When the Going Gets Tough, the Hackers Get Going | Probrand

When the going gets tough, the hackers get going

Consumer sentiment numbers reflect this general trend. Consumer confidence is below pre-pandemic levels in almost half of the countries that Ipsos polled in March. These feelings of unease make people a natural attack vector: emotions make people irrational, unpredictable, and vulnerable. Intruders have exploited this for decades, and current world tensions give their well-honed social engineering techniques the perfect opening. How are they likely to come at your employees, and what can you do about it?

A history of hi-jacking current events

Online criminals repeatedly exploit current events that provoke visceral feelings among the general public. Their scams lure victims with content that invites them to take action, giving them a feeling of empowerment and control in troubled times. In natural disasters, people feel sympathy and want to help. When an earthquake and tsunami hit Tohoku, Japan in 2011, quick-acting scammers exploited that sympathy by sending phishing emails asking for help for the victims. Any donated funds went straight into the criminals' pockets. When the pandemic hit, people were anxious and eager to protect themselves, especially in the early days when reliable information was hard to find. In the first months of the crisis, researchers saw pandemic-themed spear-phishing attacks rise dramatically, from 1,188 in February to 9,166 in March (still only about 2% of the spear-phishing attacks they observed, which shows how much of the wider phishing volume never needed a topical hook at all).

Attackers are just as happy to play on fear as on compassion, and there is no limit to how low they will sink. One pandemic scam, sent over a thousand times, threatened to infect victims and their families with the coronavirus unless they paid up. Scams offering cures and soliciting investments in fake vaccine companies were also rife. Now criminals are turning their attention to the escalating geopolitical situation. According to researchers at Google, financially motivated actors are exploiting war-based themes in the most heartless ways. One criminal group impersonates military personnel and demands money to rescue victims' relatives from dangerous areas. Another impersonates aid organisations and solicits donations for the victims of the conflict.

How do attackers move so quickly?

Phishing groups can react quickly to new global events because they have a mature set of tools that let them mount convincing attacks at speed. Kits with names like Rock Phish make it easy for even non-technical operators to get in on the action: one kit can serve multiple web pages impersonating different organisations, and operators register batches of domain names containing words and phrases tied to the cause or topic of the moment. Open-source phishing toolkits such as SniperPhish and the Simple Phishing Toolkit are available for free, so the cost of entry is effectively zero. Those projects are aimed at security teams who want to run benign phishing simulations against their own employees, but like most other security and ethical hacking tools, they can be weaponised for real attacks.

Multi-factor authentication (MFA) protects employees against some phishing attacks, but there are now over a thousand toolkits designed to intercept MFA sessions using manipulator-in-the-middle (MiTM, also called adversary-in-the-middle) attacks: the phishing page acts as a reverse proxy to the real login page, relays the password and one-time code the victim types in real time, and keeps the session cookie that comes back. Codes typed by the user (SMS, TOTP apps) and push approvals can all be relayed this way; only factors bound to the site's origin, such as FIDO2/WebAuthn security keys and platform authenticators, resist it, because the signature they produce names the domain the browser is actually on and fails verification against the real site. Even if you think your employees wouldn't fall for threats or fake donation scams, there are always other hooks. Criminals also appeal to curiosity. They post what purports to be a salacious video about a current event on social media, or offer supposedly exclusive footage of disasters or scenes from a conflict, hidden behind a link. The link delivers malware instead of footage.
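The relay described above, as an added simulation that is not part of the original article or any of the toolkits it names. The identity provider, the victim's browser and the phishing proxy all run in one process with no network; the account, domains and keys are constructed. TOTP follows RFC 6238. The origin-bound factor is a deliberate simplification of WebAuthn: a keyed HMAC over "origin|challenge" stands in for the asymmetric signature over clientDataJSON and authenticatorData, and in a real browser the credential would not even be offered on a domain whose RP ID does not match. What the simulation does show is the part that matters: the browser, not the user, fills in the origin, so a relayed assertion carries the phishing domain and the real site rejects it, while a relayed TOTP code is accepted.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, shared by the IdP and the victim's authenticator app."""
    counter = int(timestamp // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdP:
    """Toy identity provider for one constructed user. Supports a typed TOTP code and
    an origin-bound assertion (WebAuthn-style simplification, see lead-in)."""
    ORIGIN = "https://login.example-corp.test"  # assumed legitimate login origin

    def __init__(self):
        self.password = "correct horse battery"     # constructed credential
        self.totp_secret = secrets.token_bytes(20)
        self.device_key = secrets.token_bytes(32)   # stand-in for the registered credential key
        self.challenges: set[str] = set()
        self.sessions: set[str] = set()

    def _new_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_with_totp(self, password: str, code: str, now: float):
        """Accepts any correct code inside the current 30-second window, wherever it was typed."""
        if password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now)):
            return self._new_session()
        return None

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_with_assertion(self, password: str, assertion: dict):
        """Accepts only a fresh challenge, signed for this exact origin."""
        if password != self.password or assertion["challenge"] not in self.challenges:
            return None
        self.challenges.discard(assertion["challenge"])          # single use
        if assertion["origin"] != self.ORIGIN:                   # the anti-relay check
            return None
        expected = hmac.new(self.device_key, f"{assertion['origin']}|{assertion['challenge']}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._new_session()

    def is_logged_in(self, cookie) -> bool:
        return cookie is not None and cookie in self.sessions


class VictimBrowser:
    """Alice types her secrets into whichever page she is on; the browser fills in that page's origin."""
    def __init__(self, idp: IdP):
        self.password, self.totp_secret, self.device_key = idp.password, idp.totp_secret, idp.device_key

    def type_totp(self, now: float):
        return self.password, totp(self.totp_secret, now)

    def sign_challenge(self, page_origin: str, challenge: str) -> dict:
        sig = hmac.new(self.device_key, f"{page_origin}|{challenge}".encode(), hashlib.sha256).hexdigest()
        return {"origin": page_origin, "challenge": challenge, "signature": sig}


class PhishingProxy:
    """Reverse proxy on a look-alike domain: forwards the victim's input to the real IdP live."""
    ORIGIN = "https://login.example-corp-support.test"  # assumed attacker-registered domain

    def __init__(self, idp: IdP):
        self.idp = idp

    def relay_totp(self, victim: VictimBrowser, now: float):
        password, code = victim.type_totp(now)                      # victim submits to the fake page
        return self.idp.login_with_totp(password, code, now)        # replayed inside the TOTP window

    def relay_assertion(self, victim: VictimBrowser):
        challenge = self.idp.issue_challenge()                      # proxy fetches a genuine challenge
        assertion = victim.sign_challenge(self.ORIGIN, challenge)   # browser signs for the page it is on
        return self.idp.login_with_assertion(victim.password, assertion)


def run_totp_relay() -> bool:
    idp = IdP()
    return idp.is_logged_in(PhishingProxy(idp).relay_totp(VictimBrowser(idp), now=1_700_000_000))


def run_assertion_relay() -> bool:
    idp = IdP()
    return idp.is_logged_in(PhishingProxy(idp).relay_assertion(VictimBrowser(idp)))


def run_legitimate_assertion_login() -> bool:
    """Control case: the same assertion flow on the real origin still works."""
    idp, victim = IdP(), None
    victim = VictimBrowser(idp)
    assertion = victim.sign_challenge(IdP.ORIGIN, idp.issue_challenge())
    return idp.is_logged_in(idp.login_with_assertion(victim.password, assertion))


if __name__ == "__main__":
    print("TOTP relay hands the attacker a session:", run_totp_relay())
    print("Origin-bound relay hands the attacker a session:", run_assertion_relay())
    print("Legitimate origin-bound login works:", run_legitimate_assertion_login())
```

Note that the TOTP relay succeeds without any cryptographic weakness in TOTP itself; the code is correct and fresh, it is simply being typed into the wrong site, which is why user training alone is not a complete answer and why origin binding, not "more factors", is the property that defeats these kits.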

Phishing on work and personal systems

These attacks are dangerous enough when people encounter them on work machines, but the blending of work and personal life that came with remote working has widened the threat. If an employee falls for a social engineering attack on a personal device that they also use for work (or vice versa), work-related data and account details on that device are exposed as well.

The prevalence of mobile devices has blurred the line between work and personal life even further. Employees working remotely often use their smartphones for work, and mobile phishing via text message (SMS phishing, or smishing) is a common problem. These attacks have been on the rise, and three-quarters of organisations reported being targeted by them in 2021.

How can you protect your employees against these attacks?

Security awareness training can teach them to approach online sessions and emails mindfully, watching for suspicious activity and stopping to think before taking the clickbait. There will always be a small subset of users who forget those warnings, so it's important to shore up your human defences with technical measures, and those should be layered: endpoint protection that covers computers outside your network, email scanning and quarantine, and web content filtering that blocks browser access to known malicious destinations.