Viruses and malware are bad. Ransomware is crippling. Data breaches in some cases can more or less shut down a business. We talk about these threats all the time, but for most people, they are just scary-sounding buzzwords. Today, we want to talk about the more personalized threats that are much more cunning, and in some ways, much more dangerous.
What do you picture when you think of a cybercriminal? Is it some dark, mysterious person cloaked in shadows and a black hooded sweatshirt? Are they a nerdy, unshowered basement dweller with a penchant for anarchy? Hollywood has given us a few generic stereotypes for hackers and cybercriminals, but the reality is that most threats and attacks come from organized groups that treat themselves as businesses.
That’s right, businesses that strive to be efficient. Businesses that strive to increase their revenue. Businesses that are innovating and adjusting their methods to get the highest possible gains. It’s not just a weird little creep in a dark bedroom sitting at their computer hacking the mainframe; it’s groups of people constantly refining their abilities, delegating tasks, and making decisions based on key performance indicators, just like any other competitive business.
There’s a darker side that has been revealed over the last few years too. Some of these businesses aren’t just committing digital crimes—I mean, if you are going to commit unlawful, immoral acts, why stop with just one? Some criminal organizations that have been caught scamming and performing acts of cybercrime were also found to be associated with human trafficking rings.
This means if you, as a business, fall for a ransomware attack or some other type of threat that ends up benefiting the cybercriminals, you might also be fueling a slew of acts that are much darker.
And there is money to be made in cybercrime. Globally, it nets criminals $1.5 trillion every year, and that number keeps going up. Ransomware payments alone reach past a billion dollars, despite organizations always being advised not to pay the ransom. This is an industry, one that profits off of your pain.
Even to a technical person, the layers of complexity on most cyberattacks are difficult to piece together, but that’s sort of how organized crime has to work. You can’t steal the Crown Jewels and then put them on eBay the next day and expect to get away scot-free. Cyber threats have always been about the long game. Those old viruses and other threats that would clog up computers if you didn’t have antivirus weren’t usually earning the bad guys money, but if enough infected computers could be controlled as a botnet to extort a legitimate business or a web host, suddenly you’ve got something worth a lot of money to the wrong people.
Even ransomware, although it feels like a very personal attack, is usually a numbers game—a campaign that is constantly refined, redeployed, and perfected until it has the highest success rate possible. It’s more or less just marketing.
We see a lot of attempted phishing attacks and other online scams, and most of the time, they are pretty obvious. For instance, I don’t think anyone I know is going to fall for the classic Nigerian Prince scam, where someone emails you out of the blue looking for a kind soul to help them recover millions of dollars, and in return will share the profits with you.
But modern phishing attacks and scams are much more nefarious and much sneakier.
It’s starting to feel less like it’s a numbers game, and much more personal:
The point is, as a business owner, as an employee, and just as a person who has a digital footprint, you have to be vigilant and skeptical of everything you see that you didn’t expect. Every email, every message, every call, every text. The bad guys know that technology is making their traditional means harder, so they are going to rely on social engineering to get through the gate.