Kike heaved a sigh as she settled into her workstation in the London branch of the company she had worked with for the past three years. Monday morning traffic had left her late, dishevelled, cursing under her breath, and missing the city of Lagos, from which she had flown in two nights before.
Almost immediately, she smiled at how misguided the feeling was, because regardless of how frustrated she felt with the London traffic, it was nothing compared to the madness that was Nigeria’s biggest city at the start of a new week.
With barely twelve minutes to spare until her presentation to the London team on the progress she had made since taking over leadership of the company’s business development unit in Nigeria, she quickly opened her laptop, connected to the corporate network, and started skimming through her presentation. Three slides in and the familiar chime of her email notification disrupted her flow.
Before she could dismiss it as a work mail to attend to after her meeting, she noticed it was from her son’s school.
Feeling a quick sense of panic, since the school only sent emails in emergencies where attempts to reach parents by phone had failed, she hurriedly read through the email.
From: Claire Umukoro
To: Kike Browne
Subject: Urgent! Concerning Your Son, Jonathan
Hello Mrs Browne,
We have tried unsuccessfully to get through to you or your husband, Mr Dayo Browne, hence this email. There is a Mr. John Nwoke seated in my office now who says he has been instructed to pick up Jonathan from school due to a family emergency. Click here to view a picture of this individual and give us a call to confirm his identity.
We are taking this step as part of our policy to not hand over students to unauthorised persons without direct confirmation from at least one parent of the child. If you have any questions, please get in touch with us.
Who was John? Why was Dayo unreachable? What was going on?
These were the questions racing through her mind as she clicked on the link to get a look at this strange person trying to claim her child and, at that moment, she inadvertently created an entry point for hackers who had been meticulously targeting the company.
This is what Kike did not know: you should always consider the source of an email (especially unexpected ones) and scrutinise the address it says it came from. And it is vital to think twice, even thrice, before clicking on any link or downloading an attachment, no matter how innocuous they seem or who appears to have sent them.
But this is what the hackers knew: details of her trip and presentation to the team, taken from a LinkedIn post; information on her son's school, from a photo of him posted on her public Instagram account two weeks earlier; and her personal email address, left under a Twitter thread a few days before.
Armed with this information, they simply needed to play on her ignorance, as well as the human emotions of fear and urgency.
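The two checks the paragraphs above describe, scrutinising the real sender address and looking at where a "Click here" link actually goes, can be automated over a raw message. The script below is an added illustration, not code from the original article; the sample email, every address, domain and URL in it, and the allow-list of known school domains are all constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample shaped like the scenario's email; every address, domain and
# URL is invented. Note the look-alike sender and the "Click here" masked link.
RAW_EMAIL = """\
From: Claire Umukoro <c.umukoro@stmarys-london-school.com>
Subject: Urgent! Concerning Your Son, Jonathan
Content-Type: text/html; charset="utf-8"

<p>Hello Mrs Browne,</p><p><a href="http://verify-student-pickup.example/id?u=kb">
Click here</a> to view a picture of this individual.</p>
"""
KNOWN_SENDER_DOMAINS = {"stmarys-london-school.org"}  # assumed allow-list

class LinkCollector(HTMLParser):
    # Collects (anchor text, href) pairs so visible text and real target can be compared.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def domain_of(header_value):
    # Domain of the real address; the display name can say anything.
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()
def phishing_indicators(raw):
    """Return the red flags found in one raw message (empty list = none found)."""
    msg = message_from_string(raw, policy=policy.default)
    flags, sender = [], domain_of(msg["From"])
    if sender not in KNOWN_SENDER_DOMAINS:
        flags.append(f"sender domain {sender!r} is not a known sender")
    if "urgent" in str(msg["Subject"] or "").lower():
        flags.append("subject applies urgency pressure")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if host not in KNOWN_SENDER_DOMAINS:  # compare the target, not the link text
            flags.append(f"link {text!r} points to unknown host {host!r}")
    return flags
```

Running `phishing_indicators(RAW_EMAIL)` reports the look-alike sender, the urgency in the subject and the link whose text hides an unknown host; a message from the allow-listed domain with a link back to that domain produces no flags.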
While this scenario is hypothetical, it is not farfetched.
To gain unauthorised access to company networks and data, cybercriminals usually target the people within the organisation. This is because technological defences such as antivirus, firewalls and spam filters have become very sophisticated and keep evolving.
It is well known that more than 90% of corporate data breaches are the result of human error. This finding has held steady over the years and has given rise to a human-centric cybersecurity solutions industry that is currently worth more than $1 billion and is expected to reach $10 billion by 2027.
Companies are increasingly investing in security awareness training, empowering their employees to detect threats, stay safe online, and act as an effective last line of defence when cybercriminals attack the organisation. However, not all employees have access to these beneficial security awareness training programmes: a recent Google survey showed that almost 50% of employees have received little or no training from their organisation.
Security awareness training or not, it is still your responsibility to ensure that the steps you take across the entire digital spectrum are safe, well thought out, and circumspect. The information you put out there, especially information about you, has incredible value. Data is gold, and whoever can access and mine information about you can significantly influence your life and the decisions you make.
Whereas brands and companies use your data for good (in most cases), for example to serve you relevant ads or tailored search results, a cybercriminal has no such noble intentions.
Kike's scenario above is an example of a cyber-attack that uses a tactic referred to as spear phishing: a highly targeted form of social engineering scam in which bespoke emails are sent to well-researched victims. It is almost impossible to stop with technical defences alone, and it is also difficult to detect without close inspection and adequate knowledge of what to look out for.
There is often a temptation to think of yourself as someone who could not be at the centre of such a targeted and intelligent scheme. You probably think you do not have the kind of money, power or influence that would motivate a hacker to dedicate the effort that goes into planning and detailing a spear phishing attack. However, cybersecurity professionals know that cybercriminals target people across departments, job roles and income levels. And the key factor here is you, a human being largely unable to evolve past certain emotions like:
Fear: that unpleasant feeling caused by the belief that someone or something is dangerous or in danger. It is perhaps one of the most powerful emotions that everyone can identify with, powerful in its ability to drive you to quick actions devoid of critical thinking.
Greed: an inordinate desire for things. That anxiety and restlessness that makes you click on a link to a 100-dollar voucher for a survey you supposedly participated in, even though you have no memory of having done any surveys in the past six months.
Helpfulness: the desire to do good and the willingness to help others. It is not only negative emotions that cybercriminals leverage to carry out nefarious acts. They sometimes bet on the fact that your propensity to lend a hand and keep people happy will encourage you to divulge or accept more information than you should.
Curiosity: remember that time you clicked on a link that said, "How to lose 10 lbs. in 10 min!" because, well, how is that even possible? As humans, we are curious by nature, and curiosity is one of the key drivers of many great innovations and inventions. However, in navigating the digital terrain, unguided curiosity can have serious consequences and could lure us into traps that have been carefully set by threat agents.
These emotions are among the reasons why you are a vulnerability, and one that cybercriminals are especially eager to exploit to gain access to corporate networks. In thinking about spear phishing, do not be quick to dismiss yourself as an unworthy or unlikely candidate because of your perceived lack of wealth, power or influence.
The line between the physical and digital worlds has been blurred by the internet revolution. Digital innovations and technology have enhanced the quality of our lives in many ways, and have helped us to make quick progress and be more productive. They have also made it easy for savvy criminals to do their job. Never has it been so important to learn how to stay safe online, keep your data private, spot phishing emails when they reach your inbox, and be mindful of your online interactions and of how you consciously or unconsciously give out information. Your organisation may have a programme in place to teach you these things, but if it does not, it is your responsibility to do what is necessary to keep yourself (and, consequently, your organisation) safe.