Why cyber-experts say scammers are shifting focus from work accounts to personal ones — as avenue to businesses’ information

The message from cybersecurity professionals hasn’t diverged over the years from the usual caution that cunning criminals are finding new ways to lure people into scams.

This time, they’re saying it in a new disposition.

Scammers are adopting new tactics, sure. But it’s something of a compliment to the efforts of companies and other organizations — because they’re forcing them to find new approaches.

Seth Danberry. (Grid32)

Seth Danberry, co-founder and president of Grid32, said that, through software protections and simulated cyberattack training such as what his cybersecurity company offers, organizations are proving better prepared against traditional email-based scams.

“So, what we’re starting to see is movement toward other mediums that aren’t part of a company’s ability to police,” he said. “Attackers are figuring out ways to gain a foothold on something like an employee’s private Facebook page.”

The bottom line? Companies have done well to monitor what they can. But attackers are now trying to target what can’t be monitored, Danberry said.

Grid32 is one of the many cybersecurity companies that businesses rely on today to test their readiness for attacks on their systems. That includes assessing how prepared their employees and vendors are for phishing, which is an attempt to steal login credentials through fraudulent links.

The Newark-based firm conducts that testing through email, phone and text message simulations. Danberry said what it can’t do is simulate what an attack on someone’s private social media account might look like, even when it’s meant to lead back to that person’s place of employment.

“That’s something the company just can’t engineer, because it gets outside the lines of what’s ethical and what they can authorize,” he said.

Scott Schober. (Berkeley Varitronics Systems Inc.)

Scott Schober, CEO and president of Metuchen-based Berkeley Varitronics Systems Inc., described the overall cyberthreat landscape as, unsurprisingly, evolving. The numbers point to an overall drop in the volume of ransomware attacks, he said.

“And that’s in large part due to people getting smarter; they’re more suspicious about clicking on phishing links,” he said. “So, if there’s less people falling for these attacks, where are they migrating to? Well, they’ve concentrated largely on the smartphone and other avenues.”

With better email scam training and software filtering out different strains of attacks before they arrive in inboxes, personal cell phone devices have become the new hacker rallying point. As one indication of that, phishing text messages reported to the Federal Communications Commission increased three-fold between 2019 and 2022.

The pandemic was a contributing factor. Schober notes that remote work has people relying much more often on their smartphones or other personal devices to access a company’s systems.

“Cybercriminals know this,” he said. “So, they’re starting to really try to change it up to get people to compromise information, as we’ve all become so accustomed to using our own devices.”

The nature of attacks doesn’t differ significantly from what was done more often through email in the past. Attackers are impersonating company executives or colleagues. Their end goal is to hijack access to the network of a business, finesse their way into a disclosure of protected company information or steal away wire-transferred funds.

“The most common technique starts with gaining a user’s trust,” Danberry said. “You see it on LinkedIn a lot, but it can be any platform: Facebook, Twitter or Instagram. Once there’s that trust, there’s an attempt to pry some sort of company information … or get them to login with a link to verify credentials based on some urgent situation.”

Even if the attacks bear strong similarities to email frauds, Danberry said they’re not always as obvious ploys when coming through avenues such as private social media accounts. Companies can’t police those channels, Danberry said, but they can do better to educate employees about it.

Now’s not the time for feeling overly content, he added.

“As technical email defenses get better, I’ve seen companies get a little lax in their initiatives to train users,” Danberry said. “Or the employees themselves start thinking, ‘OK, here’s that annual phishing training again.’ Maybe it’s getting dry, and they’re not paying attention as much.

“That’s created a bit of a window for attackers. It’s something to watch for.”

AI and cybercrime

It’s possible that the time of the hacker’s classic email fraud strategy is over. It’s also possible, given the latest artificial intelligence advances, that it’s just getting started.

Reporting in from the California-hosted RSA Conference, an annual information technology security event that draws a global audience, New Jersey cybersecurity expert Scott Schober said this year’s buzz is all about AI systems such as ChatGPT and how hackers are using it to make email-based social engineering attacks more effective.

The expectation that hackers could use these tools to not just help program exploits, but also learn behaviors of potential targets at a very granular level to better fool them certainly warrants some buzz, Schober said.

“When you have AI capable of learning human behavior and our weaknesses, that’s where it becomes extremely powerful,” he said. “The use of AI in cyberattacks is going to be successful in the years to come. It will be difficult to counter.”

The best weapon against AI? Cybersecurity experts expect it to be … AI.

Seth Danberry, co-founder and president of Newark-based cybersecurity company Grid32, said that, while these new platforms will be used to improve attacks as well as automate them by hackers, the security side is interested in leveraging it, too. That might involve thwarting attacks with automatic detection of repetitive patterns characteristic of a hack attempt.

“It’s still relatively early, so we haven’t seen exactly how these platforms will be used,” he said. “But, there’s also a lot of room to discover where our side can best and most efficiently use them as well to defend against these new tactics.”

Schober said it’s going to be a race on both sides.

“But, to be honest, that scares me,” he said. “Because, as the good guys, we’re usually behind what’s being embraced by the cybercriminals. I liken it to playing whack-a-mole: As fast as you try to react, something else pops up.”