Cybercriminals aren’t looking to play fair against businesses. They don’t care how big or small you are, what services you provide, or what good you do for the community. You could be a children’s hospital or a single mother selling homemade mittens out of your dining room, you could be a school, an assisted living facility, or a Fortune 500. Either way, your organization is an equally viable target for cybercriminals.

Thanks to innovations in IT security solutions, and in response to the poor cybersecurity hygiene of the average professional, cybercriminals have determined that it is much more effective to use lower-tech scams and social tactics than more complicated “hacking.” The average cybercriminal isn’t developing viruses or malware, but instead relies on common exploits, purchasable software, and social engineering. Let’s take a look at some of the latest tactics being used.

Invoice Fraud

An attacker can easily slip into your inbox pretending to be one of your vendors by using simple email spoofing methods. These days, it usually isn’t difficult to find out which vendors a business works with, and often it seems like the cybercriminals are just taking potshots and having a pretty good success rate.

For instance, if your domain name is registered through, say, GoDaddy, that’s typically public knowledge. A cybercriminal could easily put together an official-looking email that appears to be from GoDaddy, stating that your domain renewal or hosting is overdue. They can provide a fake link to a fake payment page that looks and feels like it belongs to GoDaddy, and trick you out of your money or worse, your actual GoDaddy credentials. At that point, they can do all kinds of damage to your website, or sneak in quietly and do harm as your business.

You’re the Bad Guy Now

In the situation above, cybercriminals could take over your domain name and website, and send emails from your company, manipulate your website, and a whole lot more. That’s a scary situation, but they don’t even need to go that far to impersonate you effectively and hurt your reputation. If your email solution isn’t set up properly, it could be embarrassingly easy for a cybercriminal to spoof emails that look like yours. On top of that, when users have weak passwords and don’t use multi-factor authentication, their email inboxes could be compromised as well.
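The “email solution set up properly” part of that paragraph comes down to the SPF and DMARC records published for your domain. The following is an added example, not code from the original post: two small checks that flag the record settings which let someone else send mail as you. The SPF and DMARC strings are constructed samples for example.com, not any real organisation’s records, and the wording of each finding is this example’s own.

```python
# Added example (not from the original post): flag SPF and DMARC TXT record
# settings that leave a domain easy to spoof. Records are constructed samples.

SPF_ALL_WEAKNESS = {          # qualifier on the 'all' mechanism -> why it is weak
    "~": "soft fail: spoofed mail is only marked, not rejected",
    "?": "neutral: the 'all' mechanism gives no protection",
    "+": "pass: explicitly allows any sender",
}

def assess_spf(record: str) -> list[str]:
    """Return weaknesses found in an SPF TXT record ('-all' is the strong form)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell which hosts may send"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders are not failed"]
    term = all_terms[-1]
    qualifier = term[0] if term[0] in "+-~?" else "+"   # RFC 7208 default is '+'
    return [f"'{term}' {SPF_ALL_WEAKNESS[qualifier]}"] if qualifier != "-" else []

def assess_dmarc(record: str) -> list[str]:
    """Return weaknesses found in a DMARC TXT record (p=reject is the strong form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers cannot enforce sender alignment"]
    findings = []
    policy = tags.get("p", "none").lower()       # 'p' is required; treat absence as none
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered and merely reported")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so abuse goes unseen")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains remain spoofable despite the main policy")
    return findings

# Constructed sample records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.com ?all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

Paste your own domain’s TXT records into the two functions; an empty list from both is what you want to see, and DKIM signing on top of that closes the remaining gap.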

Cybercriminals look for opportunities to mimic legitimate organizations because it’s much easier to trick someone into trusting you when they already work with you. This can do massive harm to an organization’s reputation and damage relationships with clients and prospects.

Microsoft Teams (And Other Communication Tools) Are Potential Threat Vectors

While apps like Microsoft Teams, Skype for Business, Slack, Zoom, and Discord are designed with good intentions, it doesn’t mean that clever cybercriminals can’t exploit them. Back in September, cybersecurity firm Truesec announced that they were investigating a cybercriminal campaign that used Microsoft Teams to distribute phishing messages and malware-infected attachments. This wasn’t the first case of Microsoft Teams being used for cyberattacks, as there was a major compromise back in 2020 where over 18,000 SolarWinds customers had malware distributed to them through a software update, and the initial attack is believed to have begun with a Teams message.

It’s not that Microsoft Teams or these other applications are inherently insecure, but bad actors will use them as an avenue for tricking people into clicking on things they shouldn’t.

Social Media is Riddled with Scams (And Some of them are Hard to Catch)

If you are reading our blog, you are probably not the kind of person to fall for some of the more common social media scams out there, so when we say “Facebook is riddled with scam artists and misinformation” you’d probably want to skip that paragraph. With that said, bear with us.

Cybercriminals are taking advantage of how convoluted Facebook and Meta are to deal with as a business. These scams change and evolve all the time to keep users on their toes, but we’ve been seeing more and more businesses get hit with fake messages pretending to be Facebook support, Meta support, or some other “authority” on a social media platform attempting to warn you about something wrong you’ve done on your account. They’ll usually make it seem urgent, telling you that your page has violated community guidelines or that your account is being banned, and that to appeal it, you need to click a link that either tricks you into handing over your security credentials, grants access to your page to a third party, or simply infects your network with malware.

November 15, 2023
Shawn Kramer