The hyper-personalisation of scams

Alex Laurie at Ping Identity explores a worrying trend that businesses must look out for

 

The constant evolution of the cyber-threat landscape is nothing new to those trying to protect themselves and their businesses. Yet, while change is a constant in the cyber-security space, threat actors have been able to get further ahead in the last few years thanks to the proliferation of innovative technologies and techniques.

 

With malicious actors firmly having the upper hand, we’re likely to see another big shift in the way they work. I predict this to involve the improved sophistication and hyper-personalisation of scams – cyber-criminals will focus less on trying to scam tens of millions of people at once, instead pivoting to smaller, targeted groups more successfully.

 

But who is at risk and how can people and businesses protect against evolving threat actors? We will discuss these questions in more detail in this piece.

 

Who is at risk and what to look out for?

Although the nature of hyper-personalised attacks means more targeted groups are under threat, everyone is at risk. While most are aware of the more common scams we have seen over the years – the Nigerian Prince or the ‘click here for a reimbursement’ messages – times are changing. Being able to spot and thwart obvious scamming attempts is no longer enough.

 

With the ability to find and purchase data on millions of people, threat actors are using this information to personalise phishing and vishing scams. Their ability to thoroughly know the people they target, through the vast amount of identity information online, means they are becoming more successful too.                

 

One example of where this tactic is working is in extortion attacks. Cyber-criminals are using personal information – such as email addresses and passwords – to scam people into thinking their accounts have been hacked. Using the password as ‘proof’ of this hack, they then claim to have access to embarrassing information found on a device and threaten to share it with friends, families and workplaces unless an extortion fee is paid.

 

The catch? These scammers don’t always have access to the information they say they do. But their fees get paid anyway because they prey on people’s fear.

 

This is just one example where adapted scamming techniques targeting a specific group of people – in this case, those whose personal data the scammer has access to – is working. This is backed up by findings from a report which found the value of reported fraud in the UK increased to £2.3 billion last year, more than double the total recorded in 2022. Despite this, the true level of fraud is likely to be significantly higher as many don’t report incidents.

 

This is worrying for businesses, especially those with large workforces and access to a lot of money as they are most at risk of being targeted by hyper-personalised scams.

 

Whether it’s trying to defraud a company’s finance department – as per the case with Arup, which handed over $25.6 million over 15 transactions to fraudsters behind a deepfake scam – or trying to embarrass or discount the trust of a CEO, organisations are at huge monetary and reputational risk. As such, they need to take protective measures now to ensure they don’t fall foul to this trend.

 

How to protect yourself

What should organisations be doing to protect themselves against hyper-personalised scams? It starts with company-wide cyber-security training. Employees at all levels, across all job functions need to be aware of the kinds of threats they can fall victim to as a first line of defence. Teams need to know, if an email or call seems highly urgent or if someone is demanding payment or wants you to share money using an untraceable currency like bitcoin – be suspicious.

 

As a secondary step to this, as new fraud/scam trends emerge, it is vital security teams examine their fraud and cyber-security solutions to better understand, prevent and protect against them. The best way to do this is by creating a culture of secure identity through the implementation of preventative measures like multi-factor or adaptive authentication. Doing this will strengthen the protection of an organisation’s networks and data should a scammer get into a system.

 

With a new wave of scams on the horizon, it’s more vital than ever for organisations to take steps to protect themselves and their workforces before it is too late.

 

---

 

Alex Laurie is SVP at Ping Identity

 

Main image courtesy of iStockPhoto.com and Visions