News stories about data leaks or cybercrime have taken up even more space in the news recently. With more people working remotely, public and private organizations have become even more vulnerable to social engineering scams such as phishing.
Criminal groups have been carrying out various forms of cyber attack, exploiting different vulnerabilities to accomplish goals such as hijacking information or embezzling funds.
But it is not only large organizations that are subject to this type of threat. Small and medium-sized organizations, as well as public institutions and even courts, have also become targets.
The techniques used by criminals to infiltrate systems have become increasingly elaborate. Through messages and e-mails, they pose as major brands or well-known people in order to steal sensitive data and run scams.
But how can this affect your organization? You know that tempting ad for a travel promotion that you received in your corporate email and clicked to see if it was real? This can open your organization's doors to criminals.
Threats related to social engineering are not new. This type of scam was already practiced and grew even more during the pandemic. A survey by Febraban (Brazilian Federation of Banks) indicated a 165% growth in this type of scam in the first half of 2021, compared to the same period last year.
Also according to Febraban, the most common social engineering frauds are WhatsApp scams and phishing. According to the federation, phishing scams had a 26% growth in the first six months of last year.
Phishing is a messaging campaign that seeks to trick users in order to collect credentials or gain access to systems and directories. This type of strategy is always among the main vectors of cyber attacks.
Messages designed according to current themes, or a fake communication about an improper access to your account, can be the gateway for criminals.
Since the start of the pandemic, Covid-19 related communications have been circulated with the intent of stealing information. Fake forms for registration at vaccination posts have been widely used to mislead people.
In this way, these social engineering strategies collect important information that can be used to carry out cyber attacks, or gathered and exposed in forums.
Social media has also become one of the main means employed by criminals to carry out phishing scams. By posing as customer service channels, scammers can get the victim to provide personal information, which can later be used to pull off scams.
Within the corporate context, criminals can send e-mails, and even messages on social networks such as LinkedIn, to share malicious links and steal sensitive data that can be used to carry out attacks.
Since phishing attacks can be targeted to collect data from specific organizations, a practice known as spear phishing, it is in the interest of organizations to prevent people from falling victim to these scams.
As such, organizations are investing in simulations and constant training to raise awareness among their users. Even when they invest in tools that add layers of protection and contain suspicious messages, it only takes one person to fall for this type of scam for security to be compromised.
For this reason, it is very important to make people aware, using simulations, training, and questionnaires to bring digital security issues closer to everyday life.
Only by adopting efficient strategies can organizations deal effectively with attacks. Criminals keep up to date and every day use new technologies to execute their attacks.
Scams such as phishing can be the gateway to executing ransomware attacks, or other cybercrimes. Criminals are currently developing services to facilitate these operations.
As we said earlier, criminals use different methods to trick people in order to achieve their goals. Among them is smishing, a phishing technique that uses text messages.
One of the main methods used by criminals is to send fraudulent text messages related to delivery. Other common lures include text messages that carry false information related to vaccines or financial aid and that link victims to websites that look like official channels of governments, companies, and institutions.
Following the same logic as phishing, smishing exploits people's naivety and carelessness. By clicking on malicious links, victims open the door for criminals to carry out cyber attacks.
Vishing is the verbal version of phishing. Typically this technique is used through phone calls, creating pretexts to obtain information from the victim.
Vishing usually starts where phishing left off. For example, you are looking for some type of product on the Internet, and you enter a site that is not completely secure.
Your interaction with the links on this site attracts the attention of a cybercriminal, who moments later talks to you on the phone. During the conversation he convinces you to provide your credit card details. Usually you only realize that you have been a victim of a scam days later.
This type of phishing scam started to become even more prominent last year.
QR codes, black and white matrix codes that are readable by cell phone cameras, became more popular during the pandemic, and companies saw in them an opportunity to engage consumers and provide services.
One of the biggest examples is the food industry, where restaurants have abandoned paper menus and started allowing customers to scan the codes with their mobile devices.
However, many of the sites that these QR codes direct people to are operated by third-party vendors. As such, scanning a code can connect a phone to a malicious destination, just like clicking on a malicious link.
Thus, people can simply assume that the code and site are legitimate and fall for scams without even realizing it.
Some attackers even overwrite the sites' real codes, changing where users are directed. As a result, the victim lands on a fake page that transmits information, or even directs payments, to the cybercriminals.
Furthermore, applications with malware can be installed without the user noticing, infecting the cell phone and stealing various data.
Do you know what a Deepfake is? Deepfakes use artificial intelligence to imitate the image and voice of real people. This kind of technology has also become part of phishing attacks in recent years.
In order to trick people, criminals use this type of technology to impersonate other people and convince victims to provide confidential data.
A great example is the use of this kind of technology to trick company employees who work remotely. These people become targets because they have virtually no face-to-face contact with other employees and can be tricked through extremely realistic voice imitation.
This is one of the favorite methods of cybercriminals. Because of the ease of creating a fake account and the low cost of maintenance, criminals take advantage of this to carry out various types of scams.
These profiles use the visual identity and reputation of major brands to trick the victims. For example, a consumer comments on the page of a major brand; this draws the attention of the criminal, who uses a fake page to contact this person and run a scam.
In addition to classic phishing, criminals can also engage in racketeering, blackmail victims, and run other types of scams to take advantage of them.
Criminals can use these fake profiles to spread phishing links. In addition, they use terms to lend credibility to the fake profiles, making people really believe that they are dealing with the real brand.
The manipulation of facts and the sharing of fake news has been the subject of much debate these days. Typically, many current affairs are distorted and manipulated to distribute baseless information, which often uses unreliable sources to disseminate controversial and even false information.
People consume information daily, and with the popularization of the Internet, receiving news in real time has become much easier. However, there are negative aspects to the ease of sharing.
It is not common for people to check the sources of news. In this way, when someone receives an urgent news item that deals with current affairs, they are likely to believe it and not seek to question that source.
Thus, criminals use this fake news to spread malicious links, which can allow victims' data to be stolen. In this way, cybercriminals use fake pages that simulate famous news portals to generate even more clicks.
To avoid this kind of problem, people need to be made aware of how to identify this kind of scam. In addition, they need to realize the problems of sharing fake news and the consequences it can bring to society, as well as the cyber risks.
This is an election year in Brazil and this should translate into an increase in the number of fake accounts and other forms of spreading fake news.
To ensure a democratic electoral process in the 2022 elections, the Brazilian bodies that control the ballot are looking to fight against fake news.
To fight against misinformation, large corporations such as Google, Twitter, and Facebook have partnered with fact-checking agencies. In addition, they develop technologies to recognize false information and prevent it from being shared.
However, many technologies developed for social networks also rely on people and moderators. Many reports of content that shares false information go unheard, allowing such posts to remain online for long periods of time.
These platforms are also accused of not acting effectively in other countries. Thus, many tools to combat the spread of false information are not available to all users, which can impact nations differently.
Thus, it is the role of society as a whole to combat misinformation. From organizations, public and private, to government agencies and the general population, it is necessary to stop feeding misinformation.
Thus, fake news can influence elections in many countries. Combined with the information dissemination capacity of social networks, this makes it very difficult to keep this kind of information from circulating.
It is necessary for major corporations to develop methods to quickly identify this false information, and prevent it from being shared and even viewed by other users.
As we know, this year we will have one of the biggest sporting events in the world, the World Cup. In addition, the Winter Olympics in Beijing also attract many tourists and consumers.
All this is a great opportunity for cybercriminals to run opportunistic scams. Whether in direct attacks on organizations, sponsors, participants, or fans, everyone becomes a target for criminals.
Thus, large events can be a great lure for criminals to take advantage of the brands' credibility and run scams. They work by sending fake links and messages, so many consumers can fall victim to phishing scams that seek sensitive information.