Ed. Note: This is the latest in a series of articles, Cybersecurity: Tips from the Field, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity and digital forensics services.
The state of phishing in 2024
It may have a strange name, but we enjoy reading this report from Proofpoint every year. The report is based on a survey of 7,500 end users and 1,050 security professionals. According to this year's report, 71% of users admitted to engaging in risky behaviors such as reusing or sharing passwords, clicking links from unknown senders, and giving their login credentials to strangers, and 96% of them knew they were taking a risk. If this doesn't convince you that your employees need to undergo cybersecurity awareness training at least once a year, we don't know what will.
More than 1 million attacks are launched every month using the MFA (multi-factor authentication) bypass framework Evil Proxy, and yet 89% of security experts believe that MFA provides complete protection against account takeover. Our own view is that while MFA is not a perfect solution, it is much better than no MFA, and the more secure the MFA, the better.
69% of organizations have been infected with ransomware. It remains an epidemic. For about $35, anyone, however unskilled, can buy a Ransomware-as-a-Service toolkit and wreak havoc.
Lessons learned from the current state of phishing
One of the most valuable lessons concerns the three major elements that cybersecurity awareness training (thankfully, 99% of respondents said they received such training) should cover: remote work, password hygiene, and internet safety. Less than a third of training programs covered all three.
The top training topics were malware, Wi-Fi security, ransomware, and email phishing. While all of these are important, they do not cover the full range of risks. Where was phishing by SMS text? Where were deepfake audio and video? Where was the social engineering of employees?
We were surprised to see that only 34% of respondents conducted mock phishing attacks. Simulated phishing attacks are very useful not only for educating your employees, but also for identifying which employees engage in the riskiest behavior.
Emerging threat landscape
Unsurprisingly, many of the attacks were phishing, business email compromise (BEC), and ransomware. All of these remain ongoing problems.
However, there are growing threats to deal with. One is Telephone-Oriented Attack Delivery (TOAD), in which the message appears harmless and contains only a phone number and some false pretext. Once the victim calls the listed number for help, the attack chain begins.
Make no mistake: cybercrime call centers operate all over the world, convincing victims to grant remote access, divulge sensitive information and credentials, or infect their organizations with malware. According to Proofpoint data, an average of 10 million TOAD messages are sent each month.
Attacks are increasingly using sophisticated techniques to circumvent MFA. How do they work? A proxy server sits between the victim and the real login page and intercepts the MFA token, allowing the attacker to bypass the protection provided by one-time codes and biometrics. This is a big issue, as 89% of cybersecurity professionals still consider MFA a “silver bullet” against account takeovers.
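The following simulation is an added example, not code from the original column or from Proofpoint. It models why a relay proxy can reuse a one-time code the victim types into a look-alike page, while an origin-bound authenticator (the WebAuthn/FIDO2 approach) signs the origin the browser is actually on, so a relayed assertion is rejected. All origins, secrets and keys are constructed values.

```python
import hashlib
import hmac

# Constructed values for the simulation; not real secrets or sites.
LEGIT_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.test"  # look-alike page served by the relay
OTP_SECRET = b"constructed-shared-secret"
DEVICE_KEY = b"constructed-authenticator-key"


def otp_code(secret: bytes, step: int) -> str:
    """A 6-digit code from a shared secret and a time step (simplified HOTP/TOTP)."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


def server_accepts_otp(step: int, code: str) -> bool:
    """The real site only checks the code; it cannot tell who typed it, or where."""
    return hmac.compare_digest(code, otp_code(OTP_SECRET, step))


def authenticator_sign(challenge: bytes, browser_origin: str) -> tuple[str, bytes]:
    """Origin-bound authenticator: the browser, not the user, supplies the origin it is on."""
    sig = hmac.new(DEVICE_KEY, challenge + browser_origin.encode(), hashlib.sha256).digest()
    return browser_origin, sig


def server_accepts_assertion(challenge: bytes, signed_origin: str, sig: bytes) -> bool:
    """The real site checks the signature AND that the signed origin is its own."""
    expected = hmac.new(DEVICE_KEY, challenge + signed_origin.encode(), hashlib.sha256).digest()
    return signed_origin == LEGIT_ORIGIN and hmac.compare_digest(sig, expected)


def relay_otp(step: int) -> bool:
    """Victim types the OTP into the proxy page; the proxy forwards it unchanged."""
    typed_by_victim = otp_code(OTP_SECRET, step)
    return server_accepts_otp(step, typed_by_victim)


def relay_origin_bound(challenge: bytes, tamper: bool = False) -> bool:
    """Victim's browser is on the proxy origin, so the assertion is bound to that origin."""
    origin, sig = authenticator_sign(challenge, PROXY_ORIGIN)
    if tamper:  # proxy rewrites the origin field but cannot re-sign without the device key
        origin = LEGIT_ORIGIN
    return server_accepts_assertion(challenge, origin, sig)


def direct_origin_bound(challenge: bytes) -> bool:
    """Victim is on the genuine site: origin matches and the signature verifies."""
    origin, sig = authenticator_sign(challenge, LEGIT_ORIGIN)
    return server_accepts_assertion(challenge, origin, sig)
```

The OTP relay succeeds because nothing in the code ties it to the page it was typed into; the origin-bound assertion fails whether the proxy forwards it as-is or edits the origin field.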
Finally, the use of QR codes has increased (just in case you were wondering, we've been preaching for years that when you scan a QR code, you don't actually know where it goes). With so many people scanning QR codes all the time, we think it's only getting worse. They simply don't recognize the danger. Scanning a QR code can lead to a phishing site or a malware download.
AI is now part of the threat
Artificial intelligence (AI) facilitates cyberattacks. For one thing, you're far less likely to see the misspellings and grammar mistakes that used to give phishing emails away. And are all AI tools transparent about what happens to the data you input? In many cases, they are not.
There is now a connection between BEC attacks and AI, as attackers use AI to create more persuasive and personalized emails in many languages. According to data from Proofpoint, an average of 66 million targeted BEC attacks occur each month.
More bad news?
Of course! Microsoft is the most abused brand in malicious email, but companies like Adobe, DHL, Google, AOL, DocuSign, and Amazon have similar issues. We are particularly troubled by phishing emails purporting to come from DocuSign and Amazon.
And our old “friend” ransomware is still a big problem, with 69% of businesses (up 5% from last year) facing a ransomware attack. 96% of those who have suffered a ransomware attack currently have cyber insurance. This certainly suggests that cyber insurance is a must-have for all businesses, including law firms.
The last word
Brian Krebs, a well-known cybersecurity expert, said: “If you didn't go looking for it, don't install it.” A good safety rule.
Sharon D. Nelson (snelson@Senseent.com) is a practicing attorney and president of Sensei Enterprises, Inc. She is also a past president of the Virginia State Bar, Fairfax Bar Association, and Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek (jsimek@Senseent.com) is Vice President of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), and a nationally recognized expert in the field of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia, office.
Michael C. Maschke (mmaschke@Senseent.com) is CEO/Director of Cybersecurity and Digital Forensics at Sensei Enterprises, Inc. He is an EnCase Certified Examiner, Certified Computer Examiner (CCE #744), Certified Ethical Hacker, and AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.