Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Smishing impossible or gone vishing: new campaigns do the trick for fraudsters

It’s time to update the awareness training jargon buster: two new social engineering threats, vishing and smishing, have been rising. Vishing, also known as voice phishing or phone spearphishing, was the subject of a joint alert from the FBI and CISA. It works like this: attackers call victims using a faked official company or department number. Sometimes they pose as IT helpdesk staff to trick people into revealing their passwords or login details. Wired reported that this is the same technique attackers used to gain access to Twitter’s internal admin (see last month’s newsletter). More recently, scammers have gone after banks, cryptocurrency exchanges and web hosting providers. ZDNet linked the recent increase in these scams to the rise in remote working. 

Meanwhile smishing (SMS-phishing) made headlines thanks partly to Liveline. Victims called the popular radio phone-in show to say they had received text messages supposedly from Bank of Ireland. The messages tricked people into thinking their credit cards were compromised, urging them to click a link to enter their account information. Not realising the texts were fake, they gave away bank details to scammers. In total, the fraudsters stole €800,000, reports said. Another smishing scam pretended to be from AIB bank. Similarly, the Department of Social Protection warned of bogus text messages containing links to pages that look similar to actual department websites.

ISO in isolation: certification challenges during Covid-19 restrictions

We’re still coming to grips with the many impacts Covid-19 has had on business. Last month, a software provider InfoSaaS claimed that “hundreds of thousands” of ISO certifications risked lapsing. It said this was because assessors couldn’t visit premises to carry out audits in person. InfoSaaS said the standards at risk of suspension included ISO 27001, which covers rigorous best practices for information security management systems, ISO 27017 and ISO 27018 (enhanced security control sets for cloud services). 

In a follow-up article, InfoSecurity played down the fears. It quoted BH Consulting CEO Brian Honan, who said he had not seen any reduction in surveillance audits or certification audits among his global client base. However he said the move to remote audits bring interesting challenges around presenting evidence and auditing the physical domain of the standard. “However, good planning and preparation on behalf of the auditor and those being audited can overcome these issues,” he said. Brian warned against companies letting their certification lapse because of financial difficulties or cost savings. “Being no longer certified to ISO 27001 may give those outside the organization the impression that the company is less secure than before.”

A fine time to fall foul of data protection rules

Total publicly available GDPR penalties have exceeded €60 million in 2020 so far. Italy had the highest amount of fines with €45.6 million, while Spain had most violations (76 and counting). The most common reason for falling foul of the regulation was “insufficient legal basis for processing”. Those findings come from Finbold’s study of the penalties for not meeting GDPR rules, which it presented in graphical form. 
 
Italy’s total was much higher than any other country, yet it accounted for just 13 fines. Sweden was next, having issued €7.03 million in fines against four offenders, followed by the Netherlands (€2.08 million, three offenders) and Spain (€1.95 million, 76 offenders). Ireland ranked tenth by fines levied, having issued €115,000 in penalties against two organisations. Finbold sourced the data from the GDPR Enforcement Tracker. This database is continually updated but only records publicly available fines.

Links we liked

From Trend Micro, an investigation into hacker infrastructure and hosting. MORE and MORE 

This eye-catching graphic looks at what makes passwords weak or strong. MORE

An EU funding call has €10.5 million available for telecom cybersecurity projects. MORE
 
Surviving a ransomware attack without paying the ransom, the Norsk Hydro way. MORE

An update on the ‘Lost Summer’ skills initiative, as covered in a previous newsletter. MORE

A technical deep-dive into the Netwalker ransomware. MORE

Grand designs: hackers hijacked a design site to build more convincing phishing mails. MORE

Mobile devices share your location data, but you can do something about it. MORE

Criminals are using so-called ‘white SIMs’ to mimic any mobile number. MORE

How to speed up your decision making while mitigating risk. MORE

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here