The Context
Threat 3: ‘Business as usual’ social engineering
What’s the risk?
Sometimes risks and threats take us by surprise, like war in Europe or the Coronavirus pandemic. But more often than not, the future has a lot of the past in it. So while it’s possible that Terminators will be smashing their way through society by 2030, tomorrow’s cyberthreats are more likely to be an evolution of existing trends – all of which feature heavily in Police reports from 2022.
of businesses having experienced a phishing attempt in 2022
Phishing
Still the number one cyberattack technique, with 83% of businesses having experienced a phishing attempt in 2022, according to the UK Government’s latest Cyber Security Breaches survey. Global phishing traffic more than doubled in 2022, with attempts to impersonate trusted services like AWS, Google and Microsoft increasing by over 80% in the same period.
Malware attacks on endpoints
Hybrid working is here to stay – and so are malware attacks on remote workers’ devices. With employee’s laptops and smartphones now frequently outside corporate networks, the risk of malware infection is a concern for 32% of businesses with remote workforces. Endpoint security will remain a high priority heading into 2023, as security policies catch up with the hybrid working trend.
Invoice fraud
Invoice fraud was the biggest cause of financial loss for businesses in a three-month period between late 2021 and early 2022, according to data from Barclays, and increased by 13% year on year. Scammers’ techniques to watch out for include impersonations of legitimate suppliers, and seemingly innocent requests to change suppliers’ payment details.
Identity theft
Fraudsters can and do impersonate businesses for financial gain, with this technique costing businesses in the US alone billions of dollars each year. Techniques range from simply impersonating a business to procure goods, to a full Corporate Account Takeover where criminals gain unrestricted access to the network and its data.
Burglaries for data
Social engineers are skilled at gaining entry to business premises. How much harm could a criminal impersonating a HVAC or fire safety engineer do simply by pocketing an unlocked smartphone from an employee’s desk? Especially if that person’s business emails were easily accessible, and if they worked in finance or IT? As cyber security gets stronger, be alert to determined criminals looking to access your systems and data by other means.
A lot of these threats can be overcome by a mix of training, organisational culture modification and technical controls. It is more important than ever to tackle these issues proactively. No-one wants to see cybercrime techniques like SQLinjection celebrating its 21st birthday on websites.