The state of people and cybercrime is reaching new heights. What do we mean by this? Cybercriminals are mastering the art and science of behavior manipulation. Phishing and other methods of social engineering are so prevalent that Proofpoint announced that 99% of all cyber-attacks need human intervention to proceed.
To counter this, security awareness training in 2019 now offers a human-centric approach to cybersecurity issues. Vendor KnowBe4’s report on security awareness trends found that 96% of organizations believe that phishing emails are the biggest security threat to their business. Analyst Juniper Research pointed out in 2019 that social engineering is a force to be reckoned with.
During 2019, the use of social engineering took center stage in the world of cybersecurity threats. You could say it's now the biggest threat affecting the state of people and cybercrime. The 2019 Verizon Data Breach Investigations Report makes the point: it shows that 32% of data breaches are initiated through phishing and that 94% of malware incidents are delivered via email.
A report from FireEye shows an increase in the use of behavioral control to execute cybercrimes in 2019. The report's findings include:
Social engineering was also used in 2019 as a means to expand the range of cybercrime types. For example, social media platforms became a focus of some fraudsters. Social media-based schemes such as money muling were used to sell stolen data or perform fraudulent money transfers. Europol arrested 228 individuals in a large international operation involving unwitting people recruited through social media platforms like Instagram to participate in cybercrime. Social media crimes alone are earning fraudsters a staggering $3.25 billion in revenue. In addition, 1 in 5 malware infections has a social media origin.
Because social engineering targets employees, 76% of organizations are now claiming that the “enemy within” is behind the biggest and most persistent security threats. This refers to employees clicking on phishing links, downloading malware-infected attachments and sharing passwords, etc.
Although there are countless examples of people being used to perpetrate cybercrime in 2019, these three really stick out as prime examples.
A CEO of a British firm handed over $240,000 to a fraudster believing it was a request from the head of the parent company. The attack involved the alleged use of a deepfake voice to trick the CEO, as part of a BEC cyber-attack.
In 2019, a number of U.S. cities and over 500 schools were targeted in ransomware campaigns. This included Lake City, Florida, which paid a ransom of $460,000. Most recently, New Orleans was placed under a state of emergency when hit with a ransomware infection. Social engineering techniques such as phishing and spear-phishing still reign supreme in ensuring ransomware is successfully installed onto a network.
Transportation, storage and logistics were top target industries for cybercriminals in 2019. Among the techniques used to attack this sector were those that involved a human element. Mimecast found that impersonation attacks accounted for 26% of all detected threats. Many focused on voice phishing, or ‘vishing’, which uses social engineering to steal personal and financial information via telephone.
The evidence speaks for itself: social engineering works. Cybercrime with a social engineering element, in other words cybercrime that relies on people, will continue to be big in 2020. Phishing kits and other ‘Cybercrime-as-a-Service’ tools are making attacks that manipulate human behavior easier to perpetrate. We should expect this trend to continue into 2020. Anything that makes a cybercriminal’s life easier and increases the chance of a successful cyber-attack will quickly become a preferred method. The mix of accessible tools of the cybercrime trade, coupled with human fallibility when behavior is manipulated, is a perfect storm for malware infection and data breaches.
Deepfakes may well play an increasingly important role in social engineering during 2020 and beyond. The BEC fraud mentioned earlier, which involved a deepfake voice, showed their dangerous potential. This cyber-threat is the ideal candidate for the application of socially engineered and deepfake-enabled cyber-attacks. Another area that fits the deepfake mold is sextortion scams. These scams are increasing in number and, like ransomware, extort money from victims. Sextortion involves pretending to have a video of the victim in a compromising position. If deepfakes are used to create an actual fake video of the victim, expect ransoms to increase in dollar amount and extortion attempts to succeed more often.
People are the ultimate tool in the cybercriminal’s arsenal. By using social engineering, social grooming and deepfakes, we should expect the human element of cybersecurity to remain a key part of cybercrime in 2020.