This recent article in the FT on the Anatomy of a Hedge Fund Attack reminds all of us how old attacks keep evolving and adapting to the way we live and work. Today's more sophisticated phishing attacks are no longer about sending thousands of emails to as many recipients as possible. These low-effort, low-technology attacks still exist, but they are not very profitable for cybercriminals and are easy to detect.
Today's social engineering techniques rely on a fairly intensive reconnaissance phase, often lasting weeks, spent studying the victim and collecting information with the help of OSINT (open-source intelligence) tools, which analyse a target's digital footprint and build a map of what they do, how they do it, and where the weakest link is.
After this phase, which is often carried out without leaving any tracks, the next phase usually relies on social engineering techniques: creating a sense of urgency or a desire to comply, delivering misleading messages, and requesting action with enough credibility, thanks to the intelligence gathered during the reconnaissance phase, that the request is not questioned. Let us be clear: these attacks are highly targeted, and no one is immune.
The only protection is to create the right awareness amongst your users, particularly those in senior positions. Educate them, not on technology or spell-checking (long gone are the days when such messages could be easily recognised by their grammar errors or typos), but on recognising unusual patterns: being mindful of what is happening and asking whether it is happening in the usual way.