Phishing is today’s biggest cybersecurity threat. Cybercriminals are constantly revising and upgrading their tactics to take advantage of fortuitous circumstances, and a fresh spate of GDPR compliance phishing scams highlights their ability to capitalize on human error, as we’ve seen this year to chilling effect.
Bad actors specialize in taking advantage of fear, uncertainty, complexity, chaos, and misinformation. The COVID-19 pandemic was exactly the kind of tumultuous world event that enables bad actors to thrive. But an event or concern doesn’t have to be that epic to drive cybercrime. Savvy cybercriminals can use social engineering to turn something as routine as compliance into a phishing bonanza.
Advice for avoiding data privacy violations
GDPR is a specter that haunts many compliance officers and business owners. A wide web of communications on the subject allows inaccurate information to proliferate. The complex nature of GDPR requirements, regulations, and guidance is a source of stress. With stories regularly hitting the press about big fines for data privacy violations, these factors have combined to create a situation that makes businesses more likely to look for advice from a firm that specializes in GDPR compliance, especially when making changes to their cybersecurity suite.
That’s exactly what has happened recently to many businesses operating under the GPDR umbrella. Helpful specialist firms that specialize in GDPR compliance are reaching out to let businesses know that the email security system they’re currently using doesn’t meet today’s GDPR compliance standards. One example of this has been a GDPR compliance specialty firm that spotted a problem, and looked to help the non-compliant business resolve this fast.
Understanding the nature of the threat
Except, they’re not really GDPR compliance specialists or even real service businesses – they’re cybercriminals, and the only thing they’re serving up is cybersecurity disaster. These messages are especially likely to target business owners, executives, and other individuals within organizations that could be expected to have highly privileged email accounts, giving the bad actors the maximum return on their email scam investment.
First caught by Area 1 Security on August 31, a common GDPR email security phishing message preys on misconceptions regarding the relatively recent, yet stringent data protection law to create a sense of urgency and fear in recipients. It is low-hanging fruit – GDPR regulations are known to be strict, notoriously complicated, and rife with red tape, so it’s not a hard sell. No one wants the headaches that come with non-compliance, so they’re likely to be receptive to the fake offer of “help” with their company’s “problem”.
Then the cybercriminals pounce, using highly convincing messages and landing pages to encourage the target to begin fixing the problem by filling in some information and handing over their email credentials. Typically, these scams use a poisoned link to drive victims to fill out an HTML form or provide information that enables the “specialist” to make necessary changes. Unfortunately, that also includes the credentials for the target’s email account.
Be aware of the common clues
All of this is presented very reasonably, making it an easy social engineering attack to fall for. Some variations of the scam even spoof internal company emails, with the cybercriminals posing as corporate IT techs that are performing routine maintenance, including the right graphics, header, signatures, and other details that make it convincing.
Targeted executives or other power users may even arrive at a landing page that’s personalized just for them, with many relevant details already populated so they only need to provide a few things to finalize the upgrades. However, small flaws often enable observant staffers to spot the fakery. Some potential clues include:
- Small mistakes in spelling, punctuation, usage, or grammar
- Color palettes and fonts that are just a little bit off
- Images like signatures or headers that are blurry
- A failure to properly use industry lingo
- Misidentifying company departments or workers
- An address from a free email service provider like Gmail
- Emails and landing pages that use unfamiliar formats
A recipient that is alert to cybersecurity dangers, especially phishing scams, can generally easily detect that the message isn’t really from their company’s internal IT department, or even a legitimate firm at all – saving their company from an expensive, messy disaster.
Keep up your guard
How are the cybercriminals getting this data? Unauthorized access can typically be traced to an insider threat like phishing or password compromise. By upgrading (and updating) security awareness training, companies can reduce the chance of insider threats like these giving cybercriminals the in that they’re looking for to deploy ransomware or steal data.
It’s not just malicious insiders that need to be considered when planning a data loss prevention strategy. Well-intentioned but careless employees can easily cause as much if not more damage as a malicious insider – human error is the number one cause of data loss. These solutions mitigate the risk of an employee’s error resulting in a data breach.
How can businesses be sure that every user on their network has their eyes open for those little mistakes? Through consistent, effective security awareness and phishing resistance training. Security awareness training can lower a company’s chance of experiencing a damaging cybersecurity incident, but this only works if it’s regularly refreshed. A recent experiment found that subjects only retain the awareness created by phishing resistance training for about four months before improvements are lost.
Learn from 2020 and move on
Cybersecurity will never be the same after the events of this year. The global pandemic and economic fallout have left the Dark Web more dangerous than ever before. This means it is crucial to analyze everything that may have gone wrong in the past, especially at the intersection of cybersecurity and COVID-19, in order to be prepared for potential cybersecurity challenges ahead.
Although 2020 has been a banner year for cybercrime, especially ransomware, companies that have invested in digital risk protection are better able to face the growing number of cybersecurity threats. From security awareness training to backup and disaster recovery solutions, organizations need to take a comprehensive approach to security to ensure there are no weak links in their security efforts.
Mike Puglia, Chief Strategy Officer, Kaseya