Cyber fraud is a growing concern for individuals and businesses. It can take the form of phishing scams that steal personal information, hacking into corporate systems to disrupt business as usual, or even causing physical harm through counterfeit electronic and automobile parts or falsified medical products.
Deception in the digital age explores how traditional principles of psychological influence can be maliciously leveraged to entice, entrap, and exploit cyber victims.
Phishing
Phishing is a common cyber attack in which an attacker uses email, instant messaging, or SMS to dupe victims into divulging personal information or sensitive company data. That information can then be used to gain unauthorized access to accounts, launch ransomware attacks, or steal identities.
The name is a play on ‘fishing’: the attacker casts bait in the form of a plausible message and waits for a victim to bite, with the ‘ph’ spelling following the older hacker term ‘phreaking’. Today’s phishing is far more sophisticated than the early email lures. Most campaigns aim to capture login credentials, and they are delivered through malicious attachments, spoofed websites, and counterfeit login prompts on social media (for example, a fake Facebook Login page).
Some variants of modern phishing include pharming, where attackers tamper with DNS resolution or a victim’s hosts file so that a correctly typed address leads to an imposter site; angler phishing, in which attackers reply to social media posts while posing as an official organization and lure users to their phishing site; DNS cache poisoning, in which attackers inject forged records into a resolver’s cache so that lookups for a legitimate domain return the attacker’s server (not to be confused with domain hijacking, which alters the domain’s registration); and vishing and smishing, in which the same lure is delivered by voice call or text message.
Another variant is CEO fraud, a form of business email compromise, in which attackers pose as a company executive or other high-profile person and ask the victim to wire funds. These attacks can be as simple as spoofing a colleague’s email address or display name to mimic the CEO, or as elaborate as using an AI voice generator to imitate the chief executive over the phone and request a wire transfer.
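As an added example (this code is not from the original article), here is a Python check for the sender tricks described above: a familiar display name on a foreign address, a lookalike domain one or two edits away from a trusted one, and a Reply-To that steers replies elsewhere, which wire-fraud mail often relies on. The trusted domain, the known-sender list, the two-edit threshold and the sample headers are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for illustration: the organisation's own domain and the display
# names staff expect to see on mail from it. Both are assumptions.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_SENDERS = {"jane doe": "example.com"}   # lower-cased display name -> expected domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_headers(raw_message: str) -> list:
    """Return findings for one message's headers; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    findings = []

    # 1. Display-name spoofing: a familiar name on an address outside its expected domain.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and domain != expected:
        findings.append(f"display-name spoof: '{name}' sent from {domain}, expected {expected}")

    # 2. Lookalike domain: non-ASCII characters (homoglyphs) or within two edits of a trusted domain.
    if domain not in TRUSTED_DOMAINS:
        if not domain.isascii():
            findings.append(f"non-ASCII sender domain (possible homoglyph): {domain}")
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(domain, trusted) <= 2:
                findings.append(f"lookalike domain: {domain} resembles {trusted}")

    # 3. Reply-To steering replies to a different domain, a common trait of CEO-fraud mail.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain}")
    return findings


# Constructed sample messages (headers only), not real mail.
SAMPLES = {
    "legitimate": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\n",
    "ceo_fraud": ("From: Jane Doe <jane.doe.ceo@gmail.com>\n"
                  "Reply-To: payments@mail-relay.net\nSubject: Urgent wire today\n\n"),
    "typosquat": "From: IT Support <helpdesk@examp1e.com>\nSubject: Password reset required\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_headers(raw) or "clean")
```

The edit-distance check is deliberately loose (distance 2 also matches unrelated short domains), so in practice it is a triage signal to combine with SPF/DKIM/DMARC results rather than a blocking rule on its own.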
Password Attacks
Password attacks are a common and effective way for cybercriminals to reach sensitive data. Rather than tricking the user into handing over a password, these attacks guess or replay credentials directly against a login interface. A successful attack can have serious repercussions, including financial loss and reputational damage.
In password spraying, the attacker tries a small number of common passwords (a seasonal password, or the company name followed by the year) against a large number of accounts, one or two guesses per account. Because no single account sees many failures, the attack stays below the thresholds that trigger lockouts, and it is easy to miss if monitoring counts failures per account rather than per source.
In credential stuffing, attackers take username and password pairs from data breaches or infostealer malware and replay them against other sites, betting that the victim reused the same password. Because the credentials are real, no guessing is needed, and the attack succeeds wherever the password was reused.
In a conventional brute-force or dictionary attack, the attacker starts from a known username and works through a wordlist, then systematic combinations, until the password is found. A reverse brute-force attack inverts this: it starts from one password (or a short list of common ones) and tries it against many usernames, which in practice is what password spraying does. Both are made easier by the fact that many people reuse passwords across platforms and build them from guessable elements such as their name, a date, or a sports team.
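Because spraying deliberately stays under per-account lockout limits, detecting it means pivoting on the source rather than the account. As an added example (not code from the original article), here is a Python detector that runs over a constructed login log and separates the two shapes described above: many accounts with one or two failures each from one source (spraying) versus many failures against one account (brute force). The log format, the thresholds and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed sample (not real data): one line per login attempt,
    '<ISO timestamp> <username> <source ip> <FAIL|OK>'. The format is an assumption."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    # Password spray: one source makes a single guess against 25 different accounts.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} user{i:02d} 203.0.113.7 FAIL")
    # Classic brute force: one source hammers a single account.
    for i in range(40):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} admin 198.51.100.9 FAIL")
    # Benign noise: a user mistypes once, then logs in.
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} carol 192.0.2.10 FAIL")
    lines.append(f"{(t0 + timedelta(minutes=3, seconds=20)).isoformat()} carol 192.0.2.10 OK")
    return "\n".join(lines)


def parse_log(log_text: str) -> list:
    """Parse the assumed format into (timestamp, user, source, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def classify_sources(log_text: str, window: timedelta = timedelta(minutes=10),
                     spray_min_accounts: int = 10, spray_max_per_account: int = 3,
                     brute_min_attempts: int = 20) -> dict:
    """Map each suspicious source IP to a verdict.

    Per-account lockout counters never fire on a spray, so the detection pivots
    on the source: many distinct accounts, very few failures each, inside a short
    window. A brute force is the opposite shape: one account, many failures.
    Thresholds are illustrative and need tuning to the environment.
    """
    failures = defaultdict(list)          # source ip -> [(timestamp, user), ...]
    for ts, user, src, result in parse_log(log_text):
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, events in failures.items():
        events.sort()
        per_account = defaultdict(int)
        for _, user in events:
            per_account[user] += 1
        busiest = max(per_account.values())
        span = events[-1][0] - events[0][0]
        if busiest >= brute_min_attempts:
            verdicts[src] = "brute force"
        elif (len(per_account) >= spray_min_accounts
              and busiest <= spray_max_per_account
              and span <= window):
            verdicts[src] = "password spraying"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(build_sample_log()).items():
        print(f"{src}: {verdict}")
```

Credential stuffing looks the same per source (one attempt per account), so the same rule flags it; the telling difference is a higher share of successful logins, because the replayed credentials are real. A slow spray spread over days and across many source addresses evades the per-source window above, so production detection also aggregates failures across sources and over longer periods.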
Social Engineering
Cybercriminals are experts at manipulating technology, but they do not always have to hack your device or email. Sometimes they prefer social engineering to get your information, access your accounts, and infect your devices with malware. Social engineering exploits human traits such as trust, curiosity, and the tendency to make mistakes under pressure. It can be done online, over the phone, or in person, and it usually involves tricking unsuspecting victims into breaking their normal security procedures.
For example, an attacker can pose as a trusted party such as IT support and ask for your password and login details. By handing them over, you give the attacker the keys to your account, which can then be used to steal funds, spread malware, and so on.
Phishing is itself a form of social engineering. Criminals use a compelling pretext to catch your attention, such as a sweepstakes win or a fake security alert offering software that will remove a virus from your device. They have succeeded if they can convince you to act on the ploy.
Physical social engineering is also used to reach restricted areas of an organization or sensitive data. One method is tailgating, where an unauthorized individual follows an authorized employee through a secured door, often while impersonating a delivery driver or custodial staff. Another is baiting, where an attacker leaves a malware-laden USB stick in a public place and waits for someone to pick it up and plug it in.
Malware
Cybercriminals use malware, or malicious software, to gain access to systems and steal sensitive information. Some types of malware are self-replicating, spreading from computer to computer or even from network to network. Other types are used to degrade or abuse a system or network: for example, botnet malware that enlists infected machines in distributed denial-of-service (DDoS) attacks, or cryptojacking malware that silently consumes the victim’s CPU to mine cryptocurrency.
Malware can arrive in many ways, including USB drives, popular collaboration tools, and drive-by downloads, and it can be hidden inside file formats such as images and documents. New strains increasingly use evasion and obfuscation to avoid detection. These include polymorphic malware, which rewrites or re-encrypts its code on each infection so that no fixed byte signature matches; anti-sandbox techniques, which detect analysis environments or delay malicious behaviour until an automated sandbox has stopped watching; and memory-resident (fileless) malware that runs only in RAM, leaving little on disk for file-scanning antivirus tools to find.
Cybercriminals often target businesses to steal large sums of money or confidential information. These attacks typically start with a spear-phishing email crafted to look like a message from the CEO or another trusted source. They may also use social engineering tactics such as impersonating a tech support agent to gain the victim’s trust and prompt them to divulge sensitive information. Depending on the target, the foothold may then be used for other crimes, such as ransomware. The 2021 ransomware attack on JBS, one of the world’s largest meat processing companies, shut down plants across the USA, Australia, and Canada. The company paid $11 million to the criminals to regain access to its networks and limit data loss and operational disruption.