Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Smishing impossible or gone vishing: new campaigns do the trick for fraudsters
It’s time to update the awareness training jargon buster: two social engineering threats, vishing and smishing, have been on the rise. Vishing, also known as voice phishing or phone spearphishing, was the subject of a joint alert from the FBI and CISA. It works like this: attackers call victims from a spoofed caller ID that appears to belong to the target’s own company or to one of its departments. Sometimes they pose as IT helpdesk staff to trick people into revealing their passwords or login details. Wired reported that this is the same technique attackers used to gain access to Twitter’s internal admin tools (see last month’s newsletter). More recently, scammers have gone after banks, cryptocurrency exchanges and web hosting providers. ZDNet linked the recent increase in these scams to the rise in remote working.
Meanwhile, smishing (SMS phishing) made headlines thanks partly to Liveline. Listeners called the popular radio phone-in show to say they had received text messages purporting to come from Bank of Ireland. The messages claimed the recipients’ credit cards had been compromised and urged them to click a link and enter their account information. Not realising the texts were fake, victims handed their bank details to the scammers, who stole a reported €800,000 in total. Another smishing scam pretended to be from AIB. Similarly, the Department of Social Protection warned of bogus text messages containing links to pages designed to look like the department’s own websites.
ISO in isolation: certification challenges during Covid-19 restrictions
We’re still coming to grips with the many impacts Covid-19 has had on business. Last month, software provider InfoSaaS claimed that “hundreds of thousands” of ISO certifications risked lapsing because assessors couldn’t visit premises to carry out audits in person. InfoSaaS said the standards at risk of suspension included ISO 27001, which specifies the requirements for an information security management system, along with ISO 27017 (cloud-specific security controls) and ISO 27018 (protection of personal data in public cloud services).
A fine time to fall foul of data protection rules
Publicly reported GDPR penalties have exceeded €60 million in 2020 so far. Italy accounted for the largest total, at €45.6 million, while Spain had the most violations (76 and counting). The most common reason for falling foul of the regulation was “insufficient legal basis for processing”. Those findings come from Finbold’s study of penalties for breaches of GDPR rules, which it presented in graphical form.