We said goodbye to 2016 and its head-scratching cyber-security issues, but the million-dollar question is: what will businesses and private users face now in 2017? Let’s review cyber-challenges this new year might hold in store:
Tax fraud will be as relevant as ever: Americans, beware IRS scams
Cyber-criminals are always very active during the tax season, and 2017 won’t be the exception to the rule. The IRS, the U.S. government agency responsible for tax collection and tax law enforcement, urges all Americans to be extra careful when dealing with any communications (emails or phone calls) seemingly from their offices.
One trick fraudsters use in tax fraud is directing their trusting victims to pay a supposed “fine for late tax returns” via a money transfer service similar to Western Union or PayPal. Such a service, however, doesn’t have the same security features and, of course, doesn’t allow refunds.
The number of Social Engineering scams will keep intensifying
Cyber-criminals use social engineering scams for a lot of different reasons, and these scams have proved very effective in the past. The myth of a nerdy, tech-savvy hacker running these scams is far from the truth: elaborate IT dexterity is no longer needed for crooks to break into accounts. Like any real-life criminal, hackers rely on their skills and shrewdness to design schemes that will entice naïve victims to give away precious personal information. Once the victims ‘take the bait’, they open a window for the hacker, who can now access a business’s entire systems, or users’ devices and accounts.
The 4 principal tactics hackers use to entice victims are:
- Phishing (email-based scam)
- Vishing (voice-based scam: hackers call their victims on their cell or land line)
- SMSishing (text-based scam: hackers send text messages to their victims)
- Impersonation (on-site scam: hackers pretend to be someone from a trustworthy organisation)
The most used techniques for social engineering scams are phishing and vishing, which then allow the crooks to launch the technical part of the hack.
Cyber-criminals will keep using social engineering scams because of their efficiency. More often than not, their credential harvest for one account can enable them to break into additional accounts, since users and even businesses keep the bad habit of recycling passwords and security question answers.
Let’s say someone had his MySpace account hacked: “I don’t really care, I never log in on that website anymore,” the victim might think – but the danger is, thanks to this one seemingly-unimportant hack, cyber-criminals might gain access later to their victim’s bank accounts or health records.
Ransomware threats will grow exponentially
Research suggests that ransomware will be at the centre of 2017’s cyber-threat landscape, and that it will account for most future cyber-attacks. Other outdated attacks, based on data theft, will be pushed aside by this amplified Trojan Horse attack.
Why will ransomware attacks keep increasing? For a very simple reason: it is extremely lucrative for cyber-criminals. Due to the high profit hackers gain from a minimum investment, businesses should be aware that they will most likely undergo a ransomware attack at some point in the next few months.
Note: a business or private user that falls victim to ransomware should remember that even if they do pay the ransom to their oppressor, that does not guarantee the recovery (total or partial) of their encrypted files or documents. In some cases, cyber-criminals kept blackmailing their victims after the payment; not to mention that paying the ransom can also provide banking details to hackers.
2016 was the year of DDoS attacks, but 2017 may be even worse
The number of attacks carried out by bot networks running on thousands and thousands of IoT devices used maliciously will more than likely grow, with research suggesting that the average size of a DDoS attack will hit 1.15 Gbps by the end of 2017. DDoS attacks are still a popular technique for cyber-criminals to blackmail businesses or harm their productivity/reputation.
Note: a 1 Gbps DDoS attack is all hackers need to take an entire network offline.
Despite this, there is still hope that DDoS attacks may become harder to execute this year, if the strengthening of regulations for connected consumer electronics actually slows down black-hats.
The Internet of Things will remain a ticking time bomb
The number of devices composing the IoT keeps growing alarmingly by the minute, which means every new poorly-secured IoT item can be used for DDoS attacks or other malicious purposes. We are without a doubt living in the age of a technological revolution, talking to our devices, over-sharing and always connected; but every revolution brings with it the danger of not knowing where the danger lies. Even the smallest connected devices can be used as an open window to corporate or private networks.
To sum up, these threats are just the tip of the iceberg of what the 2017 cyber-threat landscape will be made of; it’s important to remember that all the black-hats out there are always working on new scams and techniques that are harder to predict. It’s a cat-and-mouse game: everyone wants to be a step ahead. Businesses and private users should be as ready and protected as possible for any threat that may come their way.
Quick words of advice from FraudWatch International:
Businesses: don’t minimize the value of transparency & quick incident response
Nothing is more valuable than keeping your clients/users’ trust, and hiding a data breach or handling it ill-advisedly is the quickest way to lose them. The good consequence of being transparent about the theft of confidential information is preventing others from falling victim to the malicious scheme. The sooner the attack is brought to light, the sooner the hacker’s credential harvest will end. And even if you do lose a few clients/users in the process, honesty is always the best policy.
Private users: don’t keep registration emails… or in fact, don’t keep old emails, period
Almost every account an individual has can be traced back to an email, which means that key credentials such as usernames, passwords and security questions are often stored in email accounts, sometimes long after the user has forgotten about them. In case cyber-criminals successfully break into one of your email accounts, the healthiest security habit to have is deleting registration emails for other accounts, as well as old emails that may give the hackers a clue as to where to steal from you next. Practice good judgment by avoiding storing emails unnecessarily.