The list of cyberattack vectors is endless. Every day, vulnerabilities are discovered in computer networks, workstations, mobile devices and applications. New phishing and social engineering attacks are attempted and sometimes stopped, but often not.
I’ve coined it the “cybersecurity shell game.” Remember that age-old game of cups? Out of many, there’d be one cup that contained a shell. It only took one correct guess to identify which cup contained it.
Bad actors like to play with odds. They know that the more cup-containing shells they present, the more likely a person is to be caught off guard and fall for the scam.
This constant “shell game” of different attacks is today’s reality.
To protect your firm and reduce your risk, you must:
- Be aware of these threats.
- Proactively provide your personnel with cybersecurity education.
- Use your cybersecurity resources.
Awareness is the first step
The vast majority of cyber thieves are looking for the most efficient way to compromise their targets with the least amount of work. They look for the easy “marks,” or vulnerabilities, such as:
- Unpatched applications and equipment.
- A person—maybe uneducated in common cyber trickery—who’ll click on a convincing link or download a compromised file.
Phishing emails are commonly cited as the most effective way to invoke ransomware. However, are you aware that texting, voicemail and even QR codes can now compromise end users?
Most people recognize common red flags, like when something unexpected is emailed to you or when you notice a sender’s email address is wrong. What about the latest cyberattack vectors? Are you and your people trained about what to do if you receive a resume or tax document attachment?
Hackers constantly change their cybersecurity attack vectors, so it’s important you stay on your toes. Be aware of what’s under all the cups—not just those getting today’s headlines.
Six shells: Common types of cyberattack vectors
I’ve summarized six types of attacks below. Not only the latest AI-driven ones, but also some old-school attacks that are making a comeback.
No. 1: Phishing, smishing, vishing and quishing
Virtually every firm provides phishing training, but when was the last time you learned about spotting smishing, vishing or quishing?
- Smishing, or SMS phishing, gets more difficult to spot every day. Long gone are the days of obvious misspellings and bad grammar. AI has made it easier for hackers to compose seemingly legitimate text messages. Never click on a link that’s texted to you unless it’s from a trusted party and you’re expecting it. Even then, it’s safer to verify with the sender through another means than what was used in the original communication.
- Vishing, or voice-phishing, is done using canned messages or with the help of AI. The latest AI tools can emulate an individual’s voice in real time. You’ll think you’re actually talking to a coworker or listening to their voicemail when, in reality, it’s a bad actor instructing you to change their direct deposit accounting number.
- Quishing, or phishing initiated via QR code, is also becoming more popular. In these cases, the hacker will trick you into downloading something from a compromised lookalike site. To be safe, go directly to the real site to view the menu, information, etc.
Stay secure with a secondary user verification method. (If you get an email, call the user on the phone; if you receive a phone call, call the person back on a different line.) And never—ever—make any financial changes or provide PII (personal identifiable information) without first confirming a user’s identity.
No. 2: Equipment zero-day vulnerabilities
The Zero Day Initiative, a research team dedicated to identifying zero-day vulnerabilities, discovered 1,558 known equipment and application vulnerabilities between January 1 to October 17, 2023.
A zero-day vulnerability is a flaw in a piece of software that is unknown to the programmer or vendor responsible for the application. Because the vulnerability is unknown, there’s no patch available.
To avoid becoming a victim of one of these exploits, monitor for network and equipment updates, then load them immediately (before hackers have a chance to use them against you).
No. 3: Mobile devices
Most firms allow individuals to connect to the firm’s email, contacts, calendar, apps, etc., on their personal smartphone or tablet. Hackers know that if they can get personnel to download an app or click on a link, they can use the compromised mobile device to get access to the firm’s network resources.
Avoid a zero-day exploit via device by ensuring anything connected to your network is authorized and has the latest security patches and antivirus software.
No. 4: USB flash drives
Flash drives infected with malware are making the rounds again, so it is imperative to remind your staff to never plug one into a firm computer that you have not had 100% control of (i.e., if you find a USB in the parking lot, or you receive one in the mail, don’t plug it into your computer).
No. 5: Workstation apps
Microsoft Windows, web browsers (Chrome, Edge, etc.) and security applications, among every other type of software, are compromisable. The best way for you to protect your firm? Issue updates and patches immediately. (Hackers love to follow Microsoft’s famous “Patch Tuesday” with “Exploit Wednesday.”)
No. 6: Antivirus and malware
Are you making sure that devices connecting to your network have the latest antivirus and malware patches loaded? Old school macro viruses embedded in documents can trick newer staff that don’t remember the threats of two decades ago.
Get 22 tips to protect your firm
Addressing the cyber shell game takes diligence and persistence.
For more tips on how to proactively secure your firm from the broadest range of attacks, watch our webinar: Cyberstealth: 22 moves to hide your firm from cyber thieves.