Gen X types, myself included, like to talk nostalgically about the first time they received a scam email. They were easy to spot - an insanely lucrative offer written in less-than-perfect English. The emails, which usually made copious use of caps, often alluded to some foreign royal intrigue that could only be resolved by transferring inheritance money into the target's bank account.
These seemingly wistful memories can create a false sense of security when we are faced with the sophistication of the real cyberthreats of today. My ironic amusement at these ham-fisted attempts at wire fraud did nothing to protect me when I received a realistic-looking email saying my HR benefits selection was incomplete. The email was in the right format, used the right tone, and was timed perfectly for me to worry that I had forgotten to finalize something. I clicked on the prompt.
Lucky for me, it was actually a test email from my company to see how good the workforce was at spotting simulated phishing attempts. (Not very, apparently.) If I had slowed down, I would have noticed that it was sent from an obviously wrong email address.
Smugness is an often overlooked weak point in any cybersecurity defense. If users assume they can weed out the fake emails by looking for sloppy design or obvious grammatical errors, they will be quicker to click on the more sophisticated attacks. And if IT cybersecurity service architects believe they run a more sophisticated operation than the hackers do, they may make the same mistakes as smug users like me.
Recently, the news magazine The World profiled the work of IT analyst Jon DiMaggio, who spent a year undercover interacting online with the international hacking group LockBit, which, by some estimates, accounts for some 44 percent of ransomware attacks worldwide. What DiMaggio found is that LockBit's leader, a hacker who goes by the name LockBitSupp, endeavored to run his criminal enterprise as much like a professional corporate IT business as possible. To do this, he sponsored contests, created sophisticated dashboards with push notifications, and even offered money to anyone who would get LockBit's logo tattooed on their body. (Several people took him up on this offer.) He has even worked to build a network of affiliates by making firm commitments to share the wealth with those who essentially license his group's malware.
In other words, he has endeavored to create a strong corporate culture, and has taken great pains to consider the "employee" experience of his network of hackers. I am sure there are legitimate IT orgs that haven't given the same level of thought to their XLAs and branding. There are still a huge number of sloppy smash-and-grab hackers out there who are easy for IT pros to outthink, but cybersecurity professionals should always remember that they are competing against other cybersecurity professionals, just with different motives and methods of working.
And we should definitely do away, once and for all, with the false security blanket of the idea that a language barrier will protect us from phishing threats. Aside from being an imperialistic and somewhat racist notion, it will simply become less and less true in the future. Not only are remote language-learning resources making English more accessible to everyone, but over time English is losing its utter dominance as the language of business. And now we must add to the mix the sophistication of generative AI, which can produce nearly flawless, sophisticated text with minimal input.
All this will make it more important than ever to craft stronger network firewalls and better two-step authentication procedures, and to enhance cybersecurity training so that people slow down and verify the origin of every email that asks them for information or to click on a URL. Smugness will not save us from hackers, but wisdom and humility just might.