Friday Five: 7/26 Edition
News about a new phishing campaign targeting Office 365 admins, the FTC's big Facebook fine, and the latest data breach statistics are all covered in this week's Friday Five.
1. Phishers Target Office 365 Admins with Fake Admin Alerts by Lawrence Abrams
Phishers have begun creating scams that target Office 365 admins with fake admin alerts about pressing issues, such as unauthorized access or problems with their mail service. When admins click on the links in these fake alert emails, they're redirected to a phishing landing page that prompts them to type in their Office 365 login credentials. If admins type in their credentials on the landing page, and they don't have two-factor authentication in place, phishers will be granted access to the Office 365 admin portal. Phishers are looking to gain access to an admin's account in order to create new email accounts under a company’s domain, send emails as other users, and read other users’ emails. Small businesses that don't have the funds to hire an IT admin are typically those affected by these types of phishing attacks.
2. Phishing attack: Students' personal information stolen in university data breach by Danny Palmer
On July 19, Lancaster University, a school in the U.K., realized that it had suffered a data breach. Hackers obtained unauthorized access to undergraduate application records for 2019 and 2020 and, as a result, applicants' home and email addresses, phone numbers, and names were exposed. Hackers also stole ID documents from the university’s student record system and targeted a few undergraduate applicants with phishing emails that contained fraudulent invoices. Lancaster University created an incident response team to investigate the breach and reported it to the Information Commissioner's Office (ICO). Currently, the university is focusing on safeguarding its IT systems, as well as identifying and helping the students who were impacted by the breach. Every university should have an incident response plan in place; hackers have renewed their efforts at targeting schools with phishing attacks.
3. Criminals are using deepfakes to impersonate CEOs by Michael Grothaus
"Deepfakes," a still relatively new form of technology, are becoming more popular among criminals looking to impersonate individuals and get access to valuable information. In deepfakes, facial recognition and AI are used to create a nearly identical representation of the real subject while altering facial movements and what is being said. Anyone with access to the right software can produce a message seemingly spoken by whomever they want, as long as there are pre-existing videos, podcasts or interviews that show a variety of expressions and language to assist the AI. This is quickly becoming a security issue, as criminals can impersonate CEOs, celebrities or government officials and make them say whatever they please, helping the criminals gain access to sensitive information. The possibilities for wrongdoing are vast, and with limited tools to quickly detect whether a voice or video is a deepfake, companies are on high alert to protect their employees and private data.
4. FTC fines Facebook $5B, adds limited oversight on privacy by Marcy Gordon
5. With Data Breach Costs, Time is Money by Jai Vijayan
One of the main findings from IBM’s annual data breach report, released this week, was that security teams that respond quickly after an attack can reduce costs from a breach by 25% or more. IBM worked with Ponemon Institute to analyze data from over 500 breaches and found that companies with a dedicated response team and plan saved $3.5 million more on average compared to those that did not. The study also showed that companies with dedicated response teams can detect a breach 20% faster, in turn saving an average of $1.23 million in damages. Time is money during a data breach, and the longer the company is exposed, the more money and valuable information are lost. Having an efficient response team and a focus on rapid detection are critical in cutting down costs and ensuring that minimal damage is done in the short and long term.