CSO posted a great article that I think all business people should read, internalize, and use in their company’s employee training programs. The article, called “Four of the newest (and lowest) Social Engineering scams”, says that the number of spear-phishing campaigns jumped 91% in 2013.
Social engineering is big business, pulling in millions of dollars annually for thieves, and phishing emails are the tool of choice for tricking people into clicking on malicious links.
Now, cyber-criminals are upping their game, injecting nasty strains of malware onto workstations that then worm their way onto shared servers, where they steal, encrypt, or delete data.
According to the article, here’s what the cyber-criminals are up to now:
- We all heard about CryptoLocker last year; now a new variant called CryptoDefense has popped up in 2014. Systems infected with this malware have their files encrypted, and the thief demands a ransom for the key to unlock them. If the ransom is not paid within a certain amount of time, the files are lost.
- Phishing emails are sent to a targeted person within a company; then the thief, posing as an employee, calls and asks that person to click on a link in the email.
- After stealing thousands of credit card numbers, criminals use “Robocalls”, posing as credit card companies and asking for credit card expiration dates and security codes. Let’s face it, making thousands of automated calls will yield a few people falling for the scam, making this a lucrative business. Now, thieves have graduated to calling businesses to glean data about company credit cards.
- With the massive data breaches of 2013 and early 2014, criminals have learned to merge and mine the data for personally identifiable information and use it in targeted email schemes posing as health-care providers, insurance companies, etc.
- Criminals are using emotion-laden emails, posing as funeral homes announcing the death of a friend or family member, getting people to click on links to spoofed websites where malware is automatically downloaded onto their computers.
The article highlights what XSolutions has been telling its clients for years. Small-to-Medium Businesses (SMBs) are being particularly targeted. The article mentions that attacks on SMBs comprise 41% of all phishing attacks and that number is rising as large companies strengthen their defenses and increase employee awareness while SMBs remain vulnerable. Many SMBs feel that they are too small and criminals will bypass them for larger and more lucrative targets. This is simply not true.
Small-to-medium-sized businesses are now the preferred targets of cyber-criminals. Updating security systems, maintaining viable backups of your data, and educating employees are key tools against becoming a victim.