Currently, around 4.39 billion people worldwide are using the Internet. More and more data are being stored and exchanged online. In addition to names and (email) addresses, there are now also areas of interest, private images, and video material – as well as bank details – to be found on the Internet. Companies often place confidential company files, contract information, and customer data online in order to make them available to all employees who require access to these data.
Big Data: Valuable resources attract criminal activity
In 2019, the volume of data increased by almost 70 percent compared to the previous year. Every minute, for example, 55,140 images are uploaded to Instagram, around 4.5 million search queries are sent to Google, and 188 million emails are sent globally, according to the American software company Domo in its recently published info graphic “Data Never Sleeps 7.0”. Companies use this pool of data to display targeted advertising, acquire new customers, contact customers, and generate sales.
But the amount and increasing value of information also attracts criminals who misuse existing data to line their pockets through espionage, extortion, or the capture of bank data. Companies are the main target: There is a lot of data stored on companies’ internal servers that could be “taken” at once. Firewalls and virus filters already provide a resistant IT defense barrier. However, cyber criminals are constantly developing new methods to gain access to the valuable digital resources.
Attack vector digital communication
Approximately 293.6 billion private and business emails are received and sent every day. According to one forecast, this number will continue to rise by around 19 percent until 2023. In companies, email has established itself as a main communication channel. Employees prefer to exchange email messages with business partners and customers and also use them for internal communication. Documents such as invoices, applications, and company documents are sent quickly via email in order to avoid long waiting times for a response and to contact the recipient directly. So, it is not surprising that cyber criminals use email as the main gateway for the infiltration of malware. Every day, employees receive a few dozen messages – a deceptively authentic-looking fake email with malicious intentions can potentially cause immense damage if it gets into the recipient’s mailbox.
Emails enable highly efficient communication, but they also offer a global attack vector: in the old days, the intercepting or reading of a letter required physical access. An email can be accessed, read, modified, or deleted by anyone with the necessary technical background knowledge. The physical barrier disappears – all parties are virtually faceless. Knowing who exactly is behind an email message can only be identified by certain elements of the email, which cyber criminals are knowledgeable about. Nowadays, these are replicated in such a professional manner that fraud cannot be detected at first glance. An additional security layer is therefore highly recommended.
In order to get into a company’s system via email, hackers use various methods: In a simple email message, they tempt the recipient to open attached malicious documents and execute macros or click on hyperlinks. This enables malware to be downloaded and executed and – just like that! – the computer system is infected. Malware such as banking Trojans, espionage software, and encryption programs aim to copy, steal, or encode data and manipulate business processes. Above all, Ransomware is one of the most prominent hacker instruments: The Norwegian international aluminum producer Norsk Hydro and the German plant manufacturer Krauss Maffei, for example, were affected by this type of blackmailing software. As a result of the encryption of important files, operating processes were slowed down or even stopped for several weeks, which led to significant losses.
In early and mid 2019, the US authorities of Atlanta, Baltimore, and Riviera Beach were victims of hacker attacks. In each case, the city administration was unable to carry out its work for several days to weeks respectively, resulting in damages running into millions – also due to the encrypted files. In addition, cyber crime groups are increasingly targeting electric utilities and even hospitals. Critical infrastructures play an important role for the public good, they are the Achilles’ heel of society. The effects of a cyber attack on these infrastructures therefore have a great influence on the lives of the population. As a result, critical infrastructures are becoming more and more of a focus for cyber crime.
When a person is under great stress, rational decisions are almost impossible, and actions tend to be based on emotional responses. Especially under time pressure, wrong decisions are often made – another attack method is based exactly on exploiting this behavior. When communicating via digital platforms, users have to trust that a message originates from the person who is displayed as the sender in an email header. In a business email compromise, a hacker focuses specifically on the human vulnerability: the cyber criminal creates an email address that is similar to the original email address of a CEO, customer, or employee of a company. When a fake message arrives in an employee’s mailbox, the display name is shown exactly as if the email had actually been sent by the person being impersonated.
The recipient is put under emotional and time pressure: The hacker pretends to be a supervisor, an important customer, or even the CEO, and addresses the employee with urgent instructions. A transfer of money must be made as soon as possible, but it is not possible to contact the “CEO” by phone, as he is currently in an important meeting. This scam has already generated large profits for cyber criminals. The CFO of the international automotive supplier Leoni transferred 40 million Euros to someone else’s account due to an email from a hacker who pretended to be an important client. The Chinese-Austrian aircraft supplier FACC was cheated of around 50 million Euros, and at the beginning of 2018 the film production company Pathé became a victim of the business email compromise, losing about 19 million Euros.
According to the current Internet Crime Report of the FBI, the business email compromise is responsible for a large proportion of the worldwide financial losses caused by cyber crime. The criminals use emotional “hacks”, and digital communication gives them an advantage against IT amateurs. If there is no training undertaken to sensitize staff about which aspects of an email have to be considered in order to find out whether it actually originates from the displayed sender, the threat situation will continue or even increase.
Security enables successful digitalization
Cases of identity theft, emotional and financial blackmail, as well as the unnoticed tapping of access and credit card data give security a new significance in digital communication. Every day, we reveal information via a wide variety of communication channels – important data that cyber criminals could use for their own purposes in order to carry out their attacks even more efficiently.
Any contact with the Internet can turn out to be a vulnerability. This makes it more important to not only encrypt the communication channels – for example via TLS – but also the communication content via S/MIME or PGP, as well as the information itself where it is stored. Digital exchange and availability of information and data will become more and more relevant in companies, in private use, and for governmental institutions, and it will become the top priority in the future. As the increasing incidence of cyber crime illustrates, security aspects have not played a major role in the topic of digitalization so far.
According to the current Global Risk Report of the World Economic Forum, cyber attacks and digital data theft have been among the greatest global risks for three years in a row. We finally need to learn that, with all the freedom and dynamism that the digitalization of communications allows us, protection is the prerequisite for the continued success of the digital world. If companies, institutions, and authorities do not take this seriously, the consequences of cyber crime will continue to increase in the future, potentially causing greater damage that will also affect our analog lives.
As Creative Writer, Hannah Kreyenberg is responsible for the editorial department at Hornetsecurity since 2018. Topics about email security, cyber attacks and the influences of growing cyber crime are part of her daily work. In her position, she is in charge of writing blog posts, press releases, and product texts.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.