Is our love for convenience denting the cybersecurity armour of the organizations we work at? This and other matters were discussed with Proofpoint's Jennifer Cheng, who also noted that Singapore's PM Lee was not spared from being deepfaked to promote investment scams.
Employees need to understand that they play a significant role in their organization's cybersecurity defence, and that a single risky action can lead to a breach or disrupt business. This was one of the conclusions Proofpoint drew from its 2024 State of the Phish report, which found that a love for convenience sees 7 in 10 users taking risky actions online, even though 99% understand that those actions might compromise their organization's cybersecurity.
Jennifer Cheng, Director of Cybersecurity Strategy for Asia Pacific and Japan, added, “These findings from the 2024 State of the Phish report prove that security awareness remains essential to every organization’s security strategy, but it cannot be the sole consideration in protecting people from cyber threats.”
When asked, Jennifer explained, “There isn’t necessarily anything that causes inconvenience in the traditional sense.
“Instead, this convenience stems more from people taking the easiest route possible and using the least amount of effort to get work done or achieve personal gain.”
Some examples include scams where threat actors send victims a phishing link via email or SMS promising discounts or good deals on products. In the financial services industry (FSI) and banking, there have been cases where victims are tricked into believing they are receiving a message from their bank about mysterious transactions made with their account. "But they do not take time to verify the link provided before entering their password and details into a fraudulent website," Jennifer explained.
Raising vigilance against social engineering
Social engineering is a tactic that Proofpoint threat researchers have observed in almost every single threat in today’s landscape – especially those that involve digital communications.
According to the Annual Scams and Cybercrime Brief 2023 by the Singapore Police Force (SPF), the top five contact methods bad actors use are social media platforms (Instagram, Facebook, TikTok), messaging platforms (Telegram, WhatsApp), phone calls, online shopping platforms (Carousell, Shopee), and various websites.
Bank-related and investment scams typically account for the largest financial losses of any scam type. In the same SPF report, a total of SGD204.5 million was lost to investment scams.
However, the retail industry also needs to be wary, as e-commerce scams are the second most prevalent scam type in the country, accounting for about SGD13.9 million lost in 2023. While this is significantly less than the amount lost to investment scams, the number of cases reported is 2.4 times higher, at almost 9,800 cases.
Connivingly convincing deep fakes
When asked about the infamous incident of the Hong Kong finance worker who was duped into releasing a huge amount of funds after sitting in an online meeting with their colleagues, Jennifer conceded, "It's definitely plausible that social engineering attacks involving deepfakes could increase. Deepfake technology is highly convincing and there is a risk that malicious actors may imitate the HK incident for other highly targeted attacks."
In fact, back in December last year there were deepfakes of Singapore’s Prime Minister Lee Hsien Loong as well as Deputy Prime Minister and Finance Minister Lawrence Wong promoting investment scams.
Whether through third-party risk, social engineering or another method, deepfakes can facilitate real data compromise and cyber attacks. Concerns that suppliers may put an organization at risk are not unfounded: Equifax, Target, Home Depot, Marriott International and Under Armour are only a handful of the organizations that have suffered data breaches due to supplier vulnerabilities.
First and foremost, organizations should aim to block these types of attacks before they ever reach a human. This means blocking attack vectors such as business email compromise (BEC) at the email gateway, and authenticating business email to prevent spoofing.
Jennifer pointed out, “Attackers are definitely using gen AI to create more convincing and personalised emails in multiple languages; Proofpoint data shows an average of 66 million targeted BEC attacks every month. We have also seen tremendous growth in BEC attacks in countries that predominantly do not speak in English.”
Design workflows that work
Jennifer believes that mitigating these risks starts with visibility into human risk: understanding who is being attacked or exposed, how that exposure puts the organization at risk, and the potential impact on it.
"Organizations need to design their security education and notifications to address relevant risks to the right users, at the right time. Threat intelligence can also help security teams tailor their training programmes and messaging. This will make users understand the nature, scope, and impact of the threats they face," Jennifer said.
But awareness of risks has to go hand in hand with workflows that enable secure actions.
Jennifer also suggested that organizations can design their protections and processes with convenience in mind.
"Employees need to work collaboratively across the organization to understand user, department, and organizational goals, and then implement security controls that protect the organization without getting in the way. Security should be aligned with business objectives and user needs – it should not be an afterthought or create unnecessary barriers or operational burdens."
In conclusion, while people taking risky or careless actions might hurt organizations, those who remain vigilant and practise good cyber habits can also be our best defence. The right mindset, coupled with the right knowledge, awareness and skills, can go a long way towards keeping organizations safe and such malicious attacks at bay.