We live in a golden age of cybercrime, with scammers finding new ways to cheat us every day. And we’re not talking about pocket money – fraudsters inflicted $8 trillion USD in damage via cyber attacks in 2023. If cybercrime were an economy, it would be twice the size of Germany’s.
So, how can you keep your team safe? What can you do to avoid new threats like AI-powered deepfakes or WhatsApp spimming, as well as classic phishing scams and CEO fraud?
Join us for a tour of six of today’s biggest cybersecurity threats – and learn how the right cybersecurity awareness platform can help you stay safe.
#1: Phishing
Phishing continues to be the foremost cyber threat, with scammers finding new ways to compromise people via email and other platforms in order to access sensitive data or funds. These threats have only grown in recent years, with estimates suggesting attempted phishing attacks have increased in volume by 175% over the 2021-2023 period.
Typically, phishing campaigns target a large number of individuals in the hopes of successfully tricking a small percentage of recipients. However, with spear phishing, scammers target high-value individuals with highly tailored (and highly convincing) campaigns designed just for them.
Examples of common phishing attacks include scammers impersonating tech support members, investment advisors, family members, or even company CEOs (more on that later).
How to keep your team safe
Here are some tips to help you and your team avoid phishing scams:
- Look out for weird contact details: Scammers often impersonate people using variations on their legitimate contact details, e.g. Trusted.Person@gmaail.com. Always check the details.
- Never give out sensitive information: Don’t ever divulge login details, passwords, multi-factor authentication codes, or other sensitive information – even to someone you trust.
- Don’t trust urgent messages: Scammers often try to catch people out with urgent messages during moments of downtime, like evenings or weekends. Stay alert and verify the situation.
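The first tip above (look-alike sender details such as Trusted.Person@gmaail.com) is one of the few phishing signals a mail gateway can check mechanically. As an added example that is not part of the original post, this Python snippet classifies a From: header against a constructed list of trusted domains and flags domains that are a small edit distance away from a trusted one:

```python
"""Flag From: addresses whose domain is a near-miss of a trusted domain.

Added example, not code from the original post; the trusted-domain list and
the sample headers used in comments are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed list of domains the team legitimately corresponds with.
TRUSTED_DOMAINS = {"gmail.com", "example-corp.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of a From: header value, or '' if there is none."""
    _, addr = parseaddr(header_value)
    _, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    A domain that is not trusted but within max_dist edits of a trusted one
    (gmaail.com vs gmail.com, examp1e-corp.com vs example-corp.com) is the
    pattern the post warns about. max_dist=2 suits domains of this length;
    very short trusted domains need a tighter threshold to limit false hits.
    """
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"          # no parseable address, e.g. display name only
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, good) <= max_dist for good in trusted):
        return "lookalike"        # near-miss: route to the user as a warning
    return "unknown"


if __name__ == "__main__":
    # Constructed sample header: a look-alike of a trusted domain.
    print(classify_sender("Trusted Person <Trusted.Person@gmaail.com>"))
```

A "lookalike" verdict is a prompt to verify through another channel, not proof of fraud; an exact match is also no guarantee on its own, since a trusted domain can be spoofed unless the sending domain enforces SPF, DKIM and DMARC.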
Another way to stay ahead of scammers? Run simulations to test your team with world-class phishing attempts, and make sure they know what to look out for. Then, if anyone fails these tests, you’ll know they need extra help. Get started for free today.
#2: AI-powered deepfakes
Recently, we’ve seen the rise of some incredible AI tools, including audio and video deepfakes. As impressive as these are, they give rise to a new set of fraud risks, with scammers finding ways to impersonate our colleagues, loved ones, and even our political representatives.
For example, software platform Retool recently experienced a data breach in which a scammer sent an employee a spoof of the company’s internal ID portal, then called them using a deepfake of an IT team member’s actual voice. They convinced the victim to provide an MFA code, which they then used to access a number of Retool customer accounts. Scary stuff!
How to keep your team safe
AI-powered audio and video deepfakes can be tricky to detect. Here are some ways to stay safe:
- Agree to a safe word or password: You should agree on a safe word or password with your team (and your immediate family, too). That way, if you’re ever in doubt about who you’re talking to, you can verify.
- Beware of cryptocurrency requests: Crypto is harder to recover than regular currency, making it perfect for fraudsters. Any requests for crypto payments should be a big red flag.
- Manage your digital footprint: Deepfakes are based on sample clips of audio and video, so pay attention to your public digital footprint and be mindful of what you share with strangers.
#3: CEO fraud (Business Email Compromise)
We’ve seen a lot of tech developments lately, but one thing has stayed the same: CEO fraud – also known as Business Email Compromise (BEC) – is still a huge risk. Scammers are finding new ways to pose as company CEOs, pressuring employees to transfer money, pay fake invoices, or hand over sensitive company data.
These scams often use social engineering to build trust, including monitoring social media activity, spoofing mobile numbers, and even creating elaborate fake email chains.
For example, in 2023 Europol cracked down on an international syndicate of scammers conducting a sophisticated CEO fraud campaign, alleging that the group had scammed a Parisian real estate developer out of €38 million with a series of bogus acquisition payment requests.
How to keep your team safe
CEO fraud is a big deal for companies everywhere. You and your team can lower your risk by:
- Being wary of urgent situations: As with phishing, CEO fraud scams often create urgent situations to pressure people into complying. Take a breath and check the details.
- Treating personal email addresses as a big red flag: If your CEO ever reaches out from what looks like their personal email account, be extra careful – this is a common sign of fraud.
- Use a side channel: If you’re ever in doubt about whether you’re speaking to your actual CEO or a fraudster, get in touch with your CEO via a separate channel you already trust. Trust us – they’ll thank you later.
Learn more: Your Boring Cybersecurity Training is Only Helping Scammers – Here Are 4 Ways We Can Do Better
#4: WhatsApp scams (spimming)
WhatsApp is now the world’s most popular instant messaging platform, with its two billion users exchanging 100 billion messages every day.
Can you guess who else loves WhatsApp? Scammers!
In 2023, we saw a huge rise in fraudsters using WhatsApp (and other instant messaging platforms) to scam people with bogus crypto investments, phoney job offers, catfishing campaigns, and classic phishing scams. You’ve probably seen some of these yourself – and if your team uses WhatsApp in a professional context, you need to be aware of the risks.
How to keep your team safe
Before you click that green button, here are some things to remember:
- Check your privacy settings: WhatsApp offers users ways to protect their data, limit the personal information strangers can see, and stay safe on group chats. Be sure to take a look.
- Be careful with groups: WhatsApp groups are high-trust environments, making them a goldmine for scammers. Keep group invite links private, and monitor your chats to stay safe.
- Don’t trust strangers – ever: Only connect with people you actually know. If anyone asks you to transfer money or share sensitive information, block them and report the scam.
#5: Malware and ransomware
From the classic ‘ILOVEYOU’ virus through to today’s more sophisticated programs, malware is still a major threat. And while our protective layers of security are already identifying over 300,000 instances of malware every day, there is still a lot more work to do to stay safe.
The threat of malware also includes ransomware, like the attack from the ‘Scattered Spider’ network on MGM Resorts hotels and casinos in September 2023. This attack took a number of MGM properties offline for multiple days, causing millions of dollars in damage and disruption.
How to keep your team safe
Here are a few tips to protect your team against malware or ransomware attacks:
- Use a good virus scanner: Most email platforms now offer automatic virus scanning, so be sure to use it everywhere – and always report scams to help the system improve.
- Don’t open unknown attachments or click on weird links: Even when these come from trusted sources, the risk isn’t worth it. If in doubt, don’t click!
- Beware of ‘vishing’ attacks: The MGM ransomware attack all started with a ‘vishing’ (voice phishing) attack. Always be wary of attempts to access sensitive information over the phone.
- Sound the alarm if you’ve been targeted: Cybersecurity is everyone’s business – especially your IT team’s. If you think you’ve been targeted by malware, let them know right away.
#6: Third-party vulnerabilities
To finish our tour, let’s look at an increasingly common threat: third-party cybersecurity vulnerabilities. This isn’t a specific type of scam, but a wider set of threats organizations need to be aware of – especially companies operating under the EU’s NIS2 cybersecurity framework.
From October 2024, NIS2 will require many EU companies to perform a greater range of due diligence on the cybersecurity practices adopted by their third-party suppliers and service providers. If they fail to do so, they can face fines, legal action, and other penalties.
Specifically, NIS2 requires companies to assess supply chain partner compliance with baseline cybersecurity requirements, including risk analysis, incident response planning, the use of cryptography and encryption, and other measures. Where companies identify any third-party vulnerabilities, they must address these with appropriate security measures.
These checks aren’t just about legal compliance – they also ensure a shared commitment to cybersecurity across your business network. For example, the Okta 2021 data breach was ultimately the result of security vulnerabilities at Sykes, a customer support provider contracted by Okta. This shows why active third-party cybersecurity management is so crucial.
How to keep your team (and wider business network) safe
Third-party cybersecurity checks can help keep your business network safe. Be sure to:
- Review third-party protections: Consider the strength of your supplier and service providers’ cybersecurity measures, and whether these could give rise to any vulnerabilities.
- Take active steps to address these vulnerabilities: If you identify any vulnerabilities, you must take active steps to address these – especially when it involves customer data.
- Make a NIS2 compliance roadmap: Companies covered by NIS2 may need to expand their risk management systems or their processes for managing third-party vulnerabilities.
For more guidance, be sure to download our free NIS2 compliance checklist.
Conquer cyber threats with great awareness training
Scammers are always trying to get the better of you. And unfortunately, your team is likely the weakest link: studies show that 85% of all successful data breaches involve human error. That’s why it’s so important to build a strong culture of cybersecurity awareness.
At Riot, we use conversational training to teach your team about the latest cybersecurity threats, including AI-powered deepfakes, WhatsApp scams, and more. Even better, you get a clear view of your awareness levels, so you know who your champions are and who needs more help.
To find out how Riot can help you and your team stay on top of these six threats with unforgettably fun training, get in touch with one of our experts today.