“Hackers Are Always One Step Ahead”

Since the dawn of email, employees have battled scams of one sort or another. As work becomes more remote, points of connection expand and hackers employ ever more sophisticated schemes, the threats multiply. GetAbstract’s Massimo Scola explains how attacks are evolving and what companies and employees can do to maintain security. 

Massimo, what are phishing scams and are they the most common threats employees face? 

Massimo Scola: The number one threat people get through email is “credentials phishing.” The attackers are after your credentials. A recent analysis of spam emails worldwide found that over 50% were credentials phishing. Why? Because then they have your username and password to log into another person’s laptop, computer system or other corporate systems, like the company website. Once they have your credentials, they can log into your computer and put malware on it, or they can use your computer to send out more phishing emails in the name of an employee whose computer has been hacked. 

More and more companies do their work online via a website in the cloud. The website is the product. Does that multiply threats or is that part of the motivation for these scammers? Is that why hackers are so keen to get the credentials of, for instance, people who work for Twitter? Would they be able to crash Twitter? 

Yes, they could. What happens is hackers log in and then they don’t do anything at all. They just observe or try to understand how the system is set up. We had two security breaches in Lucerne. One was the public transport system. Hackers were able to log into the server and could observe and understand how their IT system is set up. Next, they encrypted the computer and shut down all the public displays, so you couldn’t see what time the next bus was coming, and you couldn’t buy any tickets. That lasted a couple of days. That’s ransomware. That’s a real threat, especially for companies that have servers on-premise. Another example was a paper refining company. The attackers stopped the whole production. The company lost lots of money until they paid the ransomware, a lot of money using Bitcoin or whatever they asked for. That’s usually more of a threat for companies that have devices such as machines attached to the computer system. Those can be hacked as well. And that’s what happened to the paper refining company, it just stopped its operations. They had to pay off the attackers. 

Did that start with a phishing email?

I don’t know in that case. There are several ways they get in, but yes, often it starts with a phishing email. There are different types of phishing emails: you have the typical phishing emails, which sometimes are so obvious that you just delete them.  

The ones from a mysterious prince in Nigeria who wants to send you money? 

Exactly. You know it’s spam because of the way it’s written, the way it’s formatted, and you just delete it. The problem is more when these hackers use a technique called social engineering. They gather information about you from trusted sources, maybe on the Internet, or by, for example, calling in to inquire about you. In the end, they know who they are sending the email to.  

They have a particular person in mind.

That’s called a spear-phishing attack. Regular phishing is like you throw a net into the water and you catch as many fish as you can. Spear-phishing is just like with a gun. It’s targeted. 

What are some of the ways that people can tell if something is “phishy?” 

You’ve got to look at the address in the link without clicking on it. That’s usually where you can tell that something is not right. There might be a typo, for instance. It looks like it’s from Microsoft, but the link has a typo in it, so somebody registered a domain with a name very similar to a trustworthy domain. People don’t look at links closely enough. If you go to the website, it may look like the real website, but it isn’t.  

So, if you get an email that you’re a little suspicious of and you hover over the link. You see that you don’t necessarily recognize the website. If you don’t click on the link in the email but rather browse the domain website to see if it looks legitimate, can that hurt you? 

Well, it can if that website is well prepared to take advantage of the situation. Microsoft will fix whatever security breaches they find, bugs or security holes. But usually, attackers are one step ahead of the game. It could well be that you end up downloading something without knowing it or executing something in the background. 

Even if you’re not downloading anything?

You might not even be aware that something is happening in the background. 

Wow. 

But usually, that’s not the case. Usually, you end up on a website and it asks you to log in, in order to get your credentials. Or sometimes, they ask you to log in and ask you for your credit card. A common one in Europe is “You’ve received a parcel from DHL.” Then it asks for your email address and password and then your credit card information to pay for the import tax.  

How will artificial intelligence (AI) increase threats from phishing?  

We talked about social engineering. If I’m phishing, I can create highly convincing and personalized phishing emails or messages or even phone calls. This is by analyzing the patterns in a person’s communications. For example, you can focus on the CEO of a company. You can find out a lot about a CEO on social media and on YouTube videos. So, they try to create an email that is so convincing that the CEO will believe it is for them. 

Or you could get an email that looks like it’s from your CEO asking you to link on something? 

Yes.  

And then with deepfakes, it won’t just be an email that looks like it’s from the CEO because it’s from their email address. It might be a video, like a video chat? 

Yes, it looks like your CEO and feels like your CEO, but there’s something wrong with your CEO. 

So, you could be in a conversation like this, what might look like a video chat, but you would probably be able to figure it out the longer the interaction went on. 

Yes, the same is true with voice cloning. If somebody calls you, the longer you talk, the easier it is to figure out something’s wrong. That might be a problem for new employees, right? Because they might not know the CEO very well. But for people who know the person, they understand how they usually act, their intonation and pronunciation. Those are some of the telltale signs. One more thing about social engineering: In the past, when those well-prepared phishing emails went out, it was usually done by humans. It was done manually. And that’s the big advantage AI brings. It makes these attacks more automated. 

Hackers can massively scale up. 

Yes, and we do expect more attacks. As always in the past with technology, when something new comes out it is used for good and it is used for bad. Something else I wanted to tell you: When AI is involved in cyberattacks through emails, you have very intelligent algorithms. They go out on social media and they try to find out a person’s friends, interests, hobbies and the job they have. They spread out in all directions.  

They basically map a person’s relationships and interactions. 

Yes, on social media they find more information about a user and his or her friends. Then they try to group people with the same similarities. For example, people who have a certain hobby or work in a certain industry. Then – and this is very concerning – AI tries to group the most vulnerable people into one group and sends them a spear-phishing attack. They look for people who look or seem very trusting or those who have access to valuable information or who have admin rights. Then they send out these personalized emails and, as they know a lot about that person already, these messages are tailored to a victim’s interest and the relationships they have with other people, so they are more likely to be successful. This is another reason to always take a close look at links in emails.  

Okay, so you get a phishy email, you hover over the link they want you to click on and you analyze the link – are there typos? Does the domain name seem legitimate? But what if you’re still not sure? Is there anything you can do? 

Yes. All emails have a header that tells you where the email was sent from and where it was going. Companies that host emails, like Microsoft, for instance, receive millions of emails every day. They are very able to identify spam and categorize it. Microsoft has a tool called the Message Header Analyzer, which is a free plug-in in Outlook, and also they have a website where people can copy/paste their headers to do the same analysis. This tool will tell you on a scale of 1 to 15 how likely it is that your email is actually spam. Anything over 4 or 5 is considered spam and has been seen elsewhere. 

Okay, that’s good to know.  

Email addresses can be faked. You can receive an email from DocuSign but then it’s not actually from DocuSign. If you look at the header, you’ll see it was sent from some obscure or unlikely place.

And a message header analyzer would be able to detect something like that as an example of spam, right? 

Yes. So, every time you see an email that is spam in Outlook, for instance, and you click “report phishing,” this goes to Microsoft and trains its model, which improves detection for everyone. Microsoft and other email hosts already block lots of emails every day, that they know are spam. Some still get through, especially better-crafted spam.

48% of emails sent in 2022 were spam.  

And there are other types of attacks to be wary of, for instance, brute force attacks where attackers try to log into a company server by just guessing passwords. They’re also going to be a bit more sophisticated with AI, since it has already been trained on passwords. So, they’re probably going to try and predict passwords that might have been used to secure that website. 

What’s the best way to combat that? 

Multi-factor authentication. Do not rely only on a password, rely upon additional security, an authenticator app or receiving a text message. More and more websites are using multi-factor authentication; some require it, like banks. 

And other threats? 

The Internet of Things (IoT) is a potential nightmare for security. You will have IoT machines everywhere – your coffee machine, the printer or projector. They’re not very capable machines, but if you bundle them together, let’s say with thousands of other printers or thousands of other coffee machines, they can actually slow down a service by trying to access a web server so often, flooding it with attacks, that it crashes. 

Okay. How can companies up their game against these threats? 

Multi-factor authentication is number one. And they can hold regular security awareness training. We all forget about what dangers are out there and should learn about new dangers. Big companies might have very sophisticated security policies that detect misuse. Smaller companies think this is not so important for them, but it is. 

What are some of those procedures that smaller companies should implement? 

For instance, screening a person before you hire them, especially if that person has access to sensitive data. Do you want to hire somebody with a criminal background? Would you trust them with your database?  Another security measure is to really secure the devices companies give to their employees and manage them. So then employees can’t do everything with the laptop; they can’t install software on it, for instance, not because they aren’t trusted, but because this way if they have a ransomware email and open it and it tries to install something, it will fail. 

So, if a company is issuing laptops to their employees, then it should be with the understanding that it will have only the software that comes with it pre-installed. You’re not allowed to install other programs. 

Yes. The term is “managed device.” It’s managed by your corporation’s IT department. Also, increase physical security. I can set up a device to have a security policy that says you can only use it with biometric identification, like your fingerprint. That’s much more secure than just having a pin code or a password. 

Larger companies segment part of their office line into small sections or trusted zones. And these are all separated by firewalls and connected to the corporate backbone. This makes it easier to monitor and detect insider threats, which is also an issue. 

Is there something companies can do besides initial screening to minimize insider threats?

Have compliance policies that everyone follows. For bigger companies, sometimes you have two departments that shouldn’t talk to each other, sometimes for legal reasons, but if they do, you can set it up so that you’ll get an alert if they exchange emails. 

Remember that attack at the paper refinery which shut down the factory? Companies that run heavy machinery can physically secure their machines so only authorized people can activate them. Sometimes devices within a company are vulnerable because some of them come with a standard username and password to log in and companies don’t change them, which is a security risk.  

Something you must always do, especially if you run servers on-premise, is keep them updated. When Microsoft or whoever releases an emergency security patch, install it right away because hackers are always one step ahead. It has always been like that.

Being quick is the key to securing your company’s network and devices.

We are all in the same boat. We are all exposed to these risks. But in the end, we are the ones who release information by giving access through multi-factor authentication. Or we are the ones who click on that phishing email and enter our username and password. In the end, the human is the weakest link. We are all distracted at work. Sometimes we are not so careful, and that’s when security attacks take place.  Companies should invest in sophisticated security products. Microsoft Defender and other top-shelf security products employ a huge army of people to do one thing: detect security risks. Then it will be AI fighting AI.