As another holiday shopping season arrives, with sales and special offers everywhere you turn, it is important to remember that cybercriminals are also out in force, taking advantage of the noise, confusion, impatience, and stress. This is not just a consumer risk but a business one.
Every year, the cyber-threat level rises as attacks become more sophisticated and targeted. This year, the menu of new and enduring attack tactics is joined by the ever-growing power of generative AI.
Why should businesses worry? We live in a world where personal devices are routinely used for and at work. Recent research shows that 83% of companies have a BYOD (bring your own device) policy of some kind. Another source suggests that about 67% of employees use their personal devices while at work, regardless of company policies or restrictions. Alongside that, many work devices are used for personal purposes – one study found that 42% of employees admitted to this.
What this means is that when your employees are targeted with consumer-focused holiday scams, they could be putting your corporate network and assets at risk.
Employers can help to protect both employees and the business by ensuring staff are aware of the threats and attack techniques they might encounter. According to our security researchers, these include email-based attack tactics such as QR code phishing, or 'quishing', where attackers embed QR codes in phishing emails, prompting users to scan the code and visit a fake page that appears to be a trusted service or application. Victims are usually tricked into entering their login credentials, which are then captured by an attacker.
Other novel phishing tactics being used by cybercriminals include scams leveraging Google Translate links, image attachment attacks, the use of special characters in attacks and URL manipulation techniques. Examples of URL manipulation include domain impersonation and typo-squatting, where an attacker tricks a target with a domain name subtly different from that of a known, trusted brand. Another example is what's known as a Punycode attack, where, for instance, the Latin character "a" might be replaced by the Cyrillic letter "а" so that the name looks identical. These visually deceptive URLs are used to scam or phish a target.
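To show how a mail gateway or link scanner can catch the lookalike domains described above, here is an added Python example (not code from the original post or its authors). It assumes a constructed allow-list of trusted brands and a small constructed table of confusable Cyrillic/Greek letters; it converts a host to its Punycode (`xn--`) form, flags labels that mix alphabets, maps lookalike letters back to Latin to detect homographs, and uses edit distance to spot typo-squats.

```python
"""Lookalike-domain check for URLs seen in email (defensive example).

Added example, not code from the original post. The brand list, the
confusable table and the sample URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of brands whose impersonation we want to catch.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example.com"}

# Constructed subset of non-Latin letters that render like Latin ones; the
# Cyrillic "а" (U+0430) from the post is the first entry. Production tools
# use the full Unicode confusables data, but this is enough to show the idea.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o",  # Greek small omicron
}


def extract_host(url: str) -> str:
    """Lower-cased host part of a URL; a bare domain is accepted too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def to_punycode(host: str) -> str:
    """ASCII form of the host: every Unicode label becomes an xn-- label."""
    return host.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Coarse Unicode script of one character, taken from its name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "COMMON"  # digits, hyphen, dot


def mixed_script_labels(host: str) -> list:
    """Labels that mix alphabets, e.g. Latin and Cyrillic in one label."""
    bad = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            bad.append(label)
    return bad


def skeleton(host: str) -> str:
    """Replace confusable letters with the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(c, c) for c in host)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url: str) -> dict:
    """Classify a URL's host as trusted, homograph, lookalike or unknown."""
    host = extract_host(url)
    registrable = host[4:] if host.startswith("www.") else host
    reasons = []
    verdict = "unknown"
    if registrable in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        mixed = mixed_script_labels(registrable)
        if mixed:
            reasons.append("mixed-script label(s): " + ", ".join(mixed))
        skel = skeleton(registrable)
        if skel != registrable and skel in TRUSTED_DOMAINS:
            verdict = "homograph"
            reasons.append(f"renders like {skel}")
        else:
            for brand in sorted(TRUSTED_DOMAINS):
                if edit_distance(skel, brand) <= 2:
                    verdict = "lookalike"
                    reasons.append(f"within 2 edits of {brand}")
                    break
    return {"host": host, "punycode": to_punycode(host),
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: legitimate, Cyrillic-а homograph, typo-squat, unrelated.
    for sample in ("https://www.paypal.com/login", "https://p\u0430ypal.com/login",
                   "http://paypa1.com/", "http://shop-deals.example/"):
        print(assess(sample))
```

The Punycode field is what users and analysts should be shown instead of the rendered Unicode name: the Cyrillic-а sample displays as paypal.com but resolves as xn--pypal-4ve.com, which is an obvious mismatch once it is visible. Mixed-script detection catches most opportunistic homographs; a domain written entirely in one lookalike alphabet would pass that test, which is why the skeleton comparison against the brand list is kept as a second check.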
AI is increasingly used in email attacks to enhance the effectiveness and sophistication of phishing and spear-phishing campaigns. Attackers leverage AI techniques to automate various stages of the attack, to generate realistic email addresses and domains that mimic legitimate senders, as well as convincing email content or content that bypasses traditional spam filters and security measures.
There are many things worth doing at this festive time of year. If you're an employer, one of them should be a quick security review. Do you have effective, AI-based email protection in place, which features impersonation and link protection, among other things? And do you have employees who understand how to spot the latest threat and what to do if they encounter it? If not, now is the time for a training and policy refresh.