Social networking giant Twitter recently suffered a criminal hack that compromised the accounts of some of its most high-profile users, including celebrities, world leaders and business figures such as Elon Musk, Kanye West, Bill Gates, Joe Biden, and Barack Obama.
Twitter announced on July 17 that 130 accounts were targeted in the attack. Hackers managed to reset the passwords on 45 of those accounts, and, for up to eight of the accounts, the attackers also downloaded the account’s information through the “Your Twitter Data” tool. It is believed the hackers gained access to Twitter’s system via a sophisticated social engineering attack. They then posted tweets from the accounts of the high-profile individuals, offering to send $2,000 for every $1,000 sent to an anonymous Bitcoin address. Initial estimates suggest the hackers gained more than $100,000 from the scam.
The attack against Twitter highlights a pressing concern arising from the ongoing COVID-19 crisis: pandemic-induced remote working has created “new avenues for criminals to use in their attacks,” as put by Darren Thomson, head of cybersecurity strategy for CyberCube. He explained that “the Twitter employees whose accounts were compromised were working from home, where it may have been easier for criminals to manipulate their targets,” and added that COVID-19, combined with hackers’ advanced social engineering techniques, “poses a growing threat.”
Global property & casualty insurer Chubb recently published the results of a survey entitled ‘Resilient, Committed, Engaged and Worried: The Experiences and Risks of Americans Working from Home During COVID–19’. While the survey polled only Americans, the results are relevant far beyond the US in showing that consumers are less concerned about cybersecurity when working from home than perhaps they should be.
Despite warnings from cybersecurity experts about the elevated risks of cyberattacks in the remote working environment, only 46% of respondents to the Chubb survey expressed concern about their cybersecurity while using tools to work remotely, and nearly half (49%) said they regularly or sometimes conduct business on personal devices or their personal email account.
“We’re seeing an uptick of issues coming out of the remote work environment,” said Greg Markell, president and CEO of Ridge Canada Cyber Solutions. “The threat actors haven’t taken a holiday. In fact, there’s never been more stress put on company networks. I take my hat off to the IT and security teams for the countless hours they’re spending on making sure their networks are functioning properly and their people understand the risks that are out there. Something we’ve seen, which is really positive, is that a lot of Canadian companies have been inquiring more about cyber security training for their employees.”
Despite this extra effort in the cybersecurity training department, the majority of cyber claims today still revolve around some form of human error, whether that’s clicking on a malicious link in a phishing email or falling for social engineering fraud via business email compromise (BEC). That’s partly because, as CyberCube’s Darren Thomson put it, hackers’ social engineering techniques keep getting more “advanced”.
“Lots of these phishing attacks are very sophisticated,” Markell added. “Look at Microsoft’s Patch Tuesday in May 2020. Within 24 hours, there were already BEC and phishing campaigns sent out that looked identical to the Microsoft password updates. The threat actors know when things are coming, so it’s important for businesses and their employees to be aware and be conscious of it.”
Awareness and education are critical when it comes to detecting and avoiding social engineering attacks. Paige Schaffer, CEO of Global Identity and Cyber Protection Services for Generali Global Assistance, said there are “two key red flags” that she recommends consumers look out for to “avoid falling victim to phishing schemes on any platform, including Twitter, email, or text.”
“First: when you see an exciting time-sensitive offer, like in the hacked [Twitter] posts, take a moment to read the text carefully as you’ll probably notice some grammar and spelling issues, which is a common red flag to look out for when you suspect a possible phishing scam,” she said. “Second: generally, any type of offer that involves providing some initial funding in order to secure a large return at a later time is almost always a scam, especially when combined with an ‘urgent’ call to action.”
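The two red flags above (an urgent, time-limited call to action, and an offer that asks for money up front in return for a larger payout later) can be turned into a simple screening heuristic of the kind a security awareness team or a mail filter might run over incoming messages. The following is an added example, not code from the article or from anyone quoted in it; the sample messages are constructed for illustration, the first one mimicking the pay-$1,000-get-$2,000 pattern the article describes, and the keyword lists and thresholds are assumptions that a real deployment would tune. It also flags mention of cryptocurrency payment, which the article notes was the collection channel, as a third, weaker signal.

```python
import re

# Constructed sample messages (not taken from the article or the real tweets).
SAMPLES = {
    "giveaway": (
        "I am giving back to my community. All Bitcoin sent to the address "
        "below will be sent back doubled! Send $1,000 and I will send back "
        "$2,000. Only for the next 30 minutes!"
    ),
    "it_notice": (
        "Reminder: your password expires in 30 days. Visit the IT portal "
        "from the company intranet to change it."
    ),
    "raffle": (
        "Send $50 to the club treasurer and receive 2 raffle tickets for "
        "the summer fundraiser. Bitcoin accepted."
    ),
}

# Assumed urgency phrases; a production list would be broader and localised.
URGENCY_PHRASES = (
    "hurry", "limited time", "only for the next", "act now",
    "urgent", "minutes left", "expires today",
)

# "send <amount> ... get/receive/send back <amount>": the advance-fee shape.
ADVANCE_FEE = re.compile(
    r"send\s+\$?(\d[\d,]*)\b.*?\b(?:get|receive|send you|send back)\s+\$?(\d[\d,]*)",
    re.IGNORECASE | re.DOTALL,
)

# Plain mention of a crypto payment channel (assumed keyword list).
CRYPTO_MENTION = re.compile(r"\b(?:bitcoin|btc)\b", re.IGNORECASE)


def red_flags(text: str) -> list[str]:
    """Return the list of red-flag labels found in a message."""
    flags = []
    lowered = text.lower()

    # Red flag 1: an urgent, time-sensitive call to action.
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        flags.append("urgency")

    # Red flag 2: pay a small amount now, be promised a larger amount later.
    match = ADVANCE_FEE.search(lowered)
    if match:
        paid, promised = (int(v.replace(",", "")) for v in match.groups())
        if promised > paid:  # a genuine price ("send $50, receive 2 tickets") is not flagged
            flags.append("advance_fee")

    # Weaker signal: the payout is requested via cryptocurrency.
    if CRYPTO_MENTION.search(lowered):
        flags.append("crypto_payment")

    return flags


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Treat a message as suspicious when at least `threshold` flags co-occur.

    The threshold is an assumption: one signal alone (e.g. a legitimate
    notice that mentions Bitcoin) should not trip the screen.
    """
    return len(red_flags(text)) >= threshold


def screen_all(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Run the screen over every sample and return the flags per message."""
    return {name: red_flags(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, flags in screen_all().items():
        verdict = "SUSPICIOUS" if is_suspicious(SAMPLES[name]) else "ok"
        print(f"{name:10s} {verdict:11s} {flags}")
```

The combination rule matters more than any single pattern: the constructed raffle message mentions Bitcoin and asks for money, yet is not flagged because the promised return is smaller than the payment and there is no urgency cue, whereas the giveaway message trips all three signals at once.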