Dan Patterson – CBS News
Cybercriminals ransomed millions of dollars from businesses during the COVID-19 pandemic, using time-tested tactics like phishing, social engineering and other hacker tools of the trade.
For companies, the average cost of a data breach soared to $21,659 per incident during the pandemic, with most incidents ranging from as little as $800 to more than $650,000, according to a new report from Verizon. But 5% of successful attacks cost businesses $1 million or more.
Nearly 85% of successful data breaches involved defrauding humans, rather than exploiting flaws in computer code. Although specific techniques vary by industry, 61% of all data breaches are the result of schemes that try to swipe login credentials, such as phishing schemes, the wireless provider found.
Several factors contribute to the popularity of phishing and ransomware attacks. Many companies use email security systems to mitigate the scale and potency of phishing by, for example, scanning suspicious links and removing attachments. But corporate email systems still remain an easy “attack vector,” tech jargon for the means by which a hacker can gain unauthorized access to a computer network or server to launch a cyberattack. This year, 36% of successful corporate cyberattacks involved phishing, an increase of 11% over last year.
Ransomware, malicious software that locks up or threatens to publish private data unless a ransom is paid, has become increasingly popular among criminals because it offers a quick way to make a buck. Many ransomware hacking tools have been commercialized and simplified. And while programming skills are a bonus, they’re no longer required to execute a successful ransomware attack.
As a result, so-called ransomware-as-a-service is on the rise. Prior to the pandemic, criminals were forced to invest time and resources into investigating targets. Now cybercriminals can simply hire ransomware services on the dark web or buy the software to attack using email.
Bullseye on remote workers
Meanwhile, the massive shift to remote employment during the pandemic has created a fat new target for cybercriminals, because many employees working from home were using insecure personal smartphones and computers.
“For employees accustomed to working from the office, shifting to a work-from-home model as a result of COVID required them to integrate their personal lives,” said Verizon Chief Information Security Officer Nasrin Rezai. “During the same period of transition and disruption, threat actors shifted their techniques to target employees through COVID-themed phishing and social engineering campaigns to capitalize on the stress and anxiety of the pandemic situation.”
Employees in financial services, health care, public administration and retail have proved particularly attractive to fraudsters. Financial service and insurance executives experienced the largest rise in ransomware and phishing extortion attempts in the past year, Verizon found. “Misdelivery” attacks that fool victims into sending sensitive data to an external bad actor now account for 55% of the threats lobbed at financial service employees. Credential stealing and “credential stuffing,” in which stolen credentials from one website are used to breach accounts on another site, are also common.
Health care organizations are also frequently targeted using misdelivery data breaches. According to the report, human error is to blame for a significant number of healthcare-related data exposure incidents.
Social engineering and phishing account for 69% of cyberattacks targeting public officials and administrators. Retail executives experienced a diverse array of attacks during the pandemic. Criminals frequently targeted retail employees with fraudulent money-transfer schemes. Top tactics included phishing and pretexting, both of which involve concocting a story that will trick the victim into revealing password information and other sensitive data.
The increase of remote work during the pandemic also compelled companies to embrace cloud services. Cybercriminals followed. Attacks targeting web applications accounted for 39% of all data breaches.
“The challenge COVID presented was the speed at which companies had to enable their employees to work remotely,” Rezai explained. “It is possible that some security controls were bypassed, shortchanged, or not anticipated as a result.”
Ways to protect yourself
- Avoid reusing passwords. Instead, use a password manager to store long and unique passwords for each site.
- Enable two-factor authentication on email, social networks and work sites.
- Enable a Virtual Private Network before you access sites that contain sensitive information.
“Businesses and consumers alike should recognize the continued rise of social engineering, phishing and credential theft and take steps to defend against it,” Rezai said. “Organizations need to invest in both technological solutions and in workforce education — employees’ good cyber-practices can stop costly breaches before they happen.”