National Connections, Local Ownership

Clark: Latest hacking schemes used by cybercriminals

Originally appeared in Fleet Owner

Hacking into a company’s data used to require a decent amount of technical knowledge and skills that would enable cybercriminals to infiltrate your systems to capture your most sensitive data. That is no longer the case.

In the horror story world, a vampire has to be invited into your home rather than just walk in. The same holds true for cybercrimes now. The most effective and cheapest way in is to trick an employee into inviting that criminal in. The employee has no idea that they’re helping bad actors harm your company, but phishing scams are pretty sophisticated and seem to know how to get employees to open that door. Vade, a global company for AI-powered email security, published its Q3 2023 Phishing and Malware Report, which found that phishing volumes had “increased by 173% compared to the previous quarter (493.2 million versus 180.4 million).” And once a cybercriminal gets into your system, it can cost you… big time.

It’s tough to keep up as the scams keep changing

Unfortunately, as the business world catches on to the latest scams and educates employees to recognize them, bad actors figure out new ways to get in. It’s a never-ending cyber whack-a-mole. Here are just some of the latest schemes to watch out for:

Let’s be friends: In this instance, an employee gets a text message on their mobile device that “obviously” was supposed to be sent to someone else. Realize that the bad actor has already done their research on the employee they’ve texted, so if the employee responds, the scammer starts an ongoing conversation that can seem entirely harmless. Once a relationship develops, the scammer convinces the employee to download an attachment that will (according to the bad actor) help the business. Once that download occurs, the bad guys are in your system, ready to wreak havoc.

Juice jacking: This is especially problematic for people who travel for business or who work while sitting in a public place, like an airport or coffee shop. Warn your employees to be very careful about charging their device through that location’s public USB port. Juice jacking is the term that describes an insidious plot where cybercriminals load malware onto the charging stations. Once a person uses the charger, he or she is unintentionally exporting personal data and passwords directly to the criminal. If the device being charged is a work device, your worker has just exposed your business to the hackers.

The fake invoice: Here, a bad actor creates and sends a fake invoice that appears to come from a known supplier indicating that the bank account or address has changed. Then they’ll ask for wire transfers or payment methods that take time to verify. If there are numerous suppliers and the company is still using manual processes, it’s easier for fake invoices to get through.

Whale phishing: It’s not just the rank and file that can be taken in. Even the C-suite and senior executives can fall victim to a phishing attack known as whale phishing. In these cases, higher-level executives and those with access to financial information or other sensitive information are targeted.

These phishing emails are more sophisticated and usually convey a sense of urgency, along with personalized information about the individual targeted and about the person the email appears to come from (usually another executive-level person). These phishing attacks require a reaction from the recipient, which can be anything from a wire transfer of funds, to clicking on a link that unleashes malware, to simply giving up more information about the business for further attempts.

Social media madness: If your company posts information on a social media site discussing signing up a new client, making someone a partner, or even developing business with a new supplier, that information is available for all to see. Using the information provided, bad actors create a social media profile pretending to be a senior official from that partner, client, or supplier requesting data that they claim they need for their own purposes.

Training is key to cybersecurity

In each of the above cases, hackers were inadvertently let into your data without your employee (or executive) ever suspecting a thing. This is why it is essential to make cyber training part of your company practices and protocols. Anyone can be the entry point cybercriminals are looking for. There are a number of companies that specialize in training staff. Avail yourself of a reputable company; it could end up being the best investment you could make.