Bogus claims of cybersecurity incidents used to launch cybersecurity attacks
It’s bad enough when you are the victim of a ransomware attack and you get an email saying you’ve been hacked and you need to pay up or else. Now threat actors have a new phishing scheme – telling you that you have been hacked (when you haven’t), and using your response as a method to attack. It is like the fabled boy who cried wolf – except that when you respond, he actually purposefully releases the wolf.
While the scheme is somewhat new, it relies on the same old tried and true phishing techniques:
- Engineered legitimacy. A bit of truth amongst a sea of garbage will go a long way to convince a victim.
- Social pressure. Threats of reputational harm or other indirect damages.
- Asymmetrical financial offer. The cost to pay is often much less than the perceived total cost – both direct financial costs and the indirect costs alluded to by the social pressure.
Don’t fall victim! Stop, take a breath, and have your IT folks fully investigate any claims before responding. Doing so may prevent you from actually becoming a victim.
Cybercrime that involves social engineering exists in many forms. One such scam, which we call Phantom Incident Extortion, evolved from consumer sextortion emails and has moved up to the enterprise world. By tracking these scams over time, some very obvious patterns emerge that can help prevent new targets from falling victim….
We call these scams phantom incidents, as their success depends on convincing the target that an illegitimate (i.e. phantom) incident has occurred or will occur, and the only way to prevent its impact is to pay….