Is your company protected against “SHING” attacks?




Without any doubt, your company has suffered hundreds, if not thousands, of “SHING”-type attacks. Care to bet?!

In companies we have plenty of software, hardware, professional services and measures, more or less strict, to protect our physical and digital assets. But, beyond this...

  • Do we take into account the weakest link in the chain?
  • Do we take into account social engineering attacks?
  • Do we take into account the human factor, which accounts for 74% of incidents, according to Verizon's 2023 Data Breach Investigations Report?

On the other hand, 98% of the cyber threats that companies face start with an email that arrives in the mailbox of one of their employees, as the report also reflects. In the end, people are the receivers and activators of threats.

Furthermore, 95% of cybersecurity problems can be attributed to the human factor, as pointed out by the World Economic Forum's Global Risks Report 2022, 17th Edition.

So we also have to face this with all our strength: cyber attacks directed at people. We must protect people in order to protect our corporate assets.

It is no longer just about having an arsenal of protection and prevention tools. We must also raise awareness among, educate and train our employees, partners and suppliers (everyone who accesses and uses our systems and services), so that they do not fall for deceptions and scams that appeal to human sensitivity and behavior.

The manipulation of people, psychological manipulation that appeals to urgency, solidarity, fellowship, social situations, etc., is among the most widely used and effective techniques employed by cybercriminals.

In short, the use of social engineering. And a good part of it reaches our company as “SHING”: the art of deceiving people to get them to do what you want them to do and, in most cases, without having to use malware, ransomware, advanced technologies, or even any type of technology at all, but only using people to attack.

It sounds familiar to us, right? Yes, “shing” is a well-known and deeply internalized threat, one that is difficult, or very difficult, for us to fight, both at the individual level, in our homes and on our personal or family devices, and in the corporate sphere, in companies of all types and sizes: phishing, smishing, vishing, QRshing, CEO fraud, BEC (Business Email Compromise) attacks or account compromise. We know them, right? And haven't we received them (a lot) in our companies? Have we taken the bait? What repercussions have they had?

What is phishing? INCIBE defines it very briefly and clearly as “the hook in your inbox”, but adds a more technical and professional definition:

“Phishing is a technique that consists of a cybercriminal sending an email to a user while pretending to be a legitimate entity (social network, bank, public institution, company, supplier, partner, etc.) with the aim of stealing private information, making a financial charge or infecting the device, through its content, attached files or links to fraudulent pages in the email”.

And among these “shing”-type attacks there are many modalities, in addition to the phishing that arrives by email:

  • Smishing, which combines SMS messages and phishing as such, using text messages to direct victims to false, illicit, or fraudulent websites, and even to ask the recipients to take some type of action.
  • Vishing, which is a phishing attack carried out through a phone call, in which the caller tries to impersonate someone legitimate, such as a company, an official body, a public administration, a supplier, a client, etc., and asks the recipient of the call for certain personal, private, or confidential information, or even to take some type of action.
  • QRshing, which uses the scanning of false, fraudulent, illicit, or malicious QR codes to lead users to a website or form from which malware is downloaded, or where they are asked to enter personal, private or confidential data.
  • Spear phishing, which, while being a phishing attack in any of its modalities, is specifically directed at one person (or several): a company employee, a public body or administration, a specific company, a specific organization, a politician, etc. It is a more “studied”, elaborate and efficient type of phishing, since the cybercriminals have previously investigated the organization, its employees and the people to attack, and already know the recipients, their habits, roles, responsibilities, capabilities, the access they have, the information they can reach, their permissions to carry out certain types of activities and, therefore, what can be obtained from them.
  • Whale phishing, whaling, or whishing, which is similar to spear phishing but differs from it in that the attack is directed at specific, very high-profile people within the company or organization (a “big fish” of the organization such as the partners, the president, the members of the Board of Directors, the CEO, the General Director, the members of the C-level, and even other types of corporate profiles, such as the DPO, etc.), who have access to and manage specific information of a confidential and strategic nature.
  • Pharming, which is a more sophisticated type of phishing, since the cybercriminals redirect traffic from a real, truthful and legitimate website (through different types of techniques) to a fake, fraudulent or illegitimate website, where the privacy and security of the information is compromised.
  • Clone phishing, in which a cybercriminal intercepts and obtains beforehand a legitimate email from the impersonated organization, which they then modify (generally by inserting text with instructions for the recipient to follow, a fraudulent link, or even attached files with malware). This gives the message greater credibility and, therefore, more effectiveness.
  • Angler phishing, or social phishing, through which cybercriminals commit identity fraud or simply pose as a company's technical support worker (for example, the case of the fake Microsoft Technical Support that calls us by phone), or as someone from the purchasing department, billing department, or similar, to deceive the recipient into providing certain personal and/or confidential company information.
  • CEO fraud. Although similar to the previous case, there are also situations in which, within a company, the identity of a senior official is impersonated (generally someone with specific weight, such as the CEO, a manager, a department head, etc.), so that the recipient of the message (an employee) trusts that the message really comes from whom it appears to come from, considers it legitimate and, therefore, does what the email tells them to do. These types of attacks, or attack techniques, are also known as BEC (Business Email Compromise) attacks.
  • Malvertising, which goes somewhat further, since the cybercriminals go as far as buying advertising and ads on social networks and platforms (e.g. animated and clickable images and banners) that include links to illegitimate and/or fraudulent sites. A specific case of this type of attack is pop-up phishing, which displays pop-up messages (generally notices or advertisements) when a web page is visited. However, these fraudulent ads could be displayed in any other way.
  • Black Hat SEO, search engine phishing, or SEO poisoning. In this case things are more complex, since the cybercriminals have a strategy: they work and invest money in manipulating the SEM/SEO positioning of their links on the Internet, so that they always appear in the top positions of search engines such as Google, Bing, and Yahoo.
  • Fake WiFi phishing, fake hotspot phishing, or evil twin phishing, in which the cybercriminals set up their own fake WiFi network that looks like another open public WiFi network that already exists and is available in a specific place, so that users connect to it thinking it is the correct one.
  • SIM swapping, through which cybercriminals convince service providers to transfer the phone number of the person they intend to attack to a new SIM card. With this, the attackers gain access to the attacked person's messages and calls.
  • Watering hole phishing, or watering hole attack, which involves a specific attack on a specific company or organization. The cybercriminals detect the websites, domains or URLs that are most visited, or receive the most traffic, from the devices of the employees of a specific company, and redirect them from those correct URLs to malicious URLs (owned and managed by the cybercriminals) that can download malware. It can resemble pharming, but it is not exactly the same.
  • Hishing, or hardware phishing, which, although it may not involve a deception technique as in the previous cases, consists of the cybercriminals, through various methods, “hiding” malware on different devices (computers, laptops, mobile phones, etc.) that are going to be delivered to other users (rental, new sale, second-hand sale, etc.).

And, without a doubt, there are, and will be, many more variations and nuances in the techniques, mechanisms, tricks and deceptions that cybercriminals use to achieve their goals.

These types of phishing attacks, which, after all, in most cases rely on social engineering, coexist with, and can even be combined with, other attack tactics that also use it, such as:

  • Pretexting seeks to get the attacked person (the victim) to provide personal and/or confidential information, using a “pretext” or “pretexts” (excuses) that address their interests, those of the company, the business, etc., and motivate them to do something specific because of a supposed need to act urgently, aspects of solidarity, social issues, etc. In this way the cybercriminals manipulate their victims into doing what they want them to do. Some cases, types or examples are the tricks or scams that refer to situations related to a supposed technical support (for example, the case of Microsoft Technical Support), the case of CEO fraud, and the financial ones related to supposed prizes, inheritances, gambling, etc.
  • Baiting consists of leaving “abandoned” a storage device (a USB stick, a removable hard drive, an SD card, or another type of device) that contains malware. The objective is that whoever finds it takes it, accesses it, uses it and connects it to other devices, infecting them and thus spreading the malware on a massive scale. Other variants, depending on the medium or place in which the malware resides, are the fake WiFi hotspot (where a WiFi access point is faked), the reading of fraudulent QR codes (QRshing), fraud on social networks or social media (where URLs, links, and even clickable images or multimedia elements are shared, from which the malware is downloaded), Black Hat SEO itself, etc.
  • Tailgating, which is the set of social engineering techniques with which cybercriminals gain unauthorized access to the company network (or any other service or system that has validation/login) by analyzing the behavior of users/employees. Some of these techniques are keylogging (by which the keystrokes made by users/employees are recorded) and Bluetooth hacking (attacking and accessing Bluetooth communication to “sniff” or intercept the information that passes through it), among many others.

As we have seen in all of them, the cybercriminals use different channels, means, or mechanisms to act, of which the main ones are usually the following:

  • Email (traditional phishing).
  • SMS text messages (smishing).
  • Telephone calls (vishing).
  • QR codes (QRshing).

And all of this is the order of the day, even more so than we think. A huge number, the vast majority, of the successful cyber attacks perpetrated against companies, organizations and their employees are based on these mechanisms or techniques. By way of example, during 2023:

  • Email is the main threat vector. 98% of threats start with an email as an attack directed at people, of which 12% are cases of phishing and 49% are cases of credential theft, according to Verizon's 2023 Data Breach Investigations Report.
  • Three out of four email incidents (phishing and others) are aimed at SMEs, according to Coveware.

As we can see, this scenario has a huge impact on companies of any type, causing damage as notable as economic losses, reputational losses, financial fraud, legal and regulatory breaches (with their respective penalties, sanctions and fines), improper access, data loss, identity fraud, and even the temporary or permanent discontinuity or stoppage of the business, which could mean its closure.

It seems that companies have not yet gone all in to take the bull by the horns, since it is not only about taking technological measures such as implementing very powerful technological tools, strict control systems, continuous monitoring of communications, risk and vulnerability management, the best mail filtering, or the best authentication models... it is also about people.

In short, it is about all this and, in addition, about protecting people, employees, and providing them with all possible resources (tools, professional services, managed cybersecurity services, awareness, training, coaching, etc.) so that they do not bite, so that they “do not fall into temptation”.

Don't you think that your company can easily find itself, at any time, in one of the situations we have described?

Maybe your company needs help from professional cybersecurity services like the ones we offer at Zerolynx: Cybersecurity Services.

If you prefer, contact us and we'll talk.

Íñigo Ladrón Morales, Content Editor for Zerolynx.


