
Highly personalised scam tactics

by Mark Rowe

Alex Laurie, Senior Vice President at the identity security product firm Ping Identity, writes of a cyber-threat trend that businesses must be vigilant against: highly personalised scams.

Aided by the emergence of enhanced technologies and tactics, nefarious threat actors have been able to compound their advantage and steal a march on their defensive counterparts in recent years. Malicious actors have the upper hand, and we’re on the brink of witnessing another evolution in their operations. I anticipate that this will involve increased sophistication and personalisation of scams—cyber criminals will focus less on mass scam attacks and rotate to more concentrated, targeted attacks on smaller groups. So, with this increased threat landscape and evolution in attack vectors, what should individuals and businesses do to safeguard themselves against evolving threat actors? This piece will delve deeper into these questions.

Understanding the scope

Despite the targeted nature of highly personalised attacks putting specific groups in jeopardy, the reality is that everyone is vulnerable. While most are familiar with the more common scams we have seen over the years – the Nigerian Prince or the ‘click here for a reimbursement’ messages – times are changing. Being able to spot and thwart blatant scamming attempts is no longer enough. Given how easily threat actors can access and buy data on millions of individuals these days, their ability to leverage this information to personalise phishing and vishing scams is undoubtedly increasing. This newfound ability to thoroughly know the people they target through the vast amounts of identity information online means they are becoming more successful too.

A typical method that is yielding results for nefarious actors is the extortion attack. Cybercriminals exploit personal details, like email addresses and passwords, to scam people into thinking their accounts have been hacked. Using the password as ‘proof’ of this hack, they then claim to have access to embarrassing information found on a device and threaten to share it with friends, families, and workplaces unless an extortion fee is paid.

The truth is these scammers often lack access to the information they say they have. Nevertheless, their demands are met as they exploit the fears of their victims. This demonstrates that such scam techniques, specifically targeting a group of individuals with accessible personal data, are being executed successfully. A report from business advisory firm BDO concurs that the amount of fraud in the UK increased to £2.3 billion last year, more than double the total recorded in 2022. Despite this, the actual level of fraud is likely to be significantly higher as many don’t report incidents.

Such scenarios are of great concern to businesses, particularly those with sizable workforces and substantial financial resources, as they are most at risk of being targeted by highly personalised scams. Whether trying to defraud a company’s finance department—as in the case of Arup, which transferred $25.6 million over 15 transactions to fraudsters behind a deepfake scam—or trying to damage or undermine the character of a CEO, organisations are at huge monetary and reputational risk. As such, they need to take protective measures now to ensure they don’t fall foul of this trend.

A security culture for defence

Defending against highly personalised scams begins with comprehensive cyber-security training across the company. All employees, regardless of level or job function, must be informed about the types of threats they might encounter as a primary line of defence. Teams should be cautious if an email or call appears extremely urgent, if someone demands payment, or if they are asked to transfer funds using an untraceable currency like Bitcoin.

To underpin these efforts, security teams should scrutinise their fraud and cyber-security strategies as new fraud and scam trends surface, to better comprehend, thwart, and guard against these threats. This has the best chance of succeeding if a culture of secure identity is fostered through the implementation of preventative measures such as multi-factor or adaptive authentication. This will enhance the security of an organisation’s networks and data should a scammer gain access.

Organisations can never be totally sure what new wave of scams is on the horizon, so it is crucial for them to take proactive steps to protect themselves and their employees before it’s too late.
