The Human Factor: Cyberattacks

Security

May 2, 2024

Organizations are more vulnerable to cyberattacks as users increasingly connect to more technologies, systems, and networks. An organization’s employees are typically the first line of defense against cyberattacks, which makes them prime targets for threat actors attempting to exploit human weaknesses. Threat actors first perform reconnaissance to gather information about a target organization and identify potential vulnerabilities, including details of key employees. They then target legitimate and trusted individuals through various social engineering schemes, including email, text messaging, and phone calls, making fraudulent requests designed to convince the target to divulge sensitive information, such as account login credentials.

The NJCCIC reported on various scams in the past in which threat actors targeted and impersonated executives, the human resources department, the information technology (IT) department, fellow employees, and more. Threat actors continue to target and impersonate legitimate and trusted individuals in an organization, including state and government employees. For example, threat actors impersonated representatives in the Attorney General’s Office in Oklahoma. They targeted Oklahoma citizens via fraudulent phone calls to inform them that they had won a monetary prize and had to pay a fee to obtain the award. The US Department of State also warned of a fraudulent scheme in which threat actors targeted payroll accounts via phishing, email account takeovers, and social engineering. The scheme first targeted annuity accounts linked to employees’ pension plans. The threat actors created and spoofed the annuitants’ email accounts to request changes to the direct deposit accounts. The scheme later targeted employees to obtain information and compromised employee accounts to change the bank deposit information. The threat actors redirected payroll deposits from the annuitants’ and employees’ bank accounts to attacker-controlled accounts.

Threat actors employed sophisticated social engineering techniques against IT help desks to gain unauthorized access to systems. They made phone calls from an area code local to the target organization and claimed to be an employee in a financial role. The threat actors "verified" the impersonated employee’s identity by providing sensitive personal details, most likely obtained from professional networking sites, publicly available information sources, and data breaches. They then claimed their phone was broken and convinced the IT help desk representative to enroll a new device in multi-factor authentication. After enrolling the device and gaining access to business resources, the threat actors targeted login information for payer websites to divert legitimate payments to attacker-controlled US bank accounts, from which the funds were later transferred to overseas accounts.
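The help-desk chain above leaves two log entries that, taken together, are far more telling than either alone: a new MFA device enrolled on a help-desk ticket, followed shortly by a change to where money is sent. The following detection logic is an added example, not code from the NJCCIC advisory; the event field names, the three-day correlation window, and the sample events are all constructed assumptions, and a real deployment would read the identity provider's audit log and the payroll or accounts-payable change log instead.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumption: one normalized record per event,
# merged from the IdP audit log and the payment-destination change log).
EVENTS = [
    {"ts": "2024-04-01T09:12:00", "user": "jdoe", "type": "mfa_enroll",
     "via": "helpdesk", "role": "finance"},
    {"ts": "2024-04-01T10:40:00", "user": "jdoe", "type": "payment_dest_change"},
    {"ts": "2024-04-02T08:00:00", "user": "asmith", "type": "mfa_enroll",
     "via": "self_service", "role": "engineering"},
    {"ts": "2024-04-03T11:00:00", "user": "asmith", "type": "payment_dest_change"},
    {"ts": "2024-04-05T14:00:00", "user": "bwong", "type": "mfa_enroll",
     "via": "helpdesk", "role": "finance"},
]

# Assumption: a help-desk enrollment followed by a payment change within this
# window is reviewed before the change takes effect.
WINDOW = timedelta(days=3)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_suspicious_chains(events, window=WINDOW):
    """Return one alert per user whose help-desk MFA enrollment is followed
    within `window` by a payment-destination change.

    Self-service enrollments are not flagged: the scheme described above
    depends on the help desk adding a device on the attacker's behalf.
    Finance-role users are marked high severity because the impersonated
    employee in the scheme claimed a financial role.
    """
    helpdesk_enrollments = {}  # user -> (enrollment time, role)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "mfa_enroll" and ev.get("via") == "helpdesk":
            helpdesk_enrollments[ev["user"]] = (_parse(ev["ts"]), ev.get("role"))
        elif ev["type"] == "payment_dest_change":
            hit = helpdesk_enrollments.get(ev["user"])
            if hit and timedelta(0) <= _parse(ev["ts"]) - hit[0] <= window:
                alerts.append({
                    "user": ev["user"],
                    "enrolled_at": hit[0].isoformat(),
                    "changed_at": ev["ts"],
                    "severity": "high" if hit[1] == "finance" else "medium",
                })
    return alerts
```

Alerts from this check are a trigger for the out-of-band confirmation in the recommendations below, not proof of compromise: a legitimate employee may well replace a phone and update banking details in the same week.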

Threat actors also combined social engineering with artificial intelligence to generate audio deepfakes for executive impersonation fraud campaigns targeting employees. A LastPass employee received numerous phone calls, text messages, and an audio deepfake voicemail from a threat actor impersonating the company’s CEO. The employee recognized the scam and did not fall victim because the communications came through WhatsApp, which is not a typical business platform. Instead of responding to the messages, the employee ignored the communications and reported the incident. This example highlights not only that organizations become victims of cyberattacks, but also that a victim organization can in turn affect other organizations that depend on it as a third-party vendor or for critical infrastructure services.

Reported losses to business and government impersonation scams topped $1.1 billion in 2023, more than three times the amount reported in 2020. Due to the increased number of reported scams and losses and the emerging use of AI technology in impersonation scams, the FTC recently finalized a rule on business and government impersonation that allows it to file federal court cases seeking monetary relief for victims and civil penalties against rule violators.

Recommendations

  • Participate in security awareness training to help better understand cyber threats, provide a strong line of defense, and identify red flags in potentially malicious communications.
  • Do not respond to messages, click links, or open attachments from unknown or unverified senders, and exercise caution with emails from known senders.
  • Confirm the legitimacy of requests by contacting the sender via a separate means of communication, such as by phone, using contact information obtained from official sources before responding, divulging sensitive information, or providing funds.
  • Navigate directly to legitimate websites and verify websites before submitting account credentials or providing personal or financial information.
  • Use strong, unique passwords and enable multi-factor authentication where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Reduce your digital footprint so that threat actors cannot easily target you.