I am phishing
Why “working from the beach” poses a threat to businesses, explains Zscaler’s Tony Fergusson.
A stream of out-of-office messages signals: Summer is here. And even those who can’t quite switch off from work are taking advantage of the Workation trend. They take a holiday to work in a relaxed environment at the same time. This flexible form of “work from home” has led to a new acronym: “Work from the Beach” – WFB for short. WFB concessions are an attractive retention tool in an increasingly competitive labour market and are readily taken up.
However, why should the latest variant of remote working put security departments on their guard? Particular caution is needed because of phishing. After all, phishing is the most popular attack vector on businesses, according to the Zscaler ThreatLabz 2023 Phishing Report. Phishing attacks increased by almost 50 per cent in 2022 compared to the previous year, and all signs indicate that this trend will continue.
Lax cyber hygiene
This trend is particularly worrying as WFB employees tend to neglect cyber hygiene in a relaxed holiday environment, making them easy targets for attackers. There is no opportunity for colleagues to provide a second opinion on suspicious e-mails before they are clicked. The attention to recall the contents of the last cyber awareness training also falls short when the family is waiting for the beach trip.
Another factor that increases the risk profile of distance workers is that they are more likely to work from a personal device with weaker security and a smaller screen. This circumstance offers attackers more opportunities for gateways, for example via SMS and WhatsApp, and thus higher chances of infiltration. Above all, a smaller display from the smartphone leaves less room for users to recognise more subtle signs of fraud in text or email-based attacks, for example a false email address.
Vishing as a variant of phishing
That even a security provider like Zscaler is not spared from phishing attacks is shown by a call to one of our sales managers. Apparent caller: the CEO Jay Chaudhry with a picture of the company boss on his smartphone and the voice: “Hello, this is Jay. I need you to do something for me.” Then the call dropped. A subsequent WhatsApp message received went on to say, “I have poor network reception as I am travelling at the moment. Is it okay to text in the meantime?” This was followed by a request for help in transferring money to a bank in Singapore. When the sales manager alerted internal investigators, it emerged that cybercriminals had used Jay’s voice from excerpts of his published speeches to deceive the employee.
This is just one example of sophisticated social engineering. Driven by powerful AI tools, SMS phishing has evolved into voice message-based phishing – called vishing. Here, real snippets of voice are used by management to trick employees into opening malicious code-infested attachments or performing other harmful actions.
Voice as the new lure
Successful vishing requires an understanding of the social dynamics of the targeted organisation. Cybercriminals know that newly hired employees are unlikely to ignore urgent requests from the boardroom. Executives are interviewed by media or appear in company marketing efforts, so their voices are more likely to be heard in public. This allows these executive-level voices to be used as the perfect bait.
Clicking on a contaminated link can open the door to far more serious threats such as a ransomware attack on the company. This is because network credentials stolen via phishing have a large market value on the darknet. Log-in information is a comparatively easy, inconspicuous way for attackers to gain a foothold in a company via, for example, a single target’s laptop. For a fee, access to this valuable entry point can then be passed on to ransomware groups. These groups use the credentials to move laterally through the corporate network in search of valuable information that can be stolen or encrypted for extortion.
Data at Rest and Data in Motion
What can companies do to protect their employees from phishing scams this summer season? A cloud-based zero trust network access strategy ensures that employees have secure access to the applications they need from any work location. The Zero Trust architecture significantly reduces an organisation’s attack surface and helps prevent damage from phishing. For example, it prevents data loss by checking and protecting “data at rest” and “data in motion”. In addition, it blocks the lateral movement of malware so that compromised resources cannot penetrate other network areas. Users are then connected directly to the applications they need and not to the network itself.
Companies that want to remain attractive in the job market should not skimp on security policies. They just need to evolve their security thinking from a network-centric to a user-centric approach with ZTNA. This will give them more confidence in providing a work-life balance for their employees who want to make the most of their summer.
Tony Fergusson
is CISO EMEA at Zscaler