industry adding over 26,000 new workers.

With large-scale cyber security efforts quickly absorbing these workers – industry giant CyberCX has over 400 staff, for example, while consulting giants PwCMTX and Deloitte have added hundreds of tech staff and new Budget allocations will add 1,900 cyber security experts to the Australian Signals Directorate – supply simply can’t keep up with demand for cyber skills.

Chronic shortfalls have driven companies to consider new ways of attracting talent, but with budgets also straining – just 29 per cent of ISACA respondents said they had appropriate cyber security budgets, much less than the 42 per cent figure globally – companies’ willingness to compete for skills may be plateauing.

“The Great Resignation is compounding the long-standing hiring and retention challenges the cyber security community has been facing for years, and systemic changes are critical,” ISACA director for professional practices and innovation Jonathan Brandt said.

“Flexibility is key. From broadening searches to include candidates without traditional degrees to providing support, training, and flexible schedules that attract and retain qualified talent, organisations can move the needle in strengthening their teams and closing skills gaps.”

Why data is driving the world

And how you can be part of the revolution.

Thanks to breakneck advances in technology, data’s integration into everyday life, and the increasing recognition of how it can be used to enhance and add value across various different areas, hard-walled silos in the IT industry are increasingly irrelevant.

According to the University of Canberra’s Professor of Affective Computing, Dr Roland Goecke, integration is key, and this creates a myriad of opportunities for the IT professional who wants to remain on the leading edge of the industry, and also make a real-world impact in people’s lives.

“Realistically, we’re early in the development of the data revolution, still in the pioneering phase in terms of widespread adoption – so now is the time to enter the field to shape its future,” he said.

“The first step is to have the understanding and knowledge to appreciate where data science, cloud computing or business informatics – to name a few – can make an impact.

“I believe that everyone will need some of these skills to varying degrees, across many different areas including business, government and environmental organisations.

“To make an impact in your field, it’s necessary to equip yourself with the relevant skills to tap into and create that impact, whether that is with a Master of Data Science or a Master of IT degree – upskill with a program that keeps abreast of the latest developments in the field, yet gives a valuable grounding.”

Fitbits and Apple watches everywhere

With an eye on the data science field, Professor Goecke sees some clear opportunities emergent.

In fitness-centric Australia, it seems that more wrists sport Fitbits and Apple watches than ever before – and that’s just data in a personal health and fitness setting.

“One of the fastest-growing areas, in which we see data science playing a constantly expanding role, revolves around health- and wellbeing-related data – whether that is in a clinical or hospital setting, or your fitness tracker measuring your heart rate,” Professor Goecke said.

“Health data is everywhere.

“However, in Australia, there is a shortage of data scientists who can deal with health-related data, because it’s not really taught as a direct specialisation in the health area.”

Professor Goecke says that when working with health-related data, it is important to have both the technical skills and a keen understanding of health settings – these could range from care provided at home to healthcare in rural and regional community settings.

“We need multidisciplinary teams working with health practitioners to make sense of health-related data,” he said.

“This can include population data. For instance, if you have been following news and communications around the COVID-19 outbreaks, vaccination rates, and how they relate to spatial data – the analysis of this would fall at the intersection of data science, informatics and epidemiology.”

Applying data science and informatics knowledge to sports strategy and analysis is a natural segue from health-related data applications – and it spans the spectrum from elite sport to everyday health and wellness.

“Modelling plays a huge part in this aspect of data science,” Professor Goecke said.

“Sports data analysis has taken huge steps – scientists can use data to measure not only performance, but the realities of training mode, and injuries incurred.

“Most of the professional leagues have GPS trackers in their clothing, which track positioning, acceleration data – but even if you have access to that tech, what do the results generated mean? How do you turn that into something meaningful for the coach – for instance, how much recovery time might an athlete need?”

Save the planet

With climate change a particularly hot topic – even more so with the recent COP26, or 2021 United Nations Climate Change Conference, dominating global headlines – Professor Goecke sees this as another area of opportunity for budding data scientists to make a difference.

“This is an area in which data scientists can have a huge impact on conversations around conservation, for instance,” Professor Goecke said.

“Imagine the ability to model what it means for the ACT or the Yass Valley to receive more or less rainfall, or to interpret the data gathered by camera traps and drones for animal conservation, and present it in a way that will help people to understand a conservation message – because the flipside of working with data is to be able to communicate what the data means.”

Professor Goecke says that traditionally, there has been a lot of emphasis on data-related technologies and techniques, but less focus on communications.

“While data science has grown out of maths and stats departments around the world, it is now one of the foremost areas highlighting the need for science communication skills – certainly, if you want to translate any of your work into policy and impact,” he said.

“Ideally, we need to understand that a 10-page report could probably better be visualised via Virtual Reality (VR) or Augmented Reality (AR), as a way of closing the loop and getting the message across.”

Professor Goecke also sees both an opportunity and a need in building the framework to scaffold data science work.

“Not everything that is technically possible should automatically be done, and questions of ethics and privacy always need to be considered,” he said.

“We need to look at such questions in the broader social context, and seek answers to questions like how should data be used, where and for how long it should be stored, what kind of energy and environmental impact this could involve?”

Professor Goecke feels this self-reflective questioning of the industry is a necessary ongoing process, as there is little current regulation.

“This is an area in its infancy, and one of great promise – but it needs to have safeguards built around it, the right oversight and ethics in place. There needs to be a balance of privacy and development – as data scientists, we need to make wise, clear-eyed judgments on a daily basis.”

Mailchimp Phishing Attack Results in Potential Hit on 100K Trezor Crypto Wallets

Stolen client data from Mailchimp put customers of the cryptocurrency hardware wallets on notice of potential social engineering attacks claiming to be Trezor.

This week, email marketing company Mailchimp announced a data breach on March 26 after it discovered a threat actor using compromised credentials to gain access to the company’s internal customer support tools. In total, audience data was stolen from 102 customers in the finance and cryptocurrency sectors – likely to be used to phish the customers of those 102 companies.

Over the weekend, crypto hardware wallet maker Trezor emailed its customers informing them of the compromise and provided instructions to customers to update their Trezor Suite:

“Trezor has experienced a security incident involving data belonging to 106.856 of our customers, […] If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet.”

Trezor also posted tweets about their data being compromised on April 3rd, warning customers that they would not be communicating via email for the time being until the situation is resolved.

The initial Mailchimp compromise began as a phishing attack. According to their statement about the attack, “The incident was propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”

This attack is an unfortunate example of the potential ripple effect a single phish can have. While Trezor customers appear to have remained unscathed, you can see how one user falling for a phishing attack could have impacted thousands of individuals and businesses. It’s why we’re so passionate about Security Awareness Training here at KnowBe4 – by training users to be vigilant at all times when interacting with emails, the risk of falling for social engineering tactics employed within a phishing attack is much lower, resulting in an equally lowered success rate for the initial attack itself.

Russian separatists built new crypto to evade sanctions

Scammers targeted people in developing countries.

Russian separatists in the Donbas region of Eastern Ukraine created and marketed their own cryptocurrencies around the world in an effort to avoid international sanctions prior to February’s full-scale invasion, a report has found.

A new investigation from the Centre for Information Resilience outlines the way high-ranking members of the Donetsk People’s Republic (DNR) – an unrecognised self-claimed state within Eastern Ukraine – used social media and app stores to promote and propagate their cryptocurrency schemes.

The cryptocurrencies Prizm and Ouroboros were both created with in-built mechanisms that reward users who sign on other people, similar to a multi-level marketing scheme.

The coins’ creators, including Alexander Lavrentyev and Alexei Muratov, actively promoted the cryptocurrency schemes to people in developing countries.

It’s well known that the world of cryptocurrency is rife with scammers but what makes Prizm and Ouroboros notable is the connection their main players have with the Russian separatist movement in Eastern Ukraine.

Muratov was sanctioned by the United States in 2017 following allegations he helped raise funds to aid the separatist regions Donetsk and Luhansk.

Lavrentyev was an aide of Denis Pushilin, the head of the DNR, who was recorded discussing the assassination of former DNR leader Aleksandr Zakharchenko shortly before he was killed.

Elise Thomas, author of the study, said the ease with which these men operated their cryptocurrency schemes was a troubling sign for financial regulators and investors whose money is tied into the broader ecosystem.

“It appears to have been alarmingly easy for high-profile members of a sanctioned armed separatist group to create and market a cryptocurrency scheme over several years,” she said.

“Most directly, these schemes are harmful to their victims.

“Prizm, in particular, has been intentionally marketed to ‘investors’ in the developing world with lower levels of digital literacy, who may not have had the ability to assess the financial risks they were taking.”

Muratov proudly ran conferences in Timor Leste, Indonesia, and India in order to sell crypto and spread his ideology ‘Change the World Together’ which, in language not uncommon to pockets of other cryptocurrency communities, railed against traditional financial markets and called for “a new financial model”, complete with decentralised currencies.

Both Prizm and Ouroboros are dead projects whose values have flatlined following months, or years in the case of Prizm, of trading activity, according to CoinGecko.

The investigation once again highlights how cryptocurrencies could be used to evade sanctions, a concern that has been raised since international efforts sought to sever ties with Russian oligarchs following the country’s invasion of Ukraine in February.

Blockchain analyses last month revealed a high volume of cryptocurrency transactions in the wake of sanctions against Russian oligarchs.

The suggestion was that decentralised finance (DeFi) markets were being used to funnel money out of the Russian ruble and into other fiat currencies like the US or Australian dollar in order to keep the money’s value and function.

Speaking at Blockchain Week 2022, Senator Andrew Bragg – who has led the government’s reviews into cryptocurrency, its use, and the burgeoning financial sector around it – said the potential for crypto as a method to sidestep sanctions was of serious concern for investors.

“We can’t have a situation where a product which is used by millions of people can become a backdoor for sanctions,” he said.

“When individuals, businesses, investment funds, pension funds, sovereign wealth funds, are being compelled to divest from Russian assets, it doesn’t make sense to allow crypto to provide a back door.”

Social Engineering by “Emergency Data Request”

Bloomberg has reported that forged “Emergency Data Requests” last year induced Apple and Meta to surrender “basic subscriber details, such as a customer’s address, phone number and IP address.”

Emergency Data Requests (EDRs) come from US law enforcement authorities. But don’t they need a warrant to ask for this kind of information? Yes, normally they do. Brian Krebs explains, “In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.”

And what about tech companies like Apple and Meta? Don’t they know how to receive and respond to warrants? Again, yes, they do. Krebs explains further: “Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.”

So what’s going on with EDRs? They’re a bit different. They’re issued in special circumstances by law enforcement agencies when the authorities are concerned about a clear, imminent danger, and they can be issued without the usual legal and judicial review.

As Krebs puts it, “But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.” This is the proverbial ticking time bomb, when law enforcement needs information immediately because the threat is both imminent and grave. And of course a company receiving that kind of request wants to comply. No one wants mayhem, especially mayhem their cooperation might have prevented, and so the recipient is likely to choose responsive, quick disclosure over insistence on procedural privacy safeguards.

Unfortunately, it’s difficult to determine whether an EDR (which, remember, is by its very nature an emergency measure designed to bypass ordinary procedures) is real or not. “It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” Krebs writes. “Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.”

Thus urgency, here as in so many other cases, seems to have served to lower the victims’ guard. None of the companies who were affected by the scam are without experience in handling requests from law enforcement, and they all have policies in place to prevent this sort of thing from happening. The social engineers found the procedural gap and drove through it. Changes to policy, and especially some reliable means of authenticating EDRs, should help alleviate the problem.

Researchers suspect that some, perhaps all, of those responsible for the caper were minors in the UK and the US, some of whom may also be involved with the Lapsus$ group, others with the (possibly now defunct) Recursion Team. In this case, as in so many others, realistic new school security awareness training can help employees smoke out suspicious approaches.

Cost of Internet Crimes in 2021 Increases 64%, Exceeding $6.9 Billion

New data from the FBI’s Internet Crime Complaint Center (IC3) shows a massive increase in the cost of internet crimes, with phishing and BEC topping the list.

The IC3’s recently-released annual Internet Crime Report gives us a broad picture of what kinds of cybercrimes are being perpetrated across the U.S. every year. This year saw increases in the number of reported cases – 847,376 (a 7% increase), and the amount of losses hitting nearly $7 billion!

From the case data, the IC3 helps us focus in on two specific concerns for businesses. First is phishing/social engineering scams; the 323,972 cases made up 38% of all reported cases in 2021 and represent a 34% increase in case counts. The second is Business Email Compromise, which was responsible for nearly $2.4 billion in losses, but only slightly fewer than 20,000 cases. This equates to an average loss of $120,000 per case.

Ransomware cases were notably low on the spectrum – with only 3,729 cases and $49.2 million in losses. With ransomware being considered the number one cyber threat today, I’m guessing the IC3 simply isn’t being contacted in most cases. Even so, the healthcare sector dominated the list of victims by industry, with financial services, information technology, and manufacturing following in the list.

Phishing, BEC, and Ransomware are serious cybercrimes with even more serious repercussions. All tie back to the use of social engineering tactics to fool victims. Security Awareness Training is key in stopping these kinds of attacks at the common juncture point – when threat actors require corporate users to act in order for the attack to continue. Those users that take the training are more apt to spot an attack and stop it in its tracks.

Prediction: mobile phones will not exist in 10 years

The ‘Internet of Bodies’ is upon us.

Mobile phones will not exist in ten years’ time, a data scientist and futurist has predicted in calling out the breakneck pace of the “absolutely game-changing” Industry 5.0 paradigm that she called “not the Internet of Things, but the Internet of Bodies”.

“Lots of people are talking about the new normal, but the new normal in the world of emerging technologies is every week,” Dr Catherine Ball, a data scientist and systems engineer at Australian National University, said in a keynote to the ADMA Global Forum.

“We are now working with exponential and bleeding-edge technologies that are moving so fast that we don’t even have the words to describe what they actually mean.”

As distinct from Industry 4.0 – an industrial paradigm built around the idea of highly-connected, self-monitoring and self-optimising production processes that lean heavily on IoT sensors – Industry 5.0 will be based on convergence of data and human-centric technologies that will dramatically change the way people interact with services, with the world around them, and each other.

Noting that ANU scientists have already produced mobile phones as thin as a piece of paper, Ball said today’s human-focused technology was rapidly being subsumed into wearable and implantable devices that would make phones as standalone devices redundant.

Innovations such as the smart contact lens – conceptualised by Google in 2013 and recently demonstrated by South Korean researchers – will allow people to “project what we want to see, not what is,” Ball said.

Rather than using smart mirrors to virtually try on clothes and accessories, for example, an Industry 5.0 approach would see a composite image projected directly onto the wearer’s contact lens – or, as is being increasingly discussed, directly into a digital metaverse where responsive avatars can interact with highly detailed simulacra of real-world or imaginary spaces.

Those digital environments aren’t just about marketing, however: with increasingly detailed digital twins becoming commonplace, metaverse interaction will allow people to interact with real-world systems in new ways.

Large-scale digital twins of a country like Vanuatu, Ball said, would even allow weather scientists and emergency-response specialists to simulate the impact of different extreme weather scenarios.

“It’s about convergent technologies,” Ball explained. “It’s about how the future is more than the sum of the parts – and before we even start talking about the metaverse, how we’re going into a space where data is being produced and consumed in ways that we have never done it before.”

Get data right before it does you wrong

Yet for all the promise of Industry 5.0, the burden of collecting, managing, and utilising the data was posing new challenges as brands consider how to re-engage with consumers that are retraining themselves for life in the “post-plague economy”.

“We’re at a tipping point,” Ball said, warning marketers that trust will be crucial in rebuilding those relationships – and that laying down a coherent and effective data management strategy is critical to achieving that trust.

“In the last two years we’ve connected online in ways that we’ve never connected before physically,” she said, “so how do you maintain those relationships and maintain those personal trusts?”

“This isn’t about just shoving ads at people,” she continued. “This is actually working how we are as individuals going to be, as a human concept, producing data that you might be collecting, but also consuming data that you might be producing.”

“We’re going from technology and device-led conversations to social function and social license – and ethically driven ways of working.”

Use of data for the common good – for example, in better understanding natural disasters like the current Lismore floods, or modelling bushfires to better manage outcomes and minimise human impact – will be a key output of Industry 5.0, Ball said.

Yet faced with “data tsunamis” from the sheer volume of multi-modal, multi-platform data now being collected and used, she added, companies needed to consider practical issues – for example, whether they should invest in sovereign data capabilities and how they can ensure that their use of AI respects ethical and moral norms.
