Different Types of Data Breaches and Cyberattacks Used Today

They never rest. Hackers are constantly thinking of new ways to penetrate your organization’s technology so that they can obtain sensitive information and personal data for their own profit. An attack on your network could destroy your business in a matter of hours. That’s why it is important to recognize the common tactics and strategies attackers use.

You may think you are immune to falling prey to attackers’ attempts, but you may be surprised at some of the methods attackers devise to trick people. The point here is that everybody will be compromised at some point, and it is important to mitigate these risks as best as you can.

Zac Wilcoxen is a Managed IT expert. He believes end users (such as employees and staff) are most often the reason compromises happen. And the larger your organization is, the more likely it is that an attack will be successful. Cyber attackers can easily automate breaches, targeting hundreds of businesses at once. When you have 20 or 30 people in your organization, there will be a few employees that are not tech savvy, and will click on a malicious link or may even unleash something that is out of their control.

Zac sat down for an interview and explained the leading types of cyberattacks he’s currently seeing. Zac believes that education and implementing preventive measures are the most important tools to protect against the following cyberthreats.


Employee Access Levels

You want to limit who has admin level access on their computer, because if an end user (employee) goes to a website and downloads something that they’re not supposed to install, the results could be devastating. Take Adobe Acrobat Reader, for example. There are a lot of fake Adobe Acrobat Readers out there that are actually malicious. The employee goes to install what they think is Adobe Acrobat, but they inadvertently download and install ransomware on their computer instead.

If you revoke admin privileges, users do not have the ability to install software applications unless they contact their IT department. IT will then go in and verify that the correct software is being installed. Periodically audit your employees’ access levels to verify that they are appropriate for their role.

Social Engineering

Social Engineering is when a cyber attacker tries to manipulate someone into giving them sensitive information – such as passwords, login information, access to computer systems, etc.

Because of Social Engineering, I recommend that every person, and every business, as part of their password policy, change all of their passwords every 90 days. Every password you use should be unique. Consider using a password manager such as LastPass or 1Password to auto-generate all your passwords. Make sure your passwords have nothing to do with your personal life. Avoid kids’ names and birthdays. Avoid passwords that pertain to anything related to your livelihood.

How do you keep employees from writing their passwords on post-it notes? Honestly, that’s a challenge that we often see. The best course of action here is to implement a specific company policy against this. Some people don’t think they’ll ever get hit, because they think there are bigger fish to fry. But if you leave the door wide open, attackers will come in.

Social Engineering is not limited to email. Actors may call posing as vendors, or other institutions, to gather personal information. This is often the first step in a targeted phishing attack that comes later. Stay vigilant!

Evil Twin

As the economy starts to open back up, work from home employees may start to visit public locations, meaning going back into coffee shops to work. If you go into a public place and connect to their Wi-Fi, it’s imperative that you use a Virtual Private Network (VPN) to encrypt and keep your browsing traffic private. The main problem with using public networks is a type of phishing attack called an Evil Twin. This is when an attacker goes in and creates a lookalike Wi-Fi network.

So, let’s take, for example, your local coffee shop. The attacker creates a Wi-Fi network with the same name as your coffee shop. If you’re not paying close enough attention, you may not realize that there are actually two networks with the same name. You click on one and connect to it using the same password. Now you are completely connected, but unbeknownst to you, you are connected to the attacker’s network (the “Evil Twin”). They are analyzing every bit of traffic that’s going through their network, which means they can extract sensitive information you don’t want them to have. So, again, always make sure to use a VPN.

As we continue to open back up and live in this world where people are working from home, there are so many end users that are uneducated about cyber security and don’t understand the implications involved. They’re not out looking for Evil Twin networks, but the fact is, these networks are out there and it’s important to set your team up for success with cyber education.
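The "two networks with the same name" situation described above can be checked for on a laptop before connecting. The following is an added example, not part of the original interview: it groups scan results by network name and flags names advertised with inconsistent security settings or hardware vendor prefixes. The scan data, network names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan results (not captured from a real network).
# One tuple per access point seen: (SSID, BSSID, security, signal in dBm).
SAMPLE_SCAN = [
    ("CoffeeShop-Guest", "3c:84:6a:11:22:30", "WPA2", -48),
    ("CoffeeShop-Guest", "3c:84:6a:11:22:31", "WPA2", -61),
    ("CoffeeShop-Guest", "02:1a:7d:da:71:13", "Open", -39),
    ("HomeNet", "f4:f2:6d:aa:bb:01", "WPA3", -70),
]


def vendor_prefix(bssid):
    """First three octets of the BSSID, which identify the hardware vendor."""
    return bssid.lower()[:8]


def find_suspect_ssids(scan):
    """Return {ssid: [reasons]} for names that are advertised inconsistently."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security, _signal in scan:
        by_ssid[ssid].append((bssid, security))

    findings = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue  # a single access point gives nothing to compare against
        reasons = []
        securities = sorted({sec for _, sec in aps})
        if len(securities) > 1:
            reasons.append("mixed security: " + ", ".join(securities))
        prefixes = sorted({vendor_prefix(b) for b, _ in aps})
        if len(prefixes) > 1:
            reasons.append("mixed vendor prefixes: " + ", ".join(prefixes))
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_suspect_ssids(SAMPLE_SCAN).items():
        print(f"{ssid}: " + "; ".join(reasons))
```

This is a heuristic only: a large venue can legitimately mix access point vendors, and a lookalike network can copy both the security setting and the hardware address, so a clean result does not replace the VPN advice above.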

Spear Phishing

Spear Phishing is a targeted attack from an actor posing as a trusted sender to acquire confidential information. For example, you receive a text message on your phone that says, “Hey, we think that your account has been hacked, so we’ve locked it. Click here to login.” You click the link and are then taken to a site that looks like Google, but really it isn’t Google. You log in with your email and password information, and now they’ve got your credentials.

Another scenario we often see is an actor posing as the CEO with a message to the finance or accounting department head with the subject “URGENT REQUEST” that reads something like “I’m in a meeting and need help getting some Amazon Gift Cards.”

Phishing

Nine times out of ten when I see a breach, it’s phishing. A recent example of phishing is the Johns Hopkins Lookalike.

Hackers leveraged coronavirus in a malicious way. They tried to spread malware by taking data from the Johns Hopkins coronavirus live map and turning it into other malicious websites that appear to look credible. Once these malicious URLs were visited, malicious code ran in the background of the page, creating vulnerabilities.

There were also phishing attempts disguised as the World Health Organization and the CDC. The links read along the lines of, “Hey, this pandemic is happening. Click here to learn how you can do your part to combat coronavirus.” They made them look exactly like the World Health Organization and CDC, and when that link was clicked, it went to a phishing website where they asked for personal information.
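The lookalike sites described in the Spear Phishing and Phishing sections (a page that "looks like Google, but really it isn’t", or a link dressed up as the WHO or CDC) can often be caught by checking where a link really points before anyone clicks it. The following is an added example, not part of the original interview: the trusted-domain list, the sample URLs and the function names are assumptions made for illustration, and the domain split is deliberately naive.

```python
import difflib
from urllib.parse import urlsplit

# Assumption: the organization's own list of domains its staff really use.
TRUSTED = {"google.com", "who.int", "cdc.gov"}


def registered_domain(host):
    """Naive last-two-labels split (a production tool would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Return 'trusted', a 'lookalike: ...' reason, or 'unknown' for a URL."""
    host = (urlsplit(url).hostname or "").lower()
    if registered_domain(host) in TRUSTED:
        return "trusted"
    brands = sorted(domain.split(".")[0] for domain in TRUSTED)
    # Look at every piece of the host name, treating hyphens like dots,
    # so "who-int.covid-help.example" is examined as who / int / covid / ...
    for label in host.replace("-", ".").split("."):
        for brand in brands:
            if label == brand:
                return f"lookalike: '{brand}' used in untrusted host"
            similarity = difflib.SequenceMatcher(None, label, brand).ratio()
            if similarity >= 0.85:
                return f"lookalike: '{label}' resembles '{brand}'"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links using the reserved .example domain.
    for link in [
        "https://accounts.google.com/signin",
        "https://google.com.account-check.example/login",
        "https://gooogle.example/login",
        "https://who-int.covid-help.example/form",
        "https://news.example/story",
    ]:
        print(f"{classify_link(link):45} {link}")
```

A result of "unknown" only means the link is not on the trusted list, so it should still be treated with care rather than as safe.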

One of the very first things that we do when we sign a client is to schedule a company-wide phishing cybersecurity awareness class, so that we can dive into every single type of phishing scenario there is – with examples of each, which we leave as a resource that can be referenced later. We also implement what we call “faux phishing attempts.” We actually send out phishing emails to see whether or not employees will click on them and fall for the faux scam. If they do fall for it, we educate them. We go back and say, “Hey, look, this is what happened. These are the things that you need to look out for. Please be aware.”

Sometimes we work with managers to create a little bit of incentive. For example, a gift card given out once a quarter to the person that reports the largest number of phishing emails. So, whether they are getting phishing emails from us or whether they are getting real world phishing emails, they report them. It’s a motivating factor for employees and gets them to really analyze all e-mails that are coming in. If you don’t provide the awareness and are just hoping your employees don’t click on anything… that is not a good way to protect your business.

Wrapping Up

It’s a constant struggle to stay ahead of the malicious actors in the dark underworld of the internet. But you’re not helpless.

Start with awareness campaigns in your company. A few minutes of education can help your team understand threats like Phishing and Evil Twins. Most folks don’t want to be the cause of their company’s data breach. So, equip them with the tools to prevail.


Bio

With a lifetime spent in IT, Zachary Wilcoxen has seen it all. He started young as an agent doing on-site service calls for Computer Nerdz, before taking a position at a data center in the network operations center. There he maintained the infrastructure most people refer to as “the cloud”. Honing his craft, and studying computer science, he eventually took a software engineering position working on a popular cloud storage platform.

After a number of years in the workforce, building a skill set, Zac set off to start his own business which today is known as Pretect Managed IT Services. We offer 24/7 help desk support, proactive asset monitoring, cyber security, and automation.


Disclaimer

Daniels-Head Insurance Agency (DHIA) seeks thoughts and insights from a variety of individuals and organizations in the industry. The guest content on this blog represents the individual opinion of the author and not that of DHIA. Nor is it the opinion of DHIA’s underwriters and business partners. Neither DHIA nor DHIA’s business partners are recommending, endorsing, or sponsoring any companies, or third parties mentioned in this blog.
