Submitted by: Martin Straub

You might be asking yourself if you need to read yet another article about cybersecurity. If you consider cyberthreats to be an evolving game of warfare, as the criminals do, then yes: the more you educate yourself and your employees about likely threats, the better your defenses.

The sad truth is that cyberthreats are here to stay. With the rise of AI and the persistence of bad actors, the risks continue to evolve and grow more sophisticated. The good news is that you don’t need to call in an army of cybersecurity experts or spend more money on more tools; arming yourself with knowledge and exercising caution remain among the most effective ways of protecting your organization.

In interactions with our clients, we continue to see an increase in the sophistication of social engineering and email manipulation. Those techniques, combined with the diminishing effectiveness of multifactor authentication, have contributed to increases in fraud, mostly perpetrated through email communication.

What is social engineering?

Social engineering is a form of cyberattack that exploits human psychology and trust to manipulate people into divulging sensitive information, clicking on malicious links, or transferring money to fraudulent accounts. Social engineering attacks often rely on email as the main channel of communication, because it is easy to impersonate legitimate senders and create a sense of urgency or authority. An increasing trend is domain spoofing, often undertaken after a bad actor has breached an email account and read the correspondence between two individuals.

How does domain spoofing work?

One of the most common and effective techniques of social engineering is domain spoofing, which involves creating a fake website or email address that looks identical or very similar to a real one. In a simple example, a hacker might register a domain name that differs from the original by one letter, such as paypa1.com instead of paypal.com, and use it to send phishing emails to unsuspecting users. The emails might ask the recipients to verify their account details, reset their password, or confirm a transaction by clicking on a link that leads to the fake website. Once the users enter their credentials or payment information, the hacker can access their accounts and steal their money or data.

A more sophisticated example occurs after a breach of an individual’s account. The bad actor looks for correspondence that indicates a transactional relationship between two parties, then creates a look-alike domain and begins interacting with one of the parties from an account (complete with email signature) that almost exactly resembles the legitimate one. This technique often also involves creating mailbox rules that hide legitimate messages, making it harder to notice that a breach has occurred. And because most of us now use multifactor authentication, many people have let their defenses down, assuming that their accounts are unlikely to have been compromised.
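The mailbox rules mentioned above are one of the first things to look for when a breach is suspected. The following is an added example (not code from the newsletter or from any mail platform) that reviews a list of exported rules for the classic hiding patterns: mail moved to folders nobody opens, mail deleted or marked read, and mail forwarded to an outside address. The rule format is a constructed, platform-neutral shape (name, conditions, actions); a real rules export would have to be mapped into it first.

```python
"""Review exported mailbox rules for the hiding and forwarding patterns
seen after an email account breach.

Added example; it is not code from the newsletter or from any mail
platform. The rule format below is a constructed, platform-neutral
shape (name, conditions, actions) that an export would be mapped into.
"""

# Folders that users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"deleted items", "rss subscriptions", "rss feeds",
                  "junk email", "archive", "conversation history"}

# Subject terms that commonly appear in the invoice and payment threads
# a fraudster wants to keep out of the victim's sight.
MONEY_TERMS = ("invoice", "payment", "wire", "bank", "remit", "password")


def review_rule(rule: dict, internal_domain: str) -> list[str]:
    """Return the reasons a single rule deserves a closer look (empty if none)."""
    reasons = []
    name = rule.get("name", "").strip()
    if len(name) <= 1:
        reasons.append("blank or one-character rule name")

    actions = rule.get("actions", {})
    folder = (actions.get("move_to") or "").strip().lower()
    hides = False
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{actions['move_to']}'")
        hides = True
    if actions.get("delete"):
        reasons.append("deletes matching mail")
        hides = True
    if actions.get("mark_read") and hides:
        reasons.append("marks hidden mail as read so no unread count appears")

    external = [a for a in actions.get("forward_to", [])
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    # Keyword targeting only matters when the rule also hides or exfiltrates.
    if hides or external:
        terms = rule.get("conditions", {}).get("subject_contains", [])
        hits = [t for t in terms if any(m in t.lower() for m in MONEY_TERMS)]
        if hits:
            reasons.append("filters on money/credential terms: " + ", ".join(hits))
    return reasons


def review_rules(rules: list[dict], internal_domain: str) -> list[tuple[int, str, list[str]]]:
    """Return (index, name, reasons) for every rule with at least one finding."""
    flagged = []
    for i, rule in enumerate(rules):
        reasons = review_rule(rule, internal_domain)
        if reasons:
            flagged.append((i, rule.get("name", ""), reasons))
    return flagged


# Constructed sample: three rules as they might come out of a rules export.
SAMPLE_RULES = [
    {"name": ".",
     "conditions": {"from_contains": ["vendor-billing.example.net"]},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
    {"name": "Newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Reading"}},
    {"name": "Invoices",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["accounts@mail-relay.example.org"], "delete": True}},
]

if __name__ == "__main__":
    for index, name, reasons in review_rules(SAMPLE_RULES, "example.com"):
        print(f"rule #{index} {name!r}:")
        for r in reasons:
            print("  -", r)
```

Run against the constructed sample with `example.com` as the organization's own domain, the first and third rules are flagged (blank name plus hiding; external forwarding plus deletion of invoice mail) while the ordinary "Newsletters" rule passes.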

Why is multifactor authentication not enough?

Multifactor authentication (MFA) is designed to prevent unauthorized access to accounts even if the password is compromised. However, MFA is not 100% foolproof, as hackers can still bypass it using various methods. For instance, hackers can use SIM swapping, which transfers the victim’s phone number to a new SIM card so that the verification codes sent to that phone can be intercepted. More commonly of late, hackers use malware or keyloggers to capture the codes or security tokens from the user’s device or browser. Another way hackers defeat MFA is by exploiting the human factor: convincing the user to disable MFA, share their codes, or click on a fake MFA prompt. MFA fatigue is yet another method, in which the attacker sends repeated MFA requests to a user who eventually accepts the prompt without questioning where it came from.
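Of the bypasses listed above, MFA fatigue is the one that leaves a clear trace in authentication logs: a burst of push prompts to one user, usually denied or ignored, followed by an approval. The following is an added example (not code from the newsletter or from any identity provider) that detects that pattern. The log line format and the thresholds (four or more prompts inside ten minutes) are constructed for illustration; a real deployment would map its provider's push events into the same (timestamp, user, result) triples.

```python
"""Detect MFA push floods ("MFA fatigue") in authentication logs.

Added example; it is not code from the newsletter or from any identity
provider. The log line format and the thresholds are constructed for
illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO-8601 UTC timestamp, user, event, result.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+user=(?P<user>\S+)"
    r"\s+event=mfa_push\s+result=(?P<result>approved|denied|timeout)\b"
)


def parse_push_events(lines):
    """Yield (timestamp, user, result) for MFA push lines; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["result"]


def detect_push_floods(lines, max_prompts=4, window=timedelta(minutes=10)):
    """Return {user: finding} for users who received max_prompts or more pushes
    inside any window. 'approved_after_refusals' marks the dangerous case: the
    user finally accepted after denying or ignoring earlier prompts in the burst."""
    by_user = defaultdict(list)
    for ts, user, result in parse_push_events(lines):
        by_user[user].append((ts, result))

    findings = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits inside it.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count < max_prompts:
                continue
            burst = events[start:end + 1]
            refusals = sum(1 for _, r in burst if r != "approved")
            f = findings.setdefault(
                user, {"max_prompts_in_window": 0, "approved_after_refusals": False})
            f["max_prompts_in_window"] = max(f["max_prompts_in_window"], count)
            if burst[-1][1] == "approved" and refusals >= 1:
                f["approved_after_refusals"] = True
    return findings


# Constructed sample log: alice is bombarded and finally taps "approve",
# carol ignores four prompts, bob has one normal approval.
SAMPLE_LOG = """\
2024-05-02T08:12:03Z user=alice event=mfa_push result=denied
2024-05-02T08:12:40Z user=alice event=mfa_push result=denied
2024-05-02T08:13:15Z user=alice event=mfa_push result=timeout
2024-05-02T08:13:50Z user=alice event=mfa_push result=denied
2024-05-02T08:14:30Z user=alice event=mfa_push result=denied
2024-05-02T08:15:10Z user=alice event=mfa_push result=approved
2024-05-02T08:20:00Z user=bob event=password_login result=success
2024-05-02T08:20:05Z user=bob event=mfa_push result=approved
2024-05-02T09:00:00Z user=carol event=mfa_push result=timeout
2024-05-02T09:02:00Z user=carol event=mfa_push result=timeout
2024-05-02T09:04:00Z user=carol event=mfa_push result=timeout
2024-05-02T09:06:00Z user=carol event=mfa_push result=timeout
""".splitlines()

if __name__ == "__main__":
    for user, finding in detect_push_floods(SAMPLE_LOG).items():
        print(user, finding)
```

Both alice and carol are reported because each saw a burst of prompts, but only alice's finding carries `approved_after_refusals`, which is the case that warrants an immediate password reset and session review; carol's burst with no approval is a sign that someone holds her password and should be followed up as well.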

How to prevent social engineering scams?

Social engineering scams are becoming more sophisticated and prevalent, as hackers constantly adapt to new technologies and security measures. Therefore, it is important for businesses and individuals to be aware of the risks and take preventive actions. Some of the best practices to avoid falling victim to social engineering scams are:

  • Always carefully check the sender’s email address and the domain name of the website for any discrepancies or typos.
  • Never click on links or attachments from unknown or suspicious sources and verify the authenticity of the sender before responding to any requests.
  • Use strong and unique passwords for different accounts and change them regularly.
  • Enable MFA whenever possible, and do not share or reuse verification codes.
  • Be wary of any email that asks for personal or financial information or creates a sense of urgency or pressure.
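The first item in the list above, checking the sender's address for look-alike domains, can be partly automated. The following is an added example (not code from the newsletter) that checks a sender address against a short trusted list and goes beyond the one-letter paypa1.com case from the article: it folds common character substitutions, catches a one-letter typo or added/dropped letter by edit distance, and spots a trusted domain planted as a subdomain of an unrelated one. The trusted list and the sample addresses are constructed, and the "registrable domain" logic keeps only the last two labels (no public-suffix list), an assumption that is wrong for suffixes such as co.uk.

```python
"""Check a sender address against trusted domains and flag look-alikes.

Added example; not code from the newsletter. TRUSTED and the sample
addresses are constructed. registrable() keeps the last two labels only
(no public-suffix list), which is an assumption.
"""
import re

# Substitutions commonly used to imitate letters in look-alike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s"}

TRUSTED = {"paypal.com", "example.com"}   # constructed allow-list


def fold(label: str) -> str:
    """Collapse look-alike characters so 'paypa1' and 'paypal' compare equal."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for one-letter typos and added/dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name (assumption: no multi-label public suffixes)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_sender(address: str, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain_or_None)."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid", None
    host = m.group(1).lower()
    domain = registrable(host)
    if domain in trusted:
        return "trusted", domain
    for t in sorted(trusted):
        # Trusted domain planted as a subdomain of an unrelated domain.
        if host.startswith(t + "."):
            return "lookalike", t
        name, tname = domain.split(".")[0], t.split(".")[0]
        # Same name after folding substitutions, or within one edit of a
        # reasonably long trusted name (short names would match too much).
        if fold(name) == fold(tname) or (len(tname) >= 5 and edit_distance(name, tname) <= 1):
            return "lookalike", t
    return "unknown", None


# Constructed sample addresses exercising each verdict.
SAMPLE_ADDRESSES = [
    "support@paypal.com",
    "billing@paypa1.com",
    "alerts@paypal.com.account-check.net",
    "promo@unrelated-shop.org",
    "not an address",
]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:40} -> {classify_sender(addr)}")
```

A "lookalike" verdict is a prompt for a human check, not proof of fraud: confirm the request by a known phone number before acting on it, exactly as the list above advises.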

The most effective technique continues to be awareness. Educate yourself and your employees about the latest trends and techniques of social engineering. Don’t assume that new employees are familiar with the risks; they are often the most susceptible, because they do not yet know other employees’ names or the company’s vendors and are eager to please in their new roles. Reinforce with all employees and new hires the importance of questioning every unfamiliar email or financial request and reporting any suspicious message to their IT support for further investigation.

Cybersecurity threats are an ongoing and evolving concern. If you would like to learn more, or provide training for your team, we can help. We work with businesses to provide information and training to ensure that all employees are wary of threats and know how to act should they suspect a scam. Contact SimplePowerIT at (509) 433-7606 for a free initial consultation.

Categories: Newsletter
