The attack started because an employee clicked a spearphishing link, a fake link that opened the door to the hackers. They accessed the IT and then industrial networks. The immediate effect was that hackers encrypted data on the victim's networks. The company was unable to read real-time data, prompting a shutdown lasting two days. Both IT and industrial processes were attacked.
Whereas in the past attackers would send phishing scams from email accounts external to an organization, recently there has been an explosion of email-borne scams in which attackers compromise email accounts within an organization and then use those accounts to send phishing emails to fellow employees, the kind of attack known as lateral phishing. FBI data show that these cyberattacks caused more than $12 billion in losses between 2013 and 2018, and in the last two years the attacks have resulted in a 136 percent increase in losses.
Privacy laws, like any other infosecurity control, have exploitable vulnerabilities. For social engineering purposes, GDPR has a number of real benefits. Firstly, companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply, so fear of failure and time are strong motivating factors.
From the bedroom of the Leicestershire home he shared with his mother, Kane Gamble used “social engineering” to access the personal and work accounts of some of America's most powerful spy chiefs.
As banks have upped their security systems, fraudsters have realised mobile phone security is much easier to get around, and can be the key to accessing a bank account. The cases should serve as a warning to anyone who uses their mobile phone to verify themselves to their bank – by one-time passcodes or similar.
Often overlooked by information security providers, impersonation attacks are an easy and effective way to gain trust through a combination of social engineering and technical means.
Technology breeds crime—it always has and it always will. There are always going to be people willing to use technology in a negative, self-serving way. So today it’s much easier, whether it’s forging checks or getting information.
LinkedIn is a treasure trove of easily accessible personal information and company IT data. Unbeknownst to most of the employees who post their information on LinkedIn, any hacker looking to wreak havoc on a company’s highly sensitive, business-critical data could find his or her point of entry using this ubiquitous business networking forum.
Twitter is an incubator of phishing thanks largely to the prevalence of typos and shortened URLs that make it hard for users to know exactly where links are taking them.