Scam Awareness Week: Commentary from Fujitsu UK and Ping Identity
July 2023 by Fujitsu UK and Ping Identity
With this week marking the second Scam Awareness Week for 2023, run by Citizens Advice, Rob Otto, EMEA CTO at Ping Identity, and David Markham, Head of Threat Intelligence & Development at Fujitsu UK, comment on the emerging threats facing organisations and how CISOs and their teams can stay ahead of the increasingly complex attack landscape.
Organisations of all sizes cannot afford to ignore the need to fight back against scams, as the volume of threats to organisations is higher than it’s ever been. In fact, attacks like phishing scams can pose a serious challenge and are only becoming more prevalent – if successful, the effects can be devastating long-term.
Comment from Rob Otto, EMEA CTO at Ping Identity
“Ransomware attacks, phishing and bots are all gaining sophistication and taking a serious financial toll on businesses. While the motive is often financial, an even bigger concern is what is happening to the proceeds of those scams: are they being used to fund something more sinister? How can businesses keep ahead of the next threat? These types of scenarios are rightfully keeping business leaders awake at night.
“To stay ahead of threats, they should be seriously investigating how to prevent and protect against such scams. For example, being able to block attacks as they happen and allow legitimate users, including executives, to authenticate themselves through proper security measures is vital. But security doesn’t mean it has to be cumbersome and difficult - in fact, the opposite is the goal. Processes like applying dynamic learning to user behaviour make it easy to differentiate normal and abnormal authentication requests; something which is especially critical for executives who, due to their access privileges, are increasingly targets for techniques like phishing or AI impersonation. Dynamic learning, risk signals and more can strengthen security while keeping the digital experience seamless.”
Comment from David Markham, Head of Threat Intelligence & Development at Fujitsu UK
“Being aware of scam threats and the different types that exist is essential to safeguarding one’s business – no matter the size. Within Fujitsu, we’ve seen malicious or unwanted emails targeting our own customer email gateways make up half of all incoming messages – a leap from 20% since Q4 last year. The majority aim to harvest credentials and tend to originate from advanced dynamic phishing kits specifically designed to distribute mass emails from different addresses and IP addresses to evade security controls. These tend to closely mimic official emails and can be indistinguishable to end-users.
“We’ve also seen a marked uptick in hybrid social engineering techniques such as call-back phishing, which have gone up as much as five-fold. These often employ high levels of sophistication, impersonating legitimate services and deploying fake call centre ‘advisors’ who are well-versed in social engineering. Also, while we’ve seen an overall reduction in the number of emails attempting to directly deliver malware as attachments, we have seen threat actors moving towards more cunning methods, like housing malicious web links in attachments that point to legitimate file sharing services to make them look safe.
“Going forward, we expect to see the use of dynamic phishing kits supported by artificial intelligence (AI). Generative AI would allow for the easy creation of phishing emails and polymorphic malware without the typical level of expertise needed. However, AI could also be the solution and organisations need to take advantage of it to better detect, respond and stay ahead of emerging threats and the bad actors behind them.”