It has been reported that the FBI says that complaints concerning online scams and investment fraud have now reached a record-breaking level. The FBI’s Internet Crime Complaint Center (IC3) received its six millionth complaint on May 15, 2021. According to the US agency, annual complaint volumes increased by close to 70% between 2019 and 2020. The most common crimes reported were phishing scams, schemes relating to non-payment or non-delivery, and extortion attempts.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>Remote working has impacted not just legitimate workers, but also cybercriminals. So the rise in online scams and phishing attacks is not wholly unexpected. We\’ve seen a rise in the number of scams across email, SMS, and even phone calls during the last year, trying to take advantage of the pandemic. </p> <p> </p> <p>There is also a rising awareness amongst people in knowing how to report such scams. This isn\’t just restricted to the US, in the UK the NCSC received a million reports within two months of launching its suspicious email reporting service. </p> <p> </p> <p>It goes to show that people can play an important role in identifying and reporting fraud and phishing emails and organisations should make it easy for employees and customers to report any suspicious activity.</p>
<p>Even as parts of the world emerge out of the pandemic and some employees start to return to the office, hybrid work is here to stay in some capacity for a long time. This means that employees will continue to use unmanaged or personal devices from outside the traditional corporate perimeter, which makes them very difficult to monitor for risk that might be introduced into the organization. Employees expect to be able to access any resource from any location on any device. In the case of organizations that have a complex hybrid infrastructure, this creates a situation where they need to ensure the same level of secure access to everything. Cloud apps and infrastructure are built with integrations into modern identity and access tools, but lots of legacy on-premises solutions aren’t. Security teams need to be able to extend the security benefits of cloud-based infrastructure to on-premises resources. Attackers know that if they’re able to compromise an individual’s account or device through a personal channel, they could gain access to corporate data stored on the device or that the device is connected to through tools like VPN. </p> <p> </p> <p>The report notes that business email compromise scams, romance and confidence schemes, and investment fraud were all leading financial loss attacks. Mobile devices make the perfect reconnaissance target for threat actors due to the unique data present. Malicious actors can harvest contact lists, credentials, private conversations, and social media content from mobile devices in order to plan subsequent attacks. These phishing attacks can even be launched from a co-worker or friend’s infected device, improving the chances of success.</p> <p> </p> <p>Malicious actors are always looking for discreet ways to compromise individuals and organizations. While many of the attacks that the FBI cited in this report are carried out on personal apps like SMS, dating, and social media, a successful phishing attempt can go much further than that. Compromising an employee’s credentials enables them to gain legitimate access to corporate infrastructure and remain undetected. </p> <p> </p> <p>Their primary tactic for stealing credentials is to phish employees on mobile devices. Because smartphones and tablets are used for both work and personal reasons, employees can be targeted through multiple apps such as SMS, social media platforms, and third party messaging apps. The simplified user interfaces of a phone or tablet hides signs of phishing and makes them ripe targets for socially engineered phishing campaigns. However, just because the initial attack is carried out on mobile doesn’t necessarily mean that the attacker will stay there. Once they’re in possession of the compromised credentials, the attacker could attempt to log into any number of cloud apps or platforms like AWS, Google Drive, or Office365. </p> <p> </p> <p>Organizations need to ensure that no unauthorized users can gain access to their infrastructure. Implementing Zero Trust policies that assume no user or device can be trusted until proven otherwise will help mitigate this risk. Zero Trust Network Access (ZTNA) enables organizations to implement access policies that look at the context under which the device and the user, respectively, are attempting to access the corporate network. This could uncover anomalous activity such as a different login location than usual or malware lurking on a device before it connects.</p>