As security conferences return to in-person venues, the cybersecurity community is buzzing with concerns over multichannel phishing attacks, with mobile phishing the biggest concern as hackers turn to mobile to launch smishing and business text compromise attacks.
By moving completely to the cloud, apps and browsers are all we need to communicate with work, family, and friends. While most of us are aware of the cybersecurity guardrails, we are not infallible. We can be lured into providing personal information and credentials or installing malicious apps that can undermine even the most sophisticated cybersecurity defenses. Our reliance on mobile devices with little or no protection from malicious attacks leaves personal and company data at risk.
Multichannel phishing attacks are on the rise, and more breaches are successful because hackers are delivering very targeted attacks on massive scales — powered by automation technology, taking advantage of human psychology, and exploiting our use of apps, browsers, and multiple communications channels.
Humans are the most strategic cybersecurity entry points into an organization because criminals can use psychology to fool us into overriding or undermining even the most sophisticated cybersecurity protection setups. And today's sophisticated attacks are essentially invisible to the human eye. Gone are the poorly spelled phishing emails of yesterday. Today's human hacking can fool even the most security-aware professional into following a malicious URL or logging in to an illegitimate site and exposing data and a network. For the attacker, it's much more straightforward and less costly to attack a human than a network or a well-defended machine.
Furthermore, our world, and the way we use technology, has been dramatically altered. This has further increased the danger of human hacking attacks. Post-pandemic, a large percentage of the workforce will continue to have some hybrid remote/office working arrangements, meaning that we're mixing our personal and professional worlds online more than ever. That opens us to more threats, especially when human hacking attacks are coming from legitimate infrastructure. We've turned to interacting through apps and working on browsers. Using collaboration channels like Zoom and Slack and doing nearly everything through our smartphones has opened more attack vectors.
Gone are the days when phishing emails were easily spotted due to low-quality logos, poor grammar, or just the totally unbelievable nature of the email. Now, attackers are well-equipped and very strategic about their attacks, and the believable SMS text or social media invite from a cybercriminal is far more dangerous.
Then, the sheer number of these channel users multiplies the risk equation for enterprises. Add to this the fact that attacks have evolved to the point where a single attack will use multiple channels to convince the users that they are legitimate. There is also the major issue of underestimating the risk of the human factor — today's attacks are simply impossible to detect with human-only views, assessments, and forensics.
What to Watch For
Now, especially as the browser is becoming the operating system of the enterprise, the number of channels for attack has increased. Browser extensions and plug-ins are available through very respected big brands, including Android and Apple, but they are not always safe. Also, browser search results can become embedded with attacks, attracting the attention of the user with something that they care about and are more likely to click on. And of course, common Microsoft 365 apps and enterprise productivity apps such as LinkedIn, Dropbox, and WhatsApp are open to phishing abuse.
Since human hacking is a unique problem, we need to focus on people in order to resolve it. Training people to recognize threats is important, but the attacks are too hard for users to spot for employee caution alone to provide enough security. Asking people to forward suspicious requests to IT helps but is not a cure. There are simply too many convincing attacks coming in on all channels for IT to keep up with those that are forwarded.
There are better ways. One, recognize that cybercriminals are pointing attacks at the people inside organizations and then defend them — on every single digital channel. Two, take advantage of AI and machine learning to identify threats and then use that protection on endpoints in an organization's network — from employee smartphones to Zoom accounts.
In a world where we're trying to stay one step ahead of the hackers, it's time to adequately recognize the magnitude of the multichannel challenge on the horizon and to adopt a new approach that bolsters the people who are under attack.
About the Author
Patrick Harr is CEO of SlashNext, the authority in multichannel phishing and human hacking protection across email, Web, and mobile.