CISOs watch out: The most effective cyber attacks never touch your company's firewall
When CISOs think about cybersecurity for their companies, there are certain expectations: password protection, firewalls, and continuous training of employees on the latest phishing scams, to name a few. And to be sure, cyber risks like these are as relevant as ever. The persistent problem is that cybersecurity is like any defense contest: the burden (and therefore the disadvantage) is on the defender. You have to win every time, whereas an attacker only has to win once to cause major damage.
Frustratingly, cyber criminals have shown time and time again that they are quite gifted at creative approaches, thinking outside the box, and combining advanced tech with old-school techniques. For instance, a suspicious-looking form-letter email is easy to spot and delete. However, by purchasing even a small amount of personal data from the dark web, a smart criminal can craft a phishing email with just enough familiarity that its target will most likely open it without hesitation. With enough patience and photoshopping, a malicious actor can send customers a message from their favorite store that leads them to a spoofed website created solely to steal their credit card information. Attacks that target customers rather than the company itself are increasingly prevalent.
As such, companies must be significantly more proactive in their approach to cybersecurity. And because an increasing share of cyber attacks take the form of brand impersonation, companies must move far outside their firewalls to find those threats and protect their customers. Let’s take a look at the evolving cyber threat landscape, why it’s getting more dangerous, and what companies can do to stop attacks that never even come near their firewalls.
Billions Are Spent Inside The Firewall -- But It’s Not Enough
In 2022, total spending on cybersecurity technologies increased to 71.1 billion U.S. dollars. This staggering amount continues to increase and illustrates just how much effort goes into protecting companies, their data, and their customers, not to mention governments. For companies of all types, from retail to information and financial services, the vast majority of this protection is structured to protect the concrete elements of the company. For example, firewalls protect against external network attacks. Virus protection works to keep devices clean. Two-factor authentication protects employees who use poor passwords. To put it metaphorically, think of a company as a castle: billions of dollars go towards building walls, hiring soldiers and guards, digging a moat, and manning the gate. This is all important, necessary, and costly, but it misses a completely different attack vector: targeting customers.
Although the more traditional, firewall-penetrating cyber attacks aren’t going away, newer evolutions of attacks are becoming more common, such as AI-driven voice impersonation, advanced social engineering ("advanced" because of the large amount of personal data purchased from the dark web or a legal data broker), and brand impersonation attacks. Each type of attack is devastating in its own right because it never needs to come near the company itself, its internal infrastructure or its firewall; instead, it attacks the company's customers directly.
For companies, brand impersonation attacks can cause tragic damage, tarnishing their reputation and driving away their customers very quickly. As the name suggests, brand impersonation attacks use various techniques to impersonate a company via email, social media, a false website, and even by phone. These attacks use social engineering tactics to lure customers into providing sensitive personal information, such as bank details. To bring it back to our metaphor, if a castle’s security strategy is to defend its walls, then brand impersonation attacks are roving bands of highway robbers, capturing deliveries of gold well before they get to the castle walls.
Brand Impersonation Attacks Are Scarily Accurate
Brand impersonation attacks, also known as "brandjacking," can wreak havoc on a brand without going near employees or firewalls. They can involve brand hijacking, trademark piracy, phishing, and domain and website spoofing, to name a few. Attacking customers by imitating brands is both effective and dangerous, as it involves little risk, promises a high reward, and threatens to erode customer trust in brands. Customers usually won’t think twice when one of their favorite brands sends them a personalized email asking them to click some sort of link, as these are regular interactions between brands and customers, whereas a message from friends or family asking us to click a link may be out of character. With advanced social engineering tactics that use several pieces of personal information, and with black-hat tools like WormGPT hastening the process, the danger to customers is far greater. More attacks are emerging in which the number of customers targeted is smaller, but the messages are crafted to imitate the brand well and include enough personal information about the target to lower their defenses. Instead of poorly written mass phishing emails, bad actors are investing in their efforts, opting for quality over quantity.
Peter Peters, security manager at the University of Twente, explains how even small steps can lull customers and employees into a sense of trust. “The attacker will try to get a personal connection with the victim. The simplest way is to use your name in the email. Instead of just ‘Dear employee’, they will use your first and last name. Research shows this alone increases the chances of the attack succeeding by 50 percent.”
Matt Mosley, Chief Product Officer at PIXM, explains that other, more sophisticated methods, such as spoofed or hacked social media accounts, completely blindside their victims. “People don’t expect to see these types of malicious links coming in through avenues they trust. Traditionally, when you think of these other applications, you receive a link from a friend on Facebook and you click on it because you know and trust that person. ‘Surely, it’s a real link, it can’t be malicious!’ The same goes for receiving a message through Slack or a text from a friend.”
Effective Attacks Require Effective Solutions
Research has found that these new, more narrowly focused attacks happen very quickly. By the time brands start to realize something is wrong, perhaps by discovering a drop in brand sentiment, seeing the results of a data leak, or even discovering counterfeit products purchased by unhappy customers, it is far too late.
Ran Arad of Memcyco, a real-time website spoofing detection and protection solution, explains that even though website spoofing can happen very fast, it is the critical "window of exposure" that brands most need to defend against. This "window" runs from the moment a fake site goes up until it is taken down (which can sometimes take weeks), and customers remain completely susceptible to attacks for as long as the malicious domain stays online. "Once malefactors have successfully duplicated your website’s front end, it often feels like it’s too little too late to combat the brand impersonation attack on your brand and the fraud campaign against your clients. Even if the fake site is detected promptly, significant damage, encompassing both monetary and data theft, occurs during that window of exposure (WOE). Many companies currently lack the means to curb this threat effectively."
Furthermore, a report published at USENIX found that the speed of these campaigns shows just how ineffective reactive measures typically are. According to the report, the average campaign from the start to the last victim takes just 21 hours. Moreover, at least 7.42 percent of visitors supply their credentials and ultimately experience a compromise and a subsequent fraudulent transaction. It goes on to explain that a small collection of highly successful campaigns is responsible for a staggering 89.13 percent of victims.
So what can companies do? Spending on cybersecurity continues to rise, and protection from brand impersonation attacks is one of the reasons for that. As with many areas of application and software security, there are expert teams that have made this their specialty. CISOs must recognize the severity of attacks that reach outside their firewalls and become more proactive, dedicating enough resources to counter sophisticated phishing attacks on customers. They can also partner with specialists to identify the areas that require more support. Larger companies may choose to develop this skill set in-house, but for many small and mid-size companies, finding a specialist may be the more cost-effective option in the long term.
Summing Up
In today’s reality, traditional cybersecurity that lives inside a company’s firewall won’t cut it. Companies must not only protect themselves from cyber attacks and their employees from phishing scams (inside the firewall); they must also keep a vigilant eye out for brand impersonation attacks, which can happen anywhere outside the firewall. Unfortunately, these attacks have proven to be very effective and are a growing concern that can cause catastrophic damage to brands. The standard cybersecurity arsenal must now include powerful online brand protection tools and strategies that look outward and that are wide-sweeping and proactive.
Peter Davidson works as a senior business associate helping brands and start-ups make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.