A pair of new social engineering scams pose increased threats to your business. One preys on our desire for light-hearted online entertainment. The other expands the risk that criminals will steal your sensitive data.
Here are two posts (reprinted with permission) from the blog of KnowBe4, a leading cybersecurity defense company.
Original posts authored by Stu Sjouwerman, CEO of KnowBe4
“We’ve all seen them – quizzes on Facebook asking everything from which Harry Potter character are you, to what state were you born in, to what was your first pet’s name. It seems that none of the people answering these questions saw the scene in the movie Now You See Me where the main characters tricked Arthur Tressler into divulging personal information to be used later against him.
According to security vendor Avast, the new wave of social media quizzes may very well be intent on doing the same thing. “They’re meant to seem so light and fluffy that anyone looking for a boredom-killer might be amused by them. And that’s the point. The creators of these quizzes want them to appear meaningless and harmless. They want everyone to engage whimsically with them. Because in truth, many are phishing attempts at your personal data.”
Because of the seemingly innocent (and entertaining) nature of the quizzes, threat actors using such tactics can easily capture information that is often used as the source of passwords or password reset questions.”
Succession Planning is key to your law firm’s future. Having a succession plan doesn’t mean you’re ready to retire or need to stop work today. It means having a blueprint for your future and a process for transitioning ownership smoothly, seamlessly and profitably. Learn more about succession planning – and how you can design a plan that’s right for your practice – by attending our upcoming live webinar, Success in Succession Planning. Our guest speaker is Camille Stell, CEO and founder of Lawyers Mutual Consulting & Services, who (literally) wrote the book on Designing a Succession Plan for Your Law Practice. One hour of CLE credit has been applied for and is expected to be approved. Register here.
QakBot Expands Business Email Risk
“Representing a new evolution of banking trojan, QakBot proves to be a formidable adversary against security defenses with its’ ability to steal emails – your users.
“The most effective tools a threat actor can have are context and credibility. These are the foundational elements of a really good social engineering scam. Historically, threat actors have simply used online services such as LinkedIn to identify individuals with specific roles in a target victim organization, and any public-facing detail (e.g., social media, press releases, etc.) to craft believable social engineering.
But according to security researchers at Kaspersky, the newest version of QakBot takes the discovery portion of building a social engineering scam to a whole new level. In addition to the ability to steal keystrokes cookie, browser-based passwords, and login credentials, QakBot now has the ability to exfiltrate email content from the infected endpoint. This detail can be easily used in future attacks to establish credibility, commit fraud, and more when used against those in the initial victim’s contact list. This new ability to capture email may be the reason Kaspersky is seeing QakBot’s use is up 65 percent compared to last year.
If you add a QakBot-based attack with a Business Email Compromise attack (which organizations already have as much as an 85 percent chance of experiencing weekly), the added degrees of context and detail potentially extracted from stolen emails could make a malwareless attack all but undetectable to its’ victim.”
Security Awareness Training will help keep employees vigilant against such social engineering tactics, helping to minimize your organization’s threat surface and keep attacks from being successful.”
If you practice in Wisconsin, Texas, Minnesota, Ohio, Illinois, Indiana or Michigan, you can stay on top of ethics and risk management news by being a member of Alta Pro Lawyers RPG. You’ll get access to free webinars, the Pro Practice Playbook, Reminger ProLink, Ask the Risk Pro and more. Here’s how to join.