Cybercriminals are increasing the use of highly-targeted and sophisticated social engineering schemes designed to steal passwords. This was among the key takeaways from the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, commissioned by Keeper Security.
Cybercriminals like social engineering schemes because they work. The weakest link in any organization’s cybersecurity is its own people; this includes not only employees but also third-party vendors with access to IT systems. Once a cybercriminal has a working password, it’s game over. They can blow right past antivirus and intrusion detection systems and go wherever they want in the network. In fact, 69% of respondents to the Ponemon study said they’d experienced an attack in the previous 12 months that had evaded their intrusion detection systems, and 82% were targeted by attacks that got past their anti-virus solutions.
With that in mind, here are three threats we can expect to see a lot more of in 2020, all of them flavors of social engineering:
#1. Phishing & smishing
Phishing has evolved. Mass spam email campaigns are giving way to highly sophisticated, targeted business email compromise (BEC) scams. Additionally, because a lot of people use their phones for SMS/text messages more than they do for calls these days, cybercriminals are sending malicious messages, a practice known as “smishing.”
While most people know to be wary of clicking on links in emails, many people are still unaware of the dangers and prevalence of smishing, so organizations would do well to educate their employees about it.
#2. Deep fakes
For some time, cybersecurity experts have been deeply concerned about manipulated and malicious videos and audio, known as deep fakes. Unfortunately, the threat that deep fakes pose is no longer hypothetical. A few months ago, an energy company in Europe lost $243,000 when a cybercriminal used an audio deep fake to impersonate the CEO. As the technology to create frighteningly realistic deep fakes continues to improve, expect them to be used for more wire transfer fraud, account takeover (ATO) attacks, and other cyber scams.
#3. Election-related cyber attacks
Cyberattacks and social media misinformation/disinformation attacks against government agencies (systems, databases, and people) will grow in frequency and intensity as the 2020 U.S. presidential election approaches. These won’t be lone wolf “hacktivist” attacks. They’ll be orchestrated by highly organized, well-funded nation-state actors who have been laying the groundwork for years.
Defending your enterprise in 2020
Defending against these threats requires a multi-pronged approach.
- Make sure your employees receive ongoing cybersecurity training, particularly awareness of phishing and smishing since those are among the most likely scams they will encounter.
- Be aware of who is accessing your network, and establish and enforce role-based access control (RBAC).
- Establish policies that require any requests involving money or payment instructions to be confirmed and signed off on by more than one person.
- Above all, establish and enforce a company password policy that mandates the use of strong passwords, 2FA and a password manager such as Keeper.
Keeper’s business and enterprise password management solutions give organizations visibility into employee password practices, allowing them to monitor password use across the entire organization and enforce strong passwords, 2FA, RBAC, and other security policies.